Revealing Ransomware Secrets With All-Source Analysis

Posted: 10th August 2016

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

Observing these, as with any type of cyber attack, can provide early warning signs of a potential ransomware infection and help organizations lock down their own data and files that could be used against them.

During a recent webinar, Zach Flom, a threat intelligence analyst with Recorded Future, demonstrated how organizations can stay ahead of ransomware threats by using Recorded Future as part of a holistic threat intelligence capability.

Common Tactics — Exploit Kits

The use of exploit kits is the most common and prevailing ransomware tactic, explained Flom. Observing them over time, exploit kits continue to lead to successful exploitation, even though they’re largely preventable by adhering to basic security best practices.

As most security professionals know, said Flom, exploit kits take advantage of too-frequent vulnerabilities in commonly used software like SilverLight, Flash, and Java. Ransomware authors use these vulnerabilities as an opening for the exploit kit, then launch their ransomware as a secondary infection. Ransomware needs only read/write access and the ability to move laterally within a network to achieve its goal.

As such, these exploit kits first target legacy software or vulnerabilities that have not been patched, then move to identifying and encrypting files, and finally delete the files from the victim’s server.

Using Recorded Future, Flom demonstrated how to build a timeline of events, back to 2013, for these ransomware exploit kits to show the notable increase in mentions of various exploit kits. In his analysis and findings from Recorded Future, Flom was unable to find references to any true zero-day exploits being utilized by exploit kits, meaning there’s always some other early indicator before a ransomware attack can be successfully executed.

Common Tactics — Infection Vector

Many recent ransomware attacks have leveraged phishing and spam emails as the primary attack method. Spam and phishing have high success rates, and once the victim falls for the bait, the phony emails contain malicious macro-embedded files or obfuscated JavaScript which can be spread to the victim’s computer, then into the network, if desired.

For macro-embedded files, an email is written to trick the user into enabling macros to view a desired file or use some special feature. When the user takes action, a malicious execution runs. Obfuscated JavaScript, on the other hand, runs after a user opens file, which can be an attachment to or link in the email.

Once the ransomware starts to spread, the authors may use domain-generated algorithms to create the domain name that will be used as C2 (command and control) server. Each domain is unique to the infected host, which allows the attacker to track specific infections and victims as the ransomware progresses.

Common Tactics — Persistence

Flom explained that ransomware authors are modifying registry keys as a way to establish persistence once inside the desired network.

This tactic has been used widely in the past in all types of attacks, so it should be familiar to malware analysts (who should know to check for registry key modification when conducting behavioral analysis). With more advanced ransomware, authors have developed functionality to seek out processes associated with common system diagnostics tools and then terminate them. TeslaCrypt is a great example of this functionality; the ransomware searches for regedit, task manager, process explorer, or if it’s in the presence of a virtual machine or debugger.

Reiterating the need to “go back to the basics,” security practitioners need to intimately know network details and processes so any changes or anomalies, such as modifying registry keys, can be identified quickly and actions can be taken to eradicate or mitigate an infection.

Design for Targeting Specific Technologies

In the past, ransomware cast a wide net, looking for any target it could hit. Using Recorded Future, Flom demonstrated how new ransomware is written to target specific technologies, like JBoss and Magento.


Recorded Future timeline for JBoss and Magento technologies.

The shift may be due to the desire to target tools or systems that will cause the most “pain” if they’re compromised, encrypted, and owner/user is locked out. A tool like a CRM or HR database is a great example, explained Flom. He suggested that organizations incorporate open source penetration testing tools that can help identify vulnerabilities in these systems.

New Ransomware

Using Recorded Future, threat analysts can move toward more proactive intelligence gathering. Ransomware — as well as other types of malware — will always produce new or versions of old and successful variants. It’s important for threat analysts, and security and risk teams in general, to stay up to date on emerging trends and indicators of compromise to ward off attacks and minimize damage.


Keep up with new and emerging trends and IOCs.

Flom built a timeline of events to demonstrate that ransomware shows no signs of slowing down. During the webinar, he built a query against Recorded Future’s data set to look for indicators of recent compromises and attacks. The above timeline shows the prevalence of mentions of ransomware on the web and trending activity in the cyber landscape.

Flom next ran a query on Intelligence Cards™. The Intelligence Cards™ deliver contextual information about an entity and makes it easy for threat analysts or researchers to keep all of the information in one place:


Recorded Future Intelligence Card™ for SNSLocker.

Intelligence Cards™ allow analysts to dig down deeper into related entities seen alongside ransomware, in any context, or at a sentence fragment level. They also pull information, like IP addresses and hashes, that were mentioned in the same context anywhere on the web.

Analysts can continue to click through for more granular information, including specific details on attackers, sources, and IP addresses:


Recorded Future Intelligence Card™ for a malicious IP address. Recorded Future maintains technology integrations with leading security companies like DomainTools, PhishMe, and FireEye, so users can easily link into partner intelligence about an indicator or entity — finding deeper context and information about ransomware or a variant.


What happens if your organization is infected and your files are encrypted? Even with the tightest security controls, any company can become a victim to ransomware. In the best case scenario, your company maintains backups and you can ignore the attacker’s demands. If backups aren’t readily available, Recorded Future customers can run a query for publicly available decryptors, as seen below.


Example query for publicly available decryptors.

In some cases, a decryptor will not be publicly available, but Recorded Future customers may set an alert and be notified if one is published. In addition, users of Recorded Future can see how others in the industry are addressing the issue, again, by setting up alerts that will notify customers whenever information about the particular ransomware variant is posted on the web.

Regardless of what technology you use or how imminent the threat of infection, Flom advises to focus on the basics:

  • Ensure your organization is running up-to-date software
  • Educate users
  • Disable unnecessary functions (macros)
  • Maintain offsite backups
  • Encrypt your data
  • Restrict/disable write access

To learn more about how Recorded Future can protect you from ransomware, contact us today and schedule a personalized demo. You can also view our webinar, “Revealing Ransomware Secrets With All-Source Analysis” for additional details.