How Ransomware Attacks

Company Name: Sophos

This report highlights how ransomware tries to slip unnoticed past security controls by abusing trusted and legitimate processes, and then harnesses internal systems to encrypt the maximum number of files and disable backup and recovery processes before an IT security team catches up.


Most blogs or papers about crypto-ransomware typically focus on the threat’s delivery, encryption algorithms and communication, with associated indicators of compromise (IOCs). This research paper takes a different approach: an analysis of the file system activity or behaviors of prominent crypto-ransomware families (hereafter, simply called ransomware).

Ransomware creators are acutely aware that network or endpoint security controls pose a fatal threat to any operation, so they’ve developed a fixation on detection logic. Modern ransomware spends an inordinate amount of time attempting to thwart security controls, tilling the field for a future harvest.

It’s a lot easier to change a malware’s appearance (obfuscate its code) than to change its purpose or behavior, and ransomware always shows its tell when it strikes. The increasing frequency with which we hear of large ransomware incidents indicates that the code obfuscation techniques ransomware now routinely employs, such as the use of runtime packers, must continue to be fairly effective against some security tools, otherwise the ransomware makers wouldn’t use them.

It’s important to recognize there’s hope in this fight, and a number of ways admins can resist: Windows 10 Controlled Folder Access (CFA) whitelisting is one such way, allowing only trusted applications to edit documents and files in a specified location. But whitelisting isn’t perfect – it requires active maintenance, and gaps or errors in coverage can result in failure when it’s most needed.
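The Controlled Folder Access (CFA) allow-listing just described can be trialled in audit mode before it is enforced, which is the practical answer to the maintenance problem the paragraph raises. The following PowerShell sequence is an added example written for this page, not code from the Sophos report; it assumes an elevated session on a Windows 10/11 host running Microsoft Defender, the folder and application paths are placeholders, and the Defender event IDs come from my knowledge of the Defender operational log rather than from the page.

```powershell
# Added example (not from the Sophos report): rolling out Microsoft Defender
# Controlled Folder Access (CFA) with an explicit allow-list.
# Run in an elevated PowerShell session. Folder and application paths are placeholders.

# 1. Record the current state before changing anything.
$pref = Get-MpPreference
"CFA state: {0}  (0=Disabled, 1=Enabled, 2=AuditMode)" -f $pref.EnableControlledFolderAccess
"Protected folders: {0}" -f ($pref.ControlledFolderAccessProtectedFolders -join '; ')
"Allowed apps:      {0}" -f ($pref.ControlledFolderAccessAllowedApplications -join '; ')

# 2. Start in audit mode: nothing is blocked yet, but every write that *would*
#    have been blocked is logged, which exposes gaps in the allow-list before
#    enforcement can break a legitimate workflow.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 3. Register the locations that must not be encrypted (the "specified location"
#    the report refers to). Placeholder path.
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Finance\Shared'

# 4. Allow only the applications that legitimately edit files there. Anything
#    not listed is denied write access to the protected folders. Placeholder path.
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\LineOfBusiness\lob.exe'

# 5. Review CFA events in the Defender operational log. To my knowledge event
#    ID 1124 is an audited (would-be-blocked) write and 1123 an enforced block.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List

# 6. Once the audit log shows only writes you expect to deny, switch to enforcement.
Set-MpPreference -EnableControlledFolderAccess Enabled
```

Two caveats follow directly from the paragraph above. First, the allow-list is keyed on executable path, so a trusted application that ransomware hijacks or injects into keeps its write access; the list is a mitigation, not a guarantee. Second, every new tool, update or script that touches the protected folders shows up as a 1124 audit event (or a 1123 block once enforced), so the log review in step 5 has to become a routine, not a one-off, or the coverage gaps the report warns about reappear.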
