
Ransomware: A Beginner’s Guide to Threat Detection

  • by Darren Mccutchen

If you followed the news in early 2021, you saw the word “ransomware” everywhere. Each week another major company revealed a ransomware attack, but this threat isn’t new – the first large-scale case, the AIDS Trojan, spread by floppy disk in 1989. 

NetWitness knows how damaging a ransomware incident can be, so we created this Ransomware FAQ to help. It explains major ransomware types, common distribution methods, and best practices for ransomware detection and enterprise-level ransomware protection. You’ll also find guidance on advanced threat detection techniques, continuous threat investigation and response, and how threat detection and response services can strengthen your overall cybersecurity detection and response strategy. 

What is Ransomware? 

Ransomware is a class of malware that, once executed on a victim’s computer, renders the system and/or its data inaccessible until a ransom is paid. It does this in one of two ways: 

  1. Locker ransomware blocks basic system functions, leaving the computer inoperable. Its goal is to deny access to the system, not to destroy data. 
  2. Crypto ransomware identifies and encrypts the contents of entire drives and/or specific valuable data on the victim system. Beginning with CryptoLocker in 2013, most modern ransomware attacks involve some form of data encryption. 

What does Ransomware cost companies? 

Stronger encryption, cryptocurrency payments, and easier distribution mean the major difference between 1989 and today is financial: 

  • In 2019, costs associated with ransomware attacks passed $7.5 billion. 
  • In 2021, medium-sized organizations paid an average of $170,404 per ransom demand. 
  • Between 2018 and 2020, the typical requested ransom rose roughly 4,000%, from about $5,000 to around $200,000. 


High-Profile Attacks Highlight Need for Threat Detection and Response Services 

In 2021 alone there were several major high-profile ransomware attacks, together costing hundreds of millions of dollars. These incidents underline why enterprises rely on cyber security detection and response programs and proactive threat detection, investigation and response strategies: 

  • CNA: US insurer CNA paid a $40 million ransom after a Phoenix CryptoLocker attack attributed to Evil Corp hit 15,000 devices, including remote VPN users, forcing systems and its website offline. 
  • Colonial Pipeline Company: In May 2021, DarkSide used a leaked VPN password to deploy ransomware on Colonial’s network, forcing a multi-day pipeline shutdown that caused fuel shortages and price spikes. Facing threats to leak 100 GB of stolen data, Colonial paid a $4.4 million ransom. 
  • JBS USA: At the end of May 2021, meat processor JBS was hit by REvil ransomware, idling plants in Australia and North America. The group had been exfiltrating data for about three months before encrypting systems, and JBS paid $11 million in Bitcoin to end the incident. 


How is Ransomware distributed? 

From the first widely distributed attacks using a floppy disk to the use of botnets in the mid to late 2000s, ransomware distribution methods have evolved over the years. Modern attackers blend phishing, automated scanning, and Ransomware-as-a-Service to get past even well-tuned detection controls. The most recent ransomware families and their variants most frequently employ the following techniques: 

  • Phishing: Malicious emails with infected links or attachments remain the top ransomware delivery vector. Proofpoint reports that 47% of successful phishing campaigns lead to ransomware. Ryuk, created by the Russian group WIZARD SPIDER, often follows a TrickBot infection that began with such an email. 
  • Automated recon scans: Attackers use internet-wide scans (e.g., Shodan) to find exposed systems with open ports such as RDP (TCP/3389) or unpatched software; an RDP service reachable from the internet with a weak or reused password is one of the most common entry points. Clop exploited Accellion FTA zero-days (CVE-2021-27102 and CVE-2021-27104) to gain remote code execution. 
  • Ransomware-as-a-Service (RaaS): A newer distribution model, RaaS outsources the initial compromise of corporate systems (some operators outsource everything up to ransom collection) in exchange for a subscription fee or a share of the profits. While there are multiple RaaS revenue models, groups like DoppelPaymer, Maze, and NetWalker run affiliate programs: the operators provide the malware, infrastructure, and support, the affiliates handle delivery, and the profits are split between them. 


Stages of a Ransomware Infection and Threat Detection Response 

Once a target has been identified, the ransomware lifecycle can be observed through the following stages. Each stage demands robust threat detection investigation and response to stop attackers early:  

  1. Initial Access/Distribution: Ransomware often starts like other malware, spreading through drive-by downloads, malicious files, third-party compromises, or as a second stage of existing malware. Because these vectors mimic other threats, it is hard to identify the attack as ransomware at this point. 
  2. Infection: Once the dropper lands on the victim machine, it downloads a malicious executable, often from a hardcoded URL or as the second stage of the initial infection. You might see network traffic to suspicious IPs or domains hosting the payload. The file is usually saved in the Windows %temp% folder (sometimes in C:\ or C:\Windows), the dropper deletes itself, and the downloaded executable runs. 
  3. Payload Staging: At this point the ransomware sets itself up for successful execution. The main goals of this stage are to make sure the attack completes and to persist through system shutdowns. Actions the ransomware may take during this stage include but are not limited to: 
  • Checking whether ransomware has previously been deployed on the system. 
  • Checking, adding, and modifying Registry values. 
  • Discovering user accounts and their associated privileges. 
  • Attempting privilege escalation. 
  • Identifying mapped network shares. 
  • Deleting system backups. 
  • Disabling recovery tools. 
  • Generating encryption/decryption keys. 
  • Adjusting system boot settings (some variants reboot the victim into Safe Mode). 
  • Depending on the variant, establishing C2 communication. 
  4. Scanning: After staging, the ransomware scans for files to encrypt, often using a hardcoded list of target extensions or exclusions. In human-operated attacks, adversaries may manually pick high-value data. Others, like Petya, simply encrypt the entire drive. Using the network mapping from the staging phase, ransomware can also locate remote systems and files, and many recent strains extend encryption to connected cloud storage. 
  5. Data Encryption: With the target data identified, the ransomware begins encrypting. Files are encrypted in one of two ways: 
  • Overwrite: the encrypted data is written over the original data and the file is renamed. 
  • Copy/delete: a copy of the original data is encrypted and the original is deleted. 

Different ransomware families prefer specific encryption algorithms or a combination of several. In the Kaseya supply chain attack, for example, REvil used a combination of Curve25519 (asymmetric) and Salsa20 (symmetric) to encrypt target files: each file is encrypted with a symmetric key, and that key is protected with the attacker’s public key so that only the attacker’s private key can recover it. Immediately before, during, or after encryption, files are renamed with a ransomware-identifying extension that is either hardcoded or generated dynamically. 

  6. Ransom Demand: Ransomware typically leaves a note, a “calling card” from the attacker, on infected systems. It might appear in a single folder, in every folder containing encrypted files, or as a desktop lock screen. These notes usually share traits such as a title, phrasing, or a group name that identify the attacker, and variants within a ransomware family often reuse the same format. 

The note states the cryptocurrency payment demand, instructions for reaching the payment portal, and a contact point. Victims who pay receive a private decryption key, but there is no guarantee it works: Sophos reports that 92% of victims who paid still lost data, with over half losing at least a third of their files. 
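The file-system side of the Data Encryption and Ransom Demand stages above produces distinctive event patterns, and the script below, added here as an example (it is not NetWitness code and is not derived from any real sample), runs detection logic over constructed endpoint telemetry: it separates the overwrite-and-rename method from the copy-and-delete method by their event sequences, flags a burst of extension changes by a single process, and spots one note file being dropped across many directories. The event format, host and process names, extensions and thresholds are all assumptions chosen for the demonstration.

```python
"""Detect ransomware-style file activity in constructed endpoint telemetry.

Added example, not NetWitness code. Assumptions: events arrive as
(timestamp, host, process, operation, path[, new_path]) with Windows paths;
thresholds are tuned low so the small constructed sample trips them.
"""
import ntpath
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FsEvent:
    ts: float           # seconds since the start of the capture
    host: str
    process: str
    op: str             # "write", "rename", "create" or "delete"
    path: str
    new_path: str = ""  # only set for "rename"


WINDOW_SECONDS = 10.0   # assumption: burst window
RENAME_THRESHOLD = 5    # assumption: files replaced per window before alerting
NOTE_DIR_THRESHOLD = 3  # assumption: same file name dropped in this many directories


def _ext(path):
    return ntpath.splitext(path)[1].lower()


def _max_in_window(stamps, window):
    """Largest number of timestamps falling inside any window-second span."""
    stamps = sorted(stamps)
    best = left = 0
    for right in range(len(stamps)):
        while stamps[right] - stamps[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def detect_encryption_bursts(events, window=WINDOW_SECONDS, threshold=RENAME_THRESHOLD):
    """One alert per (host, process) that replaced >= threshold files inside a window.

    Overwrite method: the process writes a file in place, then renames it with a
    new extension.  Copy/delete method: it creates <original>.<ext>, then deletes
    <original>.  Each hit records the time and the new extension.
    """
    by_actor = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_actor[(e.host, e.process)].append(e)

    alerts = []
    for (host, process), evs in by_actor.items():
        written = set()
        created = {}  # original path -> (ts, appended extension)
        hits = {"overwrite": [], "copy/delete": []}
        for e in evs:
            if e.op == "write":
                written.add(e.path)
            elif e.op == "rename" and e.path in written and _ext(e.new_path) != _ext(e.path):
                hits["overwrite"].append((e.ts, _ext(e.new_path)))
            elif e.op == "create":
                original, ext = ntpath.splitext(e.path)
                created[original] = (e.ts, ext)
            elif e.op == "delete" and e.path in created:
                hits["copy/delete"].append(created[e.path])
        for method, stamped in hits.items():
            burst = _max_in_window([ts for ts, _ in stamped], window)
            if burst >= threshold:
                top_ext = Counter(x for _, x in stamped).most_common(1)[0][0]
                alerts.append({"host": host, "process": process, "method": method,
                               "files": burst, "extension": top_ext})
    return alerts


def detect_ransom_notes(events, min_dirs=NOTE_DIR_THRESHOLD):
    """Flag one file name created by one process in many directories (note fan-out).

    This only fires once encryption is already under way, which is why the page
    treats ransom-note naming as a late indicator.
    """
    dirs = defaultdict(set)
    for e in events:
        if e.op == "create":
            directory, name = ntpath.split(e.path)
            dirs[(e.host, e.process, name.lower())].add(directory.lower())
    return [{"host": h, "process": p, "note": n, "directories": len(d)}
            for (h, p, n), d in dirs.items() if len(d) >= min_dirs]


def _constructed_sample():
    """Constructed telemetry: one benign save, then two ransomware-style patterns."""
    docs = r"C:\Users\dana\Documents"
    ev = [  # Word saves via a temp file: one extension change, below threshold
        FsEvent(0.0, "WS01", "WINWORD.EXE", "write", docs + r"\~q3.tmp"),
        FsEvent(0.5, "WS01", "WINWORD.EXE", "rename", docs + r"\~q3.tmp", docs + r"\q3.docx"),
    ]
    for i in range(6):  # overwrite method: write in place, then rename to .locked
        f = rf"{docs}\report{i}.docx"
        ev.append(FsEvent(10.0 + i * 0.4, "WS01", "updater.exe", "write", f))
        ev.append(FsEvent(10.2 + i * 0.4, "WS01", "updater.exe", "rename", f, f + ".locked"))
    for d in (docs, r"C:\Users\dana\Pictures", r"C:\Users\dana\Desktop"):
        ev.append(FsEvent(13.0, "WS01", "updater.exe", "create", d + r"\HOW_TO_RESTORE.txt"))
    share = r"\\FS01\finance"
    for i in range(6):  # copy/delete method against a mapped share from a second host
        f = rf"{share}\ledger{i}.xlsx"
        ev.append(FsEvent(20.0 + i * 0.4, "WS02", "helper.exe", "create", f + ".crypt"))
        ev.append(FsEvent(20.1 + i * 0.4, "WS02", "helper.exe", "delete", f))
    return ev


SAMPLE_EVENTS = _constructed_sample()

if __name__ == "__main__":
    for alert in detect_encryption_bursts(SAMPLE_EVENTS) + detect_ransom_notes(SAMPLE_EVENTS):
        print(alert)
```

The Word save is deliberately included: a single temp-file rename with an extension change is normal, so the detector keys on volume per process per window rather than on any one rename. In production the thresholds would be tuned to the environment and the copy/delete check would also consider the encrypted copy landing on a remote share, since several families encrypt mapped drives from one or two hosts.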


What are Common Behaviors of Ransomware families? 

With numerous ransomware families and their variants active in the wild, cybersecurity professionals need a common set of criteria to identify, respond to, and mitigate attacks more easily. 

Some of the methods we’ve witnessed across multiple ransomware attacks include: 

  • Privilege escalation attempts prior to lateral movement. 
  • Disabling of security tools and killing of specific system processes (for example database or backup services that hold files open). 
  • Deletion of Volume Shadow Copies (via vssadmin, WMI, or other means). 
  • Recovery prevention via bcdedit (disabling Windows recovery and automatic repair). 
  • Preference for remote encryption of mapped network drives from one or two infected hosts. 
  • Encryption of files (overwrite vs. copy/delete method). 
  • Renaming of files. 
  • Creation of a ransom note. 

Not every ransomware variant will display every one of these traits. However, some combination of these common behaviors will be present in most ransomware attacks. 

Ransomware Detection: Key Red Flags to Monitor 

Using network and endpoint data, these are the ransomware red flags to look for: 

1. A large number of files renamed in a short period of time. 

2. Access to, and disabling of, services, processes, or applications that could detect execution of ransomware payloads. 

3. Deletion of system backups, recovery partitions, and volume shadow copies. 

4. System event logs disabled or cleared. 

Example command-line arguments: 

  • “C:\Windows\System32\wevtutil.exe” cl Security 
  • “C:\Windows\System32\wevtutil.exe” cl System 
  • “C:\Windows\System32\wevtutil.exe” cl Application 
  • “C:\Windows\System32\wevtutil.exe” cl Setup

5. Ransom-note file naming conventions (useful only for catching an attack already under way, since the note is dropped during or after encryption). 

This is not a comprehensive list but should provide a starting point for ransomware detection of characteristics associated with a ransomware attack. 
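The process-level red flags above (backup and shadow-copy deletion, recovery tampering, security-tool and service termination, and the wevtutil log-clearing command lines) are easiest to act on when they are correlated per host rather than alerted on one at a time. The script below is an added example, not NetWitness code: it turns those behaviours into a small rule set, runs it over constructed process-creation events in the shape Sysmon event 1 or Windows event 4688 would provide, and alerts only when one host shows several distinct staging behaviours within a short window. The log format, host names, timestamps and window are assumptions made for the demonstration.

```python
"""Flag ransomware staging commands in constructed process-creation telemetry.

Added example, not NetWitness code.  Assumed input: one event per line,
tab-separated as  timestamp  host  user  image  command line  (the fields
Sysmon event 1 or Windows event 4688 provide).  Sample lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (category, pattern) checked in order; all matched case-insensitively.
RULES = [
    ("shadow_copy_deletion", r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b"),
    ("shadow_copy_deletion", r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b"),
    ("backup_catalog_deleted", r"\bwbadmin(\.exe)?\b.*\bdelete\s+(catalog|systemstatebackup)\b"),
    ("recovery_disabled", r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b"),
    ("recovery_disabled", r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b"),
    ("event_log_cleared", r"\bwevtutil(\.exe)?\b.*\b(cl|clear-log)\s+\S+"),
    ("process_killed", r"\btaskkill(\.exe)?\b.*\s/(im|pid)\s"),
    ("service_stopped", r"\b(net1?|sc)(\.exe)?\s+(stop|config)\s+\S+"),
]
COMPILED = [(cat, re.compile(pat, re.IGNORECASE)) for cat, pat in RULES]


def categorize(cmdline):
    """Return the staging behaviour a command line matches, or None."""
    for cat, rx in COMPILED:
        if rx.search(cmdline):
            return cat
    return None


def parse_line(line):
    """Parse one tab-separated event; the command line may itself contain tabs."""
    ts, host, user, image, cmdline = line.split("\t", 4)
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "host": host, "user": user, "image": image, "cmdline": cmdline}


def correlate(events, window=timedelta(minutes=15), min_categories=2):
    """Alert when one host shows >= min_categories distinct behaviours within window.

    A lone 'net stop' from an administrator is noise; shadow-copy deletion plus
    recovery tampering plus log clearing on one host within minutes is not.
    """
    by_host = defaultdict(list)
    for ev in events:
        cat = categorize(ev["cmdline"])
        if cat:
            by_host[ev["host"]].append((ev["ts"], cat, ev["cmdline"]))
    alerts = []
    for host, hits in sorted(by_host.items()):
        hits.sort()
        for start, _, _ in hits:
            span = [h for h in hits if start <= h[0] <= start + window]
            cats = sorted({c for _, c, _ in span})
            if len(cats) >= min_categories:
                alerts.append({"host": host, "start": start.isoformat(),
                               "categories": cats, "commands": [c for _, _, c in span]})
                break  # one alert per host per burst is enough for this demo
    return alerts


# Constructed sample: two benign admin commands, a staging burst on WS07,
# and an unrelated service stop hours later on WS03.
_SYS = r"NT AUTHORITY\SYSTEM"
_S32 = r"C:\Windows\System32"
_ROWS = [
    ("2021-06-01T09:14:02Z", "WS01", r"CORP\dana", _S32 + r"\vssadmin.exe", "vssadmin list shadows"),
    ("2021-06-01T09:40:55Z", "SRV-FILE01", r"CORP\ops.admin", _S32 + r"\wevtutil.exe", "wevtutil qe Security /c:5 /rd:true"),
    ("2021-06-01T10:02:11Z", "WS07", _SYS, _S32 + r"\vssadmin.exe", "vssadmin.exe Delete Shadows /All /Quiet"),
    ("2021-06-01T10:02:12Z", "WS07", _SYS, _S32 + r"\wbem\WMIC.exe", "wmic shadowcopy delete"),
    ("2021-06-01T10:02:14Z", "WS07", _SYS, _S32 + r"\bcdedit.exe", "bcdedit /set {default} recoveryenabled No"),
    ("2021-06-01T10:02:15Z", "WS07", _SYS, _S32 + r"\bcdedit.exe", "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    ("2021-06-01T10:02:40Z", "WS07", _SYS, _S32 + r"\taskkill.exe", "taskkill /F /IM sqlservr.exe"),
    ("2021-06-01T10:02:41Z", "WS07", _SYS, _S32 + r"\net.exe", "net stop MSSQLSERVER /y"),
    ("2021-06-01T10:03:38Z", "WS07", _SYS, _S32 + r"\wevtutil.exe", r'"C:\Windows\System32\wevtutil.exe" cl Security'),
    ("2021-06-01T10:03:39Z", "WS07", _SYS, _S32 + r"\wevtutil.exe", r'"C:\Windows\System32\wevtutil.exe" cl System'),
    ("2021-06-01T13:00:00Z", "WS03", r"CORP\ops.admin", _S32 + r"\net.exe", "net stop Spooler"),
]
SAMPLE_LOG = "\n".join("\t".join(r) for r in _ROWS)

if __name__ == "__main__":
    for alert in correlate(parse_line(l) for l in SAMPLE_LOG.splitlines()):
        print(alert["host"], alert["start"], alert["categories"])
```

The two benign lines matter as much as the malicious ones: `vssadmin list shadows` and `wevtutil qe` are routine administration and must not match, which is why the patterns anchor on the destructive verb (`delete shadows`, `cl`) rather than on the tool name alone.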


Frequently Asked Questions

1. What is threat detection and response?

Threat detection and response is the practice of identifying and neutralizing cyber threats across endpoints, networks, and cloud systems using continuous monitoring and automated investigation.

2. How to detect insider threats?

Use behavior analytics, privilege monitoring, and advanced threat detection tools to spot unusual data access patterns.

3. What are the 4 methods of threat detection?

The four primary methods are signature-based detection, anomaly-based detection, heuristic analysis, and behavior-based detection.

4. Why are managed threat detection and response services important for ransomware?

They provide 24/7 monitoring, quick investigation, and rapid containment when ransomware indicators appear.

5. How do threat detection investigation and response stop ransomware attacks?

By correlating network, endpoint, and cloud data, these services identify early compromise signs and trigger immediate response actions. 
