It’s easy enough to understand what ransomware does: It holds your data for ransom by encrypting it until you pay a fee to the threat actors.
But how does ransomware actually work? That’s a more complex question. Different types of ransomware operate in different ways, which means there is no simple rule to follow to protect your business (or yourself) from ransomware.
To illustrate this point, this article walks through three examples of major ransomwares and explains the attack techniques used by each one. It also discusses ransomware protection strategies that can mitigate the risks associated with each of these ransomwares.
Conti ransomware, which first surfaced in 2020, uses hash values APIs to call low-level OS services within the kernel. Through these calls, the ransomware can gain kernel-level access to memory and processes, which makes it possible to steal sensitive files and information. Conti was distributed by a cybersecurity community called Wizard Spier and its threat actors typically threaten to publish sensitive data unless victims pay a ransom.
What makes Conti especially insidious is that, in the second half of 2020, the ransomware’s creators updated the software in a way that allows it to evade common threat detection tools. Current versions of Conti achieve this evasion by disabling hooking, a method that security tools typically use to detect malicious activity, on the systems that it infects.
Conti ransomware protection
In the case of the Conti variant, the key to protection against the ransomware is to disable unhooking by preventing software from removing API hooks within operating system files.
Minerva was able to prevent an attack that uses this new variant of Conti, against one of our customers. Although other security tools are not yet capable of detecting the zero-day threat posed by the Conti variant, Minerva has successfully stopped these attacks.
First detected in 2018, Ryuk is a targeted ransomware variant that focuses on quality over quantity. It’s designed to be deployed against a specific victim via an attack path that threat actors have researched and identified within the victim’s IT infrastructure.
In most cases, Ryuk attacks are initiated using spear phishing, which involves deploying custom phishing emails or other messages at specific users within an organization. Once the user clicks on the phishing email, Ryuk gains a beachhead on the user’s computer. From there, it downloads additional malware elements called droppers, to launch a full-fledged attack against the victim organization by encrypting critical files. Threat actors usually demand an extremely large ransom to restore access.
Ryuk is another ransomware that we at Minerva know well. We’ve successfully defended clients against Ryuk attacks. We are proud to say that in one case, we preemptively prevented the attack in its very early stages, 28 days before it was first submitted to VirusTotal.
REvil, which has existed since at least April 2019 and is perhaps most notorious for its involvement in an attack against Kaseya, is an example of a special class of ransomware: Ransomware-as-a-Service, or RaaS, which aims to make it easy for threat actors to deploy the ransomware even if they lack specific technical skills.
REvil used Sodinokibi, which works via process injection. That means that it injects code into the processes running on a system, allowing it to access any memory, disk, network or other resources that the process can access.
Using this technique, REvil can encrypt files. What’s more, the fact that Sodinokibi injects code into processes makes Sodinokibi even harder to detect. The processes themselves may appear legitimate to the OS and to security monitoring tools, even if they contain malicious code.
As of July 2021, REvil, which was likely based in Russia, seems to have ceased operations. Theories as to why include a deliberate effort by the U.S. Cyber Command to take down the group’s sites, or a takedown by the Russian government. It’s also possible that the group voluntarily stopped its operations in order to avoid being caught in the crossfire between the American and Russian governments.
REvil ransomware protection
Despite REvil’s ability to hide within processes that appear legitimate, at Minerva, we were able to preemptively prevent REvil attacks, without needing to rely on our knowledge of Sodinokibi, a similar ransomware.
As the image above shows, our technology began preventing REvil attacks five hours earlier than they started to be reported to VirusTotal, a site that tracks malware and ransomware threats.
Conclusion: How to protect your business against ransomware
Different ransomwares work in different ways. Some exploit vulnerabilities in an operating system, while others rely on unsuspecting users to help them gain entry via phishing attacks.
What this means is that there is no simple means of detecting or preventing all types of ransomware attacks. What’s more, the ability of some ransomwares to obfuscate themselves in order to evade detection makes it all the more difficult to prevent attacks before damage is done.
That’s why you need cybersecurity tools on your side that integrate the deep expertise required to respond to a variety of ransomware attack techniques -- including those associated with unknown ransomwares that are not yet widely understood. Minerva’s technology does this by drawing on our team’s deep cybersecurity expertise to prevent attacks from multiple threat attacks preemptively. Even in the case of previously unknown threats, Minerva has established a track record of stopping ransomware before it causes any damage.
Learn more by requesting a demo or contacting the Minerva team by clicking below: