Is Ransomware Really as Terrifying as You Think?

Gavin Phillips 20-03-2017

Ransomware is a regular nuisance. A ransomware infection takes your computer hostage and demands payment for release. In some cases, a payment doesn’t secure your files. Personal photos, music, films, work, and more are destroyed. The ransomware infection rate continues to rise — unfortunately, we still haven’t reached the peak — and its complexity is increasing.


There have been notable exceptions to this rule. In some cases, security researchers have cracked the ransomware encryption, allowing them to create a coveted decryption tool. These events are rare, usually arriving when a malicious botnet is taken down. However, not all ransomware is as complex as we think.

The Anatomy of an Attack

Unlike some common malware variants, ransomware attempts to remain hidden for as long as possible. This allows it time to encrypt your personal files. Ransomware is designed to keep the maximum amount of system resources available to the user, so as not to raise the alarm. Consequently, for many users, the first indication of a ransomware infection is a post-encryption message explaining what has happened.

Compared to other malware, ransomware’s infection process is quite predictable. The user downloads an infected file containing the ransomware payload. When the infected file is executed, nothing appears to happen immediately (depending on the type of infection). Meanwhile, the ransomware begins to encrypt the user’s personal files without their knowledge.

As well as this, a ransomware attack has several other distinct behavioral patterns:

  • Distinct ransomware note.
  • Background data transmission between host and control servers.
  • The entropy of files changes.

File Entropy

File entropy can be used to identify files encrypted with ransomware. Writing for the Internet Storm Center, Rob VandenBrink briefly outlines file entropy and ransomware:


In the IT industry, a file’s entropy refers to a specific measure of randomness called “Shannon Entropy,” named for Claude Shannon. This value is essentially a measure of the predictability of any specific character in the file, based on preceding characters (full details and math here). In other words, it’s a measure of the “randomness” of the data in a file — measured in a scale of 1 to 8, where typical text files will have a low value, and encrypted or compressed files will have a high measure.

I would suggest reading the original article as it is very interesting.
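The Shannon entropy calculation the quote describes, together with the "entropy of files changes" behavioral pattern from the list above, is easy to turn into a small detector. The following is an added example written for this page, not code from the article or from the Internet Storm Center: it computes entropy in bits per byte and flags a burst of high-entropy writes inside a short time window. The event format, the 7.0 threshold, the window size and the sample data are all assumptions constructed for the example.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte: 0.0 for a constant
    stream, 8.0 when all 256 byte values occur equally often."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def detect_encryption_burst(events, window_seconds=10.0, min_writes=5, threshold=7.0):
    """events: iterable of (timestamp_seconds, path, bytes_written).

    Returns the paths of the first run of at least `min_writes` high-entropy
    writes that all fall inside `window_seconds`, or [] if there is no burst.
    Threshold and window are assumed tuning values, not from the article."""
    high = sorted((t, path) for t, path, data in events
                  if shannon_entropy(data) >= threshold)
    start = 0
    for end in range(len(high)):
        # Slide the window start forward until the run fits in the window.
        while high[end][0] - high[start][0] > window_seconds:
            start += 1
        if end - start + 1 >= min_writes:
            return [path for _, path in high[start:end + 1]]
    return []


def _pseudo_random_bytes(n, seed=1):
    """Deterministic stand-in for ciphertext: a seeded uniform byte stream."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed samples: plain English text versus a uniform byte stream.
TEXT_SAMPLE = (b"Quarterly sales report. Revenue grew 4% over the previous period. ") * 64
CIPHER_SAMPLE = _pseudo_random_bytes(4096)


def build_sample_events():
    """Constructed write log: three ordinary text writes, then six writes of
    random-looking data to renamed documents within a few seconds."""
    events = [(0.0, "C:/Users/alice/notes.txt", TEXT_SAMPLE),
              (1.5, "C:/Users/alice/todo.txt", TEXT_SAMPLE),
              (3.0, "C:/Users/alice/report.docx", TEXT_SAMPLE)]
    for i in range(6):
        events.append((100.0 + i * 0.5,
                       f"C:/Users/alice/Documents/file{i}.docx.locked",
                       _pseudo_random_bytes(4096, seed=10 + i)))
    return events


if __name__ == "__main__":
    print("text entropy  :", round(shannon_entropy(TEXT_SAMPLE), 2))
    print("cipher entropy:", round(shannon_entropy(CIPHER_SAMPLE), 2))
    print("burst paths   :", detect_encryption_burst(build_sample_events()))
```

The text sample lands around 4 bits per byte and the random stream just under 8, which is the gap the quote describes; the burst detector reports the first five of the six high-entropy writes because that is where the count first reaches `min_writes`. Compressed archives and already-encrypted files also score high, so in practice the write rate and the renaming pattern matter as much as the entropy value itself.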

Is It Different From “Ordinary” Malware?

Ransomware and malware share a common goal: remaining obscured. The user retains a chance of fighting the infection if it is spotted early. The magic word is “encryption.” Ransomware takes its place in infamy for its use of encryption, even though encryption has been used in malware for a very long time.

Encryption helps malware pass under the radar of antivirus programs by confusing signature detection. Instead of seeing a recognizable string of characters that would trigger a defense, the scanner lets the infection slip by unnoticed. Although antivirus suites are becoming more adept at noticing these strings — commonly known as hashes — it is trivial for many malware developers to work around them.

Common Obfuscation Methods

Here are a few more common methods of obfuscation:

  • Detection — Many malware variants can detect whether they are being used in a virtualized environment. This allows the malware to evade the attention of security researchers by simply refusing to execute or unpack. In turn, this stops the creation of an up-to-date security signature.
  • Timing — The best antivirus suites are constantly alert, checking for a new threat. Unfortunately, general antivirus programs cannot protect every aspect of your system at all times. For instance, some malware will only deploy following a system restart, escaping (and likely disabling in the process) antivirus operations.
  • Communication — Malware will phone home to its command and control (C&C) server for instructions. This isn’t true of all malware. However, when it does, an antivirus program can spot specific IP addresses known to host C&C servers and attempt to prevent communication. In this case, malware developers simply rotate the C&C server address, evading detection.
  • False Operation — A cleverly crafted fake program is perhaps one of the most common signs of a malware infection. Unwitting users assume it is a regular part of their operating system (usually Windows) and blithely follow the on-screen instructions. These are particularly hazardous for unskilled PC users and, while acting as a friendly front-end, can allow a host of malicious entities access to a system.

This list isn’t exhaustive. However, it does cover some of the most common methods malware uses to remain obscured on your PC.

Is Ransomware Simple?

Simple is perhaps the wrong word. Ransomware is different. A ransomware variant uses encryption more extensively than its counterparts, as well as in a different manner. The actions of a ransomware infection are what make it notable, as well as creating an aura: ransomware is something to fear.

Ransomware uses somewhat novel features, such as:

  • Encrypting large amounts of files.
  • Deleting shadow copies that would ordinarily allow users to restore from backup.
  • Creating and storing encryption keys on remote C&C servers.
  • Demanding a ransom, usually in untraceable Bitcoin.

Whereas the traditional malware “merely” steals your user credentials and passwords, ransomware directly affects you, disturbing your immediate computing surroundings. Also, its aftermath is very visual.
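Of the features listed above, deleting shadow copies is the one that leaves the clearest trace in endpoint telemetry, because it runs through built-in Windows tools with recognisable command lines. The block below is an added example for this page, not code from the article: it scans process-creation events for the two common shadow-copy deletion forms (`vssadmin delete shadows` and `wmic shadowcopy delete`) and reports the parent process so an analyst can tell a backup job from something launched out of a temp folder. The JSON-lines schema, field names, hostnames and paths are all constructed assumptions, not any product's real log format.

```python
import json
import re

# Detection rules keyed on the command line; case-insensitive because Windows
# tools accept "Delete Shadows" and "delete shadows" alike.
RULES = [
    ("vssadmin shadow copy deletion",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("wmic shadow copy deletion",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
]


def match_rules(cmdline: str):
    """Names of every rule whose pattern matches the command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan_process_log(text: str):
    """Parse JSON-lines process-creation events (assumed schema: time, host,
    parent, image, cmdline) and return one alert dict per matching event."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        for rule in match_rules(ev.get("cmdline", "")):
            alerts.append({"time": ev["time"], "host": ev["host"], "rule": rule,
                           "parent": ev.get("parent"), "cmdline": ev["cmdline"]})
    return alerts


# Constructed sample log: one benign editor launch, one harmless shadow-copy
# listing, then two deletions spawned by an executable in a user's Temp folder.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"time": "2017-03-20T09:58:10Z", "host": "ws-04",
     "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "notepad.exe budget.txt"},
    {"time": "2017-03-20T10:02:41Z", "host": "ws-04",
     "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},
    {"time": "2017-03-20T10:15:03Z", "host": "ws-04",
     "parent": "C:\\Users\\bob\\AppData\\Local\\Temp\\invoice_scan.exe",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"time": "2017-03-20T10:15:04Z", "host": "ws-04",
     "parent": "C:\\Users\\bob\\AppData\\Local\\Temp\\invoice_scan.exe",
     "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
])


if __name__ == "__main__":
    for alert in scan_process_log(SAMPLE_LOG):
        print(alert["time"], alert["host"], alert["rule"], "<-", alert["parent"])
```

The `list shadows` event is deliberately left unmatched: enumerating shadow copies is routine, deleting them is not. Legitimate backup software does delete shadow copies, so the parent image in each alert is what separates a scheduled job from a dropper.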

Ransomware Tactics: Master File Table

Ransomware’s “Wow!” factor certainly comes from its use of encryption. But is the sophistication all it seems? Engin Kirda, Co-Founder and Chief Architect at Lastline Labs, thinks not. He and his team (using research undertaken by Amin Kharraz, one of Kirda’s PhD students) completed an enormous ransomware study, analyzing 1359 samples from 15 ransomware families. Their analysis explored deletion mechanisms, and found some interesting results.

What are the deletion mechanisms? About 36 percent of the five most common ransomware families in the data set were deleting files. If you didn’t pay up, the files were actually being deleted. Most of the deletion, in fact, was quite straightforward.

How would a professional person do this? They would actually aim to wipe the disk so that it’s difficult to recover the data. You would write over the disk, you would wipe that file off the disk. But most of them were, of course, lazy, and they were directly working on the Master File Table entries and marking things as deleted, but the data was still remaining on disk.

Subsequently, that deleted data could be retrieved, and in many cases, fully recovered.
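The distinction Kirda draws, marking a Master File Table entry as deleted versus actually overwriting the data, is the difference between a file that a forensic tool can carve back off the disk and one that is gone. The toy model below is an added example written for this page, not code from the study or from any NTFS implementation: a handful of fixed-size blocks and a file table stand in for the disk and the MFT, `delete_lazy` only flips a flag, `delete_wipe` zeroes the blocks first, and `carve` scans the raw bytes for a known header while ignoring the table entirely. Block size, the `TOYDOC:` header and the file content are constructed assumptions.

```python
BLOCK_SIZE = 64


class ToyDisk:
    """A few fixed-size blocks plus a file table that plays the role of the MFT
    (toy model for illustration, not a real file system)."""

    def __init__(self, block_count=16):
        self.raw = bytearray(BLOCK_SIZE * block_count)   # unused space is zero-filled
        self.table = {}                                   # name -> {"blocks": [...], "deleted": bool}
        self.free_blocks = list(range(block_count))

    def write(self, name, data: bytes):
        needed = -(-len(data) // BLOCK_SIZE)              # ceiling division
        blocks = [self.free_blocks.pop(0) for _ in range(needed)]
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
            self.raw[b * BLOCK_SIZE:b * BLOCK_SIZE + len(chunk)] = chunk
        self.table[name] = {"blocks": blocks, "deleted": False}

    def read(self, name) -> bytes:
        """Normal access path: honours the table, so a deleted file is invisible."""
        entry = self.table.get(name)
        if entry is None or entry["deleted"]:
            raise FileNotFoundError(name)
        data = b"".join(bytes(self.raw[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE])
                        for b in entry["blocks"])
        return data.rstrip(b"\x00")                       # toy content never ends in NUL

    def delete_lazy(self, name):
        """The behaviour the study describes: flag the entry and release the
        blocks. Every byte of the file is still on disk."""
        entry = self.table[name]
        entry["deleted"] = True
        self.free_blocks = sorted(self.free_blocks + entry["blocks"])

    def delete_wipe(self, name):
        """Overwrite the file's blocks before releasing them."""
        for b in self.table[name]["blocks"]:
            self.raw[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE] = bytes(BLOCK_SIZE)
        self.delete_lazy(name)


def carve(disk: ToyDisk, magic: bytes):
    """Forensic-style recovery: scan the raw blocks, not the table, for anything
    that starts with `magic` and runs up to the next zero byte."""
    found, pos = [], 0
    while True:
        i = disk.raw.find(magic, pos)
        if i < 0:
            return found
        end = disk.raw.find(b"\x00", i)
        end = len(disk.raw) if end < 0 else end
        found.append(bytes(disk.raw[i:end]))
        pos = end


# Constructed sample content with a recognisable header for the carver.
MAGIC = b"TOYDOC:"
SECRET = MAGIC + b"Quarterly figures, internal only. Revenue up 4 percent."


def after_lazy_delete():
    d = ToyDisk()
    d.write("report.txt", SECRET)
    d.delete_lazy("report.txt")
    return carve(d, MAGIC)          # the bytes are still there


def after_wiped_delete():
    d = ToyDisk()
    d.write("report.txt", SECRET)
    d.delete_wipe("report.txt")
    return carve(d, MAGIC)          # nothing to recover


def after_lazy_delete_and_reuse():
    """Released blocks are free again, so a later write can clobber them:
    recovery after a lazy delete is likely, not guaranteed."""
    d = ToyDisk()
    d.write("report.txt", SECRET)
    d.delete_lazy("report.txt")
    d.write("new.txt", b"x" * BLOCK_SIZE)   # lands on the block that held SECRET
    return carve(d, MAGIC)


if __name__ == "__main__":
    print("lazy delete :", after_lazy_delete())
    print("wiped delete:", after_wiped_delete())
    print("lazy + reuse:", after_lazy_delete_and_reuse())
```

The third case is the caveat for the recovery advice in the paragraph above: once the freed blocks are reused, the carver has nothing left to find, which is why an infected machine should be imaged or taken offline before anything else writes to the disk.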

[Image: Types of Ransomware Used in Study]


Ransomware Tactics: Desktop Environment

Another classic ransomware behavior is locking the desktop. This type of attack is present in more basic variants. Instead of actually getting on with encrypting and deleting files, the ransomware locks the desktop, shutting the user out of the machine. The majority of users take this to mean their files are gone (either encrypted or completely deleted) and simply cannot be recovered.

Ransomware Tactics: Forced Messages

Ransomware infections notoriously display their ransom note. It usually demands payment from the user for the safe return of their files. In addition to this, ransomware developers send users to specific web pages while disabling certain system features — so they cannot get rid of the page/image. This is similar to a locked desktop environment. It doesn’t automatically mean that the user’s files have been encrypted or deleted.

Think Before Paying

A ransomware infection can be devastating. This is undoubted. However, being hit with ransomware doesn’t automatically mean your data is gone forever. Ransomware developers aren’t all amazing programmers. If there is an easy route to immediate financial gain, it will be taken. They do so in the safe knowledge that some users will pay up because of the immediate and direct threat. It is completely understandable.

The best ransomware mitigation methods remain: back up your files regularly to a non-networked drive, keep your antivirus suite and internet browsers updated, watch out for phishing emails, and be sensible about downloading files from the internet.

Image Credit: andras_csontos via


  1. Bryan
    March 27, 2017 at 5:32 pm

    So has there been any accounts of a Linux distro having issues with Ransomware?

    • Gavin
      March 29, 2017 at 8:42 pm

      Yes. Fairware attacks Linux servers. Linux.Encoder1 attacks regular Linux installations, though has had very limited success. KillDisk also attacks Linux, as well as asking for a 222btc ransom. It also has no way of storing an encryption key, so even if payment is made, those files ain't coming back.

      Thanks for reading and commenting.

  2. analogtek
    March 25, 2017 at 9:21 pm

    Simple--Back-up! And learn low level format VIA command line to wipe drive clean.

  3. ReadandShare
    March 21, 2017 at 7:17 pm

    Thinking more... isn't MBR part of Windows OS? Then messing with MBR should not cause computer to be unbootable - so long as BIOS / UEFI is still good - correct?

  4. ReadandShare
    March 21, 2017 at 4:22 pm

    I feel pretty safe because I have made system backups plus more frequent data backups, both stored offline. My one question: are there now ransomware that can prevent system restore - rendering a computer completely unusable if ransom isn't paid?

    • Gavin Phillips
      March 21, 2017 at 4:30 pm

      Certainly, ReadandShare. The Petya ransomware I talked about above encrypts the Master Boot Record, rendering the entire computer essentially unusable except to interact with the ransom. It stops any access to Safe Mode or the Command Prompt. Other ransomware exhibiting this behaviour include Petya+Mischa and Satana.

      Cisco Talos actually created and released a tool to help stop these types of ransomware modifying or encrypting the MBR.

      Here is a video of it in use:

      Hope that helps!

      • Gavin Phillips
        March 21, 2017 at 4:45 pm

        I just realised I didn't talk about Petya in this article! I'm thinking of an upcoming article looking at how Ransomware can also encrypt cloud drives and unmapped network shares. You see, Petya is really quite a nasty ransomware!

        Just as an aside, here is some info on the Petya crack:


        • ReadandShare
          March 21, 2017 at 7:00 pm

          Thank you for the scary (but necessary and useful) additional info!