Ransomware is a type of malware that targets corporate businesses, public agencies, or even individuals by means of digital extortion. In general terms, Ransomware denies the victim access to their content until a fee (the ‘ransom’) is paid, and promises to restore access subsequently. Generally, Ransomware can be categorized into two main classes: those strains that encrypt files and deny access to data (crypto ransomware) and those that incapacitate the use of a device, typically by locking its interface (locker ransomware).

The first appearance of Ransomware dates back to 2005, when attackers would use misleading application notifications to make false statements about the infection of the victim’s computer and offer to remedy them for a fee. That same year crypto ransomware using asymmetric encryption hit its first targets.

In 2011, there was a significant increase in the popularity of locker ransomware, and attackers began leveraging anonymous payment services to capture payments. Shortly thereafter, anti-malware started becoming very successful in mitigating locker ransomware, and we saw a shift back towards crypto ransomware, including the particularly well-known CryptoLocker from 2013 [1]. Since then, new Ransomware samples have been discovered constantly, and we’ve also seen a steady increase in market size and average ransom fee up to the present day.

Ransomware – the 5-step process

The Ransomware cyber kill chain has the following general structure [2]:

1) Infection

Malicious components are deployed to the victim’s endpoint. This is usually achieved by:

  • Drive-by-download: an automatic download that occurs without the user’s knowledge or consent.
  • Phishing emails: emails with instructions or attachments that lead to infection.
  • Other vulnerabilities: the victim may be infected because of a network vulnerability and not a self-initiated action.

2) Payload Execution and Installation

Ransomware installs itself on the system, exploiting different vulnerabilities depending on the OS (Operating System) and strain, and breaks down its components to go undetected by signature-based AVs (Anti-Virus). Depending on the variety, the malware may not start its destruction phase right away and may instead remain dormant, trying to spread through the network before making itself known.

3) C2 (Command & Control)

Once the ransomware is installed, it will attempt to communicate with the C2 server to receive further instructions. The exchange will vary widely depending on the specific implementation, but it will usually contain some system specifications (e.g. when to start running), and most importantly, the key exchange. Historically, Ransomware has moved away from symmetric key encryption, despite its lower performance overhead, since at some point the key would necessarily be in memory in order to encrypt the files, which creates a possibility of retrieval. If asymmetric key encryption is used, the C2 exchange will consist of the delivery of the public key, with the promise of delivery of the private key upon payment.

4) Encryption

Once the encryption key is secured and the Ransomware has the instructions of what directories and files to target, it will begin encrypting them. Depending on the strain, and in order to try and avoid any kind of behavioral detection, the exact procedure will vary. This will usually consist of a partial or total encryption of targeted files (enough to make them unusable) and will sometimes even include encrypting filenames and changing file types.

5) Ransom

After the data has been encrypted, the malware will make itself known. Unlike most types of malware, Ransomware does not want to remain covert after execution. The extortion phase will consist of an array of intimidation techniques to pressure the victim into payment. A carrot and stick approach may be taken, with the attackers offering to decrypt one file in a show of good faith, or alternatively, starting to delete files with increasing frequency to panic the victim into immediate payment. Ransom fees vary, and in many cases the price is a function of time from first contact. According to industry research, the average ransom demanded today is around $650, over twice the average demanded in 2015. The payment is often demanded in cryptocurrency (such as Bitcoin), which makes it difficult to trace back to the attackers.

The 4 most popular ransomware strains

These are some of the most prevalent strains of the last few years [3]:

1) CryptoLocker

Although not active anymore, CryptoLocker has great historical significance as it had wide success when it first appeared in 2013. It propagated through email, targeting specific file types and demanding approximately $400 as ransom. It’s estimated to have generated $30 million in ransom fees. Although the botnet was shut down in 2014, the CryptoLocker approach has been widely mimicked.

2) CryptoWall

CryptoWall, one of CryptoLocker’s ‘protégés’, first appeared in 2014 and has seen incremental improvements over several iterations. It is known for being distributed using exploit kits and email spam campaigns, implementing an improved encryption procedure to avoid AV detection, deleting volume shadow copies to ensure no alternative recovery, and communicating with the C2 server over the Tor anonymity network.

3) Cerber

Originating in 2016, Cerber belongs to a new family: RaaS (Ransomware-as-a-Service). It has played an important role in making Ransomware the fastest growing cyber-crime and a projected billion-dollar industry.

4) Jigsaw

Using a theme inspired by the movie franchise ‘Saw’, Jigsaw ransomware encrypts and then begins deleting the victim’s files if the ransom fee is not paid within 72 hours. Several countermeasures in the form of decryptors have been released in response, but Jigsaw ransomware remains a good example of scareware, where the attackers rely on the victim’s anxiety and fear to ensure payment.

The growing trend in Ransomware prevalence is undeniable and can in part be attributed to the wide availability of cryptographic products as well as the growth of cryptocurrency [4]. IT security teams should be aware that ransomware is quickly making the transition from sparse and disorganized attacks by cyber-criminals on individual users to well-funded expert teams that deploy clean code (with constant iterations and improvements to avoid detection) aimed at large corporations [5]. Although its impact on mobile phones, tablets, and other day-to-day devices is not significant yet, it will only increase in the near future, and the need for countermeasures will become imperative.

How Skyhigh mitigates cloud ransomware risk

Skyhigh CASB’s comprehensive UEBA (User and Entity Behavior Analytics) modeling provides powerful prediction capabilities based on a fundamental understanding of how a user and their peers interact with the different cloud service providers (CSPs). These dynamically learnt models are combined with Skyhigh’s activity monitoring, which surfaces all the meta information for files that are being acted upon, enabling customers to detect characteristic Ransomware activity signatures and report them in real time.

Most AVs that claim protection against Ransomware are entirely signature based (they detect based on a set of fixed and static rules) and fail to adapt to this rapidly growing threat. While regular security patches and a strong enterprise backup solution are key to protecting corporate data from ransomware, more is needed. Skyhigh’s ability to differentiate organic user behavior from machine-generated attacks can be key in countering those strains that get through AV filters and potentially avoiding further spread inside the company.

The above figure provides a visualization of Skyhigh’s approach to Ransomware risk mitigation. Two main engines are used to generate alerts: Horizontal Triggers (focused on activity correlation and consistency for one entity with itself over time) and Vertical Triggers (looking at how these different entities compare to their peers in one snapshot of time).

By analyzing the baseline activity patterns of a user, Horizontal Triggers call out deviations from the expected behavior at that time, and an alert is generated if this deviation matches characteristic Ransomware signatures. For example, if the number of files a user interacts with sees a pronounced increase over a small window of time, this will contribute as an indicator of Ransomware detection. Notice that because of the variety of strains of Ransomware, no imposition on the specific activity sequence is made (some Ransomware families edit files in place, others generate an encrypted copy and delete the original, etc.).

Such alerts are correlated with any Vertical Triggers (analysis in the user dimension). As shown in the example above, after a small time interval, an account that has a large shift in its ratio of encrypted files compared to its peers will increase our confidence of infection.
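The following sketch illustrates how a Horizontal Trigger and a Vertical Trigger can be correlated. It is an added example and not Skyhigh’s algorithm: the user names, activity counts, encrypted-file ratios, scoring method (z-score and median/MAD) and thresholds are all constructed assumptions.

```python
from statistics import mean, median, pstdev

# Constructed sample: files touched per hour by each user; the last value
# is the current window, the earlier ones are that user's own baseline.
HOURLY_FILE_COUNTS = {
    "alice": [12, 9, 14, 11, 10, 13, 240],   # spike AND encrypted output
    "bob":   [30, 28, 35, 31, 29, 33, 34],
    "carol": [5, 7, 6, 4, 6, 5, 6],
    "erin":  [8, 10, 9, 11, 10, 12, 150],    # spike only, e.g. a bulk upload
}
# Constructed sample: share of files written in the current window that look
# encrypted (how a file is judged "encrypted" is outside this sketch).
ENCRYPTED_RATIO = {"alice": 0.91, "bob": 0.04, "carol": 0.06, "erin": 0.05}


def horizontal_trigger(history, z_threshold=4.0):
    """One entity against itself over time: z-score of the current window."""
    *baseline, current = history
    sigma = pstdev(baseline) or 1.0          # guard against a flat baseline
    z = (current - mean(baseline)) / sigma
    return z >= z_threshold, round(z, 1)


def vertical_trigger(user, ratios, k=5.0):
    """One entity against its peers in a single snapshot (median/MAD score)."""
    peers = [r for u, r in ratios.items() if u != user]
    med = median(peers)
    mad = median(abs(r - med) for r in peers) or 0.01
    score = (ratios[user] - med) / mad
    return score >= k, round(score, 1)


def assess(counts, ratios):
    """Correlate both triggers: both -> alert, one -> watch, none -> normal."""
    verdicts = {}
    for user, history in counts.items():
        h, _ = horizontal_trigger(history)
        v, _ = vertical_trigger(user, ratios)
        verdicts[user] = "alert" if h and v else "watch" if h or v else "normal"
    return verdicts


if __name__ == "__main__":
    for user, verdict in assess(HOURLY_FILE_COUNTS, ENCRYPTED_RATIO).items():
        print(f"{user}: {verdict}")
```

The activity spike alone (erin) only raises a watch; the verdict becomes an alert when the same account also stands out from its peers in encrypted-file ratio (alice).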

This analysis is then enriched by Skyhigh’s registry of known C2 servers, malicious IPs, and other security intelligence data. The model goes back through the account’s past interactions prior to the alert being generated to further validate and assess the Ransomware risk.

By researching and understanding the telltale signs of Ransomware, Skyhigh has been able to develop advanced detection algorithms that alert customers to Ransomware attacks on their cloud-based file sharing systems early, mitigating potential loss.


[1] Deloitte (2016, Aug 12th), Ransomware. Holding Your Data Hostage. [Report]. Retrieved from https://www2.deloitte.com/content/dam/Deloitte/us/Documents/risk/us-aers-ransomware.pdf

[2] Szathmari, Gabor. (2015, November 23rd). Ransomware Playbook – Guide for Handling Ransomware Infections. Retrieved from https://www.demisto.com/playbook-for-handling-ransomware-infections

[3] Brunau, Chris. (2017, March 1st). Common Types of Ransomware. Retrieved from https://www.datto.com/blog/common-types-of-ransomware

[4] Symantec (2016, August 10th), Ransomware and Business 2016. [Report]. Retrieved from http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/ISTR2016_Ransomware_and_Businesses.pdf

[5] Gallo, Timothy and Liska, Allan. (2016). Ransomware: Defending against digital extortion. Sebastopol, CA: O’Reilly Media, Inc.