
How Ransomware Works — Analysis of WannaCry & Ryuk

Anuj Singh (Admin) 30 April 2026 1086 views

Ransomware — How Attackers Hold Data Hostage

Ransomware is malware that encrypts a victim's files and demands a ransom payment to decrypt them. In 2023, ransomware caused over $30 billion in global damages. Understanding how it works is crucial for defense.

How Ransomware Infects Systems

1. Phishing Emails (Most Common)

An email with a malicious attachment (Word document, Excel file, PDF) or link. When the victim opens it, a macro or script executes and downloads the ransomware payload.

2. RDP Brute Force

Attackers scan the internet for machines with Remote Desktop Protocol (port 3389) exposed. They brute-force weak passwords. Once inside, they deploy ransomware manually — this is how most enterprise attacks work.

3. Exploit Kits and Zero-Days

WannaCry used EternalBlue (NSA exploit) targeting unpatched Windows SMB. It self-propagated across networks without any user interaction.

WannaCry — The Ransomware That Attacked 150 Countries

In May 2017, WannaCry infected 230,000+ computers in 150 countries in 24 hours. It hit the UK National Health Service, Telefónica, FedEx, and many more.

How WannaCry Worked

  1. Initial infection: Phishing email or direct exploitation
  2. EternalBlue: Exploited MS17-010 vulnerability in Windows SMB v1
  3. DoublePulsar: Installed backdoor kernel implant (also NSA tool)
  4. Worm module: Scanned for other SMB hosts on port 445 and infected them automatically
  5. Encryption: AES-128-CBC encrypted each file with unique key
  6. Master key encryption: Each unique key was encrypted with attacker's RSA public key
  7. Ransom demand: $300-600 in Bitcoin displayed to user

The Kill Switch

Security researcher Marcus Hutchins discovered WannaCry checked for an unregistered domain. He registered it for $10.69 — and WannaCry stopped spreading globally. This kill switch was a flaw in the malware's design.

Ryuk — The Enterprise Ransomware

Ryuk is ransomware used in highly targeted attacks against large enterprises. It has generated over $150 million in ransoms.

Ryuk Attack Chain

  1. TrickBot or Emotet trojan delivered via phishing (initial access)
  2. Lateral movement across the network over days/weeks
  3. Attackers gain domain admin privileges manually
  4. Deploy Ryuk simultaneously across all machines
  5. Demands range from $100,000 to millions

How Ryuk Encrypts Files

Ryuk uses hybrid encryption:

  1. Generates a unique RSA-2048 key pair per victim
  2. Generates a unique AES-256 key per file
  3. Encrypts each file with AES-256
  4. Encrypts the AES key with the RSA-2048 public key
  5. Stores the encrypted AES key with each file
  6. Only the attacker's RSA private key can decrypt the AES key
  7. Without the private key, recovering the AES keys (and thus the files) is computationally infeasible

Defense Against Ransomware

Technical Controls

  • Regular offline backups: 3-2-1 rule (3 copies, 2 media types, 1 offsite). Test restores monthly.
  • Patch management: the vulnerability WannaCry exploited had been patched 2 months before the attack
  • Disable SMBv1: Set-SmbServerConfiguration -EnableSMB1Protocol $false
  • Restrict RDP: Never expose port 3389 to the internet. Use VPN or Bastion Host
  • Email filtering: Block macro-enabled documents from external emails
  • Application whitelisting: Only allow approved executables to run

Detection

  • Monitor for mass file rename events (ransomware adds extensions like .encrypted)
  • Alert on shadow copy deletion commands: vssadmin delete shadows
  • Monitor for unusual network scanning (lateral movement)
  • Behavioral EDR solutions detect encryption patterns
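An added example, not part of the original post, that runs two of the detections above over constructed log lines: it flags the vssadmin shadow-copy deletion command and a burst of file renames that append a new extension. The line format, hosts, threshold and window are assumptions for the demo, not any product's schema.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample lines ("timestamp host event detail"); not real telemetry.
SAMPLE_LOG = """\
2026-04-30T09:00:00 WS01 process cmd.exe /c vssadmin delete shadows /all /quiet
2026-04-30T09:00:01 WS01 rename C:\\Docs\\q1.xlsx -> C:\\Docs\\q1.xlsx.encrypted
2026-04-30T09:00:01 WS01 rename C:\\Docs\\q2.xlsx -> C:\\Docs\\q2.xlsx.encrypted
2026-04-30T09:00:02 WS01 rename C:\\Docs\\plan.docx -> C:\\Docs\\plan.docx.encrypted
2026-04-30T09:00:02 WS01 rename C:\\Docs\\notes.txt -> C:\\Docs\\notes.txt.encrypted
2026-04-30T09:00:03 WS01 rename C:\\Docs\\budget.pdf -> C:\\Docs\\budget.pdf.encrypted
2026-04-30T09:05:00 WS02 rename C:\\Docs\\draft.docx -> C:\\Docs\\final.docx
2026-04-30T09:06:00 WS02 process vssadmin.exe list shadows
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (process|rename) (.*)$")
# The shadow-copy deletion command named on the page, with optional .exe and flexible spacing.
SHADOW_DELETE_RE = re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.IGNORECASE)


def parse_log(text):
    """Yield (timestamp, host, kind, detail) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, kind, detail = m.groups()
            yield datetime.fromisoformat(ts), host, kind, detail


def is_extension_append(detail):
    """True when 'old -> new' keeps the old name and adds a suffix (new extension)."""
    old, sep, new = detail.partition(" -> ")
    return bool(sep) and new.startswith(old) and len(new) > len(old)


def detect(text, burst_threshold=5, window_seconds=60):
    """Return (host, rule, evidence) alerts; one burst alert per host."""
    alerts, recent, fired = [], {}, set()
    for ts, host, kind, detail in parse_log(text):
        if kind == "process" and SHADOW_DELETE_RE.search(detail):
            alerts.append((host, "shadow_copy_deletion", detail))
        elif kind == "rename" and is_extension_append(detail):
            q = recent.setdefault(host, deque())
            q.append(ts)
            while ts - q[0] > timedelta(seconds=window_seconds):  # drop stale renames
                q.popleft()
            if len(q) >= burst_threshold and host not in fired:
                fired.add(host)
                alerts.append((host, "mass_rename_burst", f"{len(q)} renames in {window_seconds}s"))
    return alerts
```

The ordinary rename on WS02 and the read-only `vssadmin list shadows` produce no alert, which is the point of keying on the append pattern and the `delete` verb rather than on vssadmin alone.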
