How do you find out what type of ransomware you have?

Ransomware is malware that encrypts files on a device and demands payment for the key needed to decrypt them. If your organization has been hit, identifying the specific family quickly tells you how it spreads, which variants exist, whether a free decryptor is available, and how to recover. Here are some tips on determining what type of ransomware you may be dealing with.

Examine Encrypted Files

One of the first things to look at is which files were encrypted. Many strains carry a target list of extensions (Office documents, images, PDFs, archives, databases and backups). Others do the opposite and encrypt everything except an exclusion list of system directories and extensions, so that the machine stays bootable and the victim can still read the ransom note. REvil (Sodinokibi), for example, is of the second kind: its configuration holds a whitelist of folders, file names and extensions to skip rather than a list of targets.

Check a sample of encrypted files and note which extensions were touched and which were left alone. Indiscriminate encryption of nearly everything points to families that use an exclusion list; encryption limited to particular data types points to families with a target list. The exact set of targeted or skipped extensions is itself a fingerprint that analysts publish for each family, so it is worth recording precisely.

Examine Encrypted File Names

In addition to file extensions, look closely at the encrypted file names. Many ransomware variants append, prepend or completely replace the file name with strings that serve as identifiers. These can include the family's own extension, an email address or Tor address for contacting the operators, a per-victim ID, or random strings.

For example, Cerber discarded the original file name entirely, replacing it with a random string and appending its own extension: [random characters].cerber (later versions changed the extension).

Locky also replaced the name: its files became a 32-character hexadecimal string (the first 16 characters a victim ID, the rest random) followed by .locky, for example F67091F1D24A922B1A7FC27E19A9D9BC.locky. Later Locky variants switched to a dashed layout and new extensions such as .zepto, .odin and .thor.

By isolating and searching these strings, you may be able to quickly determine the ransomware responsible based on naming patterns.
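
As an added example (not code from the original article), the following Python reduces a set of encrypted file names to the renaming scheme they follow and pulls out the tokens worth searching: the appended extension, embedded email addresses and hex IDs. The sample names are constructed to resemble the schemes described above; nothing in it is a lookup table of real families.

```python
import re
from collections import Counter

# Tokens ransomware commonly embeds in renamed files.
EMAIL_RE = re.compile(r"\[?([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})\]?")
GUID_RE = re.compile(r"\b[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\b", re.I)
HEX_RE = re.compile(r"\b[0-9A-F]{8,32}\b", re.I)
# Extensions the victim's own data normally carries; anything after them was added.
DATA_EXTS = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "jpg", "png",
             "txt", "zip", "sql", "bak", "mdb", "psd", "csv"}


def analyze_name(name):
    """Reduce one encrypted file name to a template plus the tokens worth searching.

    'report.docx.id-A1B2C3D4.[victim@example.com].locked' becomes
    '<name>.<ext>.id-<hex>.<email>.locked', with the email, the hex ID and the
    added extension 'locked' returned separately.
    """
    markers = {"emails": EMAIL_RE.findall(name)}
    t = EMAIL_RE.sub("<email>", name)
    markers["guids"] = GUID_RE.findall(t)
    t = GUID_RE.sub("<guid>", t)
    markers["hex_ids"] = HEX_RE.findall(t)
    t = HEX_RE.sub("<hex>", t)

    parts = t.split(".")
    template = []
    for i, part in enumerate(parts):
        if part.lower() in DATA_EXTS:
            template.append("<ext>")
        elif i == 0 and not part.startswith("<"):
            template.append("<name>")  # original base name, or a random replacement
        else:
            template.append(part)       # literal: the family's own extension or marker
    last = parts[-1]
    markers["added_ext"] = last if len(parts) > 1 and last.lower() not in DATA_EXTS else ""
    return ".".join(template), markers


def summarize(names):
    """Aggregate templates and tokens over many names. One dominant template per
    host is typical, because a single family renames every file the same way."""
    templates, added_exts = Counter(), Counter()
    emails, ids = set(), set()
    for name in names:
        template, m = analyze_name(name)
        templates[template] += 1
        if m["added_ext"]:
            added_exts[m["added_ext"]] += 1
        emails.update(m["emails"])
        ids.update(m["hex_ids"] + m["guids"])
    return {"templates": templates, "added_exts": added_exts,
            "emails": sorted(emails), "ids": sorted(ids)}


# Constructed sample: what a directory listing might look like after encryption.
SAMPLE_NAMES = [
    "report.docx.id-A1B2C3D4.[victim@example.com].locked",
    "budget.xlsx.id-A1B2C3D4.[victim@example.com].locked",
    "photo.jpg.id-A1B2C3D4.[victim@example.com].locked",
    "F67091F1D24A922B1A7FC27E19A9D9BC.locky",  # Locky-style: name replaced by 32 hex chars
    "Q8kZp3vT0r.cerber",                         # Cerber-style: random name, family extension
]

if __name__ == "__main__":
    result = summarize(SAMPLE_NAMES)
    for template, count in result["templates"].most_common():
        print(f"{count:3d}  {template}")
    print("search for:", result["added_exts"], result["emails"], result["ids"])
```

Run it against a real listing (for example the output of `dir /s /b` on an affected share) and the templates collapse to one or two schemes per host; the literal parts of the dominant template, the added extension and any email or ID are the strings to put into a search engine or an identification service.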

Review Ransom Note Contents

The ransom note or text dropped onto systems by the malware provides another source of intel. Notes sometimes name the family outright, and almost always carry payment instructions, a victim ID, contact email addresses or a Tor portal URL, and warnings against renaming files or using third-party decryptors. Unique strings, addresses and turns of phrase can quickly be correlated with known ransomware.

You can also copy a distinctive phrase from the note (not the parts that vary per victim, such as the ID, the contact address or the onion URL) and search for it online. Petya's note, for instance, announced "You became victim of the PETYA RANSOMWARE!", which leads straight to that family. Services such as ID Ransomware accept an uploaded note and one encrypted file and return the family when it is known.
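
The following Python is an added example, not code from the original article: it extracts the contact and payment details from a ransom note, strips the per-victim values so that notes from different victims of the same family hash to the same fingerprint, and checks the note against a small phrase signature table. The note text and the signature table are constructed for the example and are not the wording or intelligence of any real family.

```python
import hashlib
import re

# Per-victim values that change between infections of the same family.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
ONION_RE = re.compile(r"\b[a-z2-7]{16}(?:[a-z2-7]{40})?\.onion\b", re.I)  # v2 or v3 address
BTC_RE = re.compile(r"\b(?:bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
HEX_ID_RE = re.compile(r"\b[0-9A-F]{8,64}\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def extract_iocs(note):
    """Pull the contact points and payment details out of a ransom note."""
    return {
        "emails": sorted(set(EMAIL_RE.findall(note))),
        "onion_hosts": sorted(set(h.lower() for h in ONION_RE.findall(note))),
        "urls": sorted(set(URL_RE.findall(note))),
        "btc_addresses": sorted(set(BTC_RE.findall(note))),
        "ids": sorted(set(HEX_ID_RE.findall(note))),
    }


def normalize(note):
    """Replace everything victim-specific with placeholders and fold case and
    whitespace, so two notes from the same family collapse to the same text."""
    t = URL_RE.sub("<url>", note)
    t = ONION_RE.sub("<onion>", t)
    t = EMAIL_RE.sub("<email>", t)
    t = HEX_ID_RE.sub("<id>", t)
    t = BTC_RE.sub("<btc>", t)
    return " ".join(t.lower().split())


def fingerprint(note):
    """SHA-256 over the normalized text; stable across victims of one family."""
    return hashlib.sha256(normalize(note).encode("utf-8")).hexdigest()


def match_phrases(note, signatures):
    """Return the labels whose characteristic phrases all occur in the note.
    `signatures` maps a label to a list of phrases (compared case-insensitively)."""
    text = normalize(note)
    return sorted(label for label, phrases in signatures.items()
                  if all(p.lower() in text for p in phrases))


# Constructed note text; it is not the wording of any real family.
SAMPLE_NOTE = """ALL YOUR FILES HAVE BEEN ENCRYPTED!
Your personal ID: 7F3A9C1E2B4D6A80
To recover your data contact us at restore-data@example.com
or open http://abcdefghijklmnopqrstuvwxyz234567abcdefghijklmnopqrstuvwx.onion/pay in Tor Browser.
Payment in Bitcoin to 1ExampLeAddr3ssForTestXyz9QwerTyUv
Do not rename encrypted files or use third-party software, you will damage them."""

# The same note as a second victim would receive it: different ID and mailbox.
SECOND_VICTIM_NOTE = (SAMPLE_NOTE
                      .replace("7F3A9C1E2B4D6A80", "C0FFEE0012345678")
                      .replace("restore-data@example.com", "help-desk@example.org"))

# Illustrative signature table, an assumption for this example (not real intel).
SIGNATURES = {
    "example-family": ["all your files have been encrypted", "do not rename encrypted files"],
    "other-family": ["your network has been penetrated"],
}

if __name__ == "__main__":
    print(extract_iocs(SAMPLE_NOTE))
    print(fingerprint(SAMPLE_NOTE) == fingerprint(SECOND_VICTIM_NOTE))  # same family, same hash
    print(match_phrases(SAMPLE_NOTE, SIGNATURES))
```

The fingerprint is what you compare between hosts and against earlier incidents; the extracted addresses are what you search for and submit to identification services, since they are shared across a campaign even when the note text is not.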

Examine Encryption Method

Examining how files were encrypted is less useful for naming the family than the artifacts above, but it decides one thing that matters: whether recovery without paying is possible. Almost all ransomware uses a hybrid scheme rather than a single algorithm.

Each file (or the whole run) is encrypted with a fast symmetric cipher such as AES, ChaCha20 or Salsa20 under a freshly generated key, and that key is in turn encrypted with the operators' public key (RSA or Curve25519) and stored with the file, typically in an appended footer or a prepended header. The matching private key never leaves the operators, which is what the ransom buys.

Neither half is weak when implemented correctly; AES-256 is not "easier to break" than RSA. Decryptors exist only where a family made a mistake: a key hard-coded in the binary, a symmetric key derived from a predictable source such as the time or a poor random generator, key material left in memory or on disk, or a home-made cipher. That is why the family name matters so much: it tells you whether such a flaw is known.

What you can observe without reverse engineering is the structure of the encrypted files: the entropy of their contents (fully encrypted data sits near 8 bits per byte, while intermittent or partial encryption leaves recognisable headers and low-entropy regions), a fixed size increase from an appended footer, and constant marker bytes shared across encrypted files. These details are documented per family and feed both identification and the decision on whether a decryptor can exist.
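
As an added example covering both the file-level checks from "Examine Encrypted Files" and the structural points above (not code from the original article), the following Python samples the head, middle and tail of each file for entropy, checks whether a known file signature survived, and looks for a constant footer shared across encrypted files. The sample files are constructed in memory from seeded random data, so the run is offline and repeatable; the footer marker is invented for the example.

```python
import math
import random
from collections import Counter

CHUNK = 4096          # bytes sampled from each region of a file
ENCRYPTED_BITS = 7.0  # bits/byte; random or well-encrypted data sits near 8.0

# File signatures that should be gone if the whole file was encrypted.
MAGIC = {
    b"%PDF": "PDF",
    b"PK\x03\x04": "ZIP/OOXML",
    b"\xff\xd8\xff": "JPEG",
    b"\x89PNG": "PNG",
    b"\xd0\xcf\x11\xe0": "OLE2 (legacy Office)",
    b"MZ": "PE executable",
}


def shannon_entropy(data):
    """Bits of entropy per byte (0.0 for empty or constant data, 8.0 maximum)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def identify_magic(data):
    for sig, name in MAGIC.items():
        if data.startswith(sig):
            return name
    return None


def assess(data):
    """Classify one file as encrypted, partially encrypted or plaintext by
    sampling three regions. Intermittent encryption (a speed trick some
    families use) shows up as high-entropy middle and tail behind an intact
    header, which also means such files may be partly recoverable."""
    n = len(data)
    mid = max(0, n // 2 - CHUNK // 2)
    regions = {
        "head": shannon_entropy(data[:CHUNK]),
        "middle": shannon_entropy(data[mid:mid + CHUNK]),
        "tail": shannon_entropy(data[-CHUNK:]),
    }
    high = [r for r, e in regions.items() if e >= ENCRYPTED_BITS]
    magic = identify_magic(data)
    if len(high) == 3 and magic is None:
        verdict = "encrypted"
    elif high:
        verdict = "partially encrypted"
    else:
        verdict = "plaintext"
    return {"size": n, "entropy": regions, "magic": magic, "verdict": verdict}


def common_suffix(blobs):
    """Longest byte string shared at the end of every blob. A constant footer
    marker across encrypted files is a family fingerprint and hints at where
    the per-file key material is stored."""
    shortest = min(len(b) for b in blobs)
    i = 0
    while i < shortest and len({b[-1 - i] for b in blobs}) == 1:
        i += 1
    return blobs[0][len(blobs[0]) - i:] if i else b""


def _random_bytes(seed, n):
    rng = random.Random(seed)  # seeded so the sample is reproducible
    return bytes(rng.randrange(256) for _ in range(n))


# Constructed samples standing in for files collected from a victim host.
FOOTER_MARKER = b"\x00\x00ENCRYPTED_BY_EXAMPLE"          # invented marker
FULLY_ENCRYPTED = _random_bytes(7, 65536) + FOOTER_MARKER
SECOND_ENCRYPTED = _random_bytes(8, 32768) + FOOTER_MARKER
INTERMITTENT = b"%PDF-1.7\n" + b"A" * 4087 + _random_bytes(9, 60000)  # header left intact
PLAINTEXT = b"quarterly figures, unchanged since last review\n" * 1000

if __name__ == "__main__":
    for label, blob in [("full", FULLY_ENCRYPTED), ("intermittent", INTERMITTENT), ("plain", PLAINTEXT)]:
        print(label, assess(blob))
    print("shared footer:", common_suffix([FULLY_ENCRYPTED, SECOND_ENCRYPTED]))
```

On real files, feed `assess` the contents of a handful of encrypted documents and `common_suffix` the same set: a shared footer plus a constant size delta against the unencrypted copies from backup is exactly the kind of structural detail that family write-ups describe.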

Analyze Registry Keys

Looking in the Windows registry can also reveal signs of ransomware. Most strains create registry values for persistence, and some store the victim ID, the public key or the ransom note text there as well.

For example, Cerber set values under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and RunOnce pointing at the copy of itself it dropped under %AppData%, and dropped ransom notes named "# DECRYPT MY FILES #" (as .txt, .html and .vbs) next to the encrypted files; both the value data and the note names are searchable identifiers.

Search for registry anomalies and correlate any identifying strings with known families. The exact clues vary by strain, so focus on the autostart locations (Run, RunOnce, Winlogon, services, scheduled tasks), entries that disable recovery or security features, and values holding victim IDs or keys. Treat a RunOnce value whose name begins with an asterisk as significant: Windows runs such entries even in Safe Mode, which is why some ransomware uses them.
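
The following Python is an added example, not code from the original article: it parses a `.reg` export of the Run and RunOnce keys and scores each autostart entry with the rules above (user-writable launch path, a system binary name outside C:\Windows, an asterisk-prefixed RunOnce value, a value name that refers to a ransom note). The export text is constructed for the example; the directory name Q8kZp3vT0r is invented.

```python
import re

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
EXE_PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.exe)', re.I)
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe", "wininit.exe"}
SYSTEM_DIRS = ("c:\\windows\\",)


def parse_reg(text):
    """Yield (key, value_name, data) triples from a .reg export. String data has
    its .reg escaping (\\\\ and \\") undone; other types are returned raw."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            name, data = m.group(1), m.group(2)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = re.sub(r"\\(.)", r"\1", data[1:-1])
            yield key, name, data


def triage_autoruns(reg_text):
    """Flag autostart entries that look like ransomware persistence. One weak
    signal alone (an AppData path) is normal for many legitimate apps, so an
    entry is reported only on a strong signal or two weak ones."""
    findings = []
    for key, name, data in parse_reg(reg_text):
        if not key.lower().endswith(("\\run", "\\runonce")):
            continue
        reasons, strong = [], False
        m = EXE_PATH_RE.search(data)
        exe = m.group(1) if m else ""
        base = exe.lower().rsplit("\\", 1)[-1]
        if any(d in data.lower() for d in USER_WRITABLE):
            reasons.append("launches from a user-writable directory")
        if base in SYSTEM_NAMES and not exe.lower().startswith(SYSTEM_DIRS):
            reasons.append(f"{base} impersonated outside C:\\Windows")
            strong = True
        if key.lower().endswith("\\runonce") and name.startswith("*"):
            reasons.append("RunOnce value prefixed with * (also runs in Safe Mode)")
            strong = True
        if re.search(r"decrypt|ransom|readme", name, re.I):
            reasons.append("value name references a ransom note")
            strong = True
        if strong or len(reasons) >= 2:
            findings.append({"key": key, "name": name, "data": data, "reasons": reasons})
    return findings


# Constructed export, as `reg export` would write it (real exports are UTF-16).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"svchost"="C:\\Users\\alice\\AppData\\Roaming\\Q8kZp3vT0r\\svchost.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"*DecryptInfo"="C:\\Users\\alice\\AppData\\Roaming\\Q8kZp3vT0r\\svchost.exe -note"

[HKEY_CURRENT_USER\Software\Example]
"Setting"=dword:00000001
"""

if __name__ == "__main__":
    for f in triage_autoruns(SAMPLE_REG):
        print(f["key"].rsplit("\\", 1)[-1], repr(f["name"]), f["reasons"])
```

To produce the input on a live host run `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` (and the same for RunOnce and the HKLM equivalents) and open the files with `encoding="utf-16"`. Note that the legitimate OneDrive entry also lives under AppData and is correctly left alone because that is its only weak signal.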

Examine Running Processes

Identifying active processes associated with ransomware can also help pinpoint the type. Though the ransomware executable often deletes itself after encrypting, the encryption process itself, helper processes it spawned (command shells, vssadmin, bcdedit, wbadmin), and any persistence or network component may still be running.

Look for unfamiliar process names, processes running from user-writable directories such as %AppData% or %Temp%, and legitimate administration tools launched with destructive arguments: deleting volume shadow copies, disabling Windows recovery, or stopping backup and database services so their files can be encrypted. Short-lived processes with heavy disk I/O during the encryption window are another tell. Tying a process to its parent chain and to the file, network and registry anomalies links it to the ransomware rather than to a coincidental oddity.
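
As an added example (not code from the original article), the following Python runs a constructed process snapshot through rules for the pre-encryption commands listed above and prints the parent chain of every hit. The ATT&CK technique IDs in the rule labels are the standard ones for inhibiting system recovery (T1490) and stopping services (T1489); the process list itself, including the Q8kZp3vT0r directory, is invented for the example.

```python
import re

# Commands ransomware runs before encrypting to stop the victim rolling back.
RECOVERY_RULES = [
    (re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I), "T1490 shadow copies deleted (vssadmin)"),
    (re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I), "T1490 shadow storage shrunk (vssadmin)"),
    (re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I), "T1490 shadow copies deleted (wmic)"),
    (re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I), "T1490 backup catalog deleted (wbadmin)"),
    (re.compile(r"bcdedit(\.exe)?.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
     "T1490 recovery disabled (bcdedit)"),
    (re.compile(r"\b(net\s+stop|sc\s+stop|taskkill\b.*/im)\b", re.I), "T1489 service or process stopped"),
]
USER_WRITABLE = re.compile(r"\\(appdata|temp|programdata|users\\public|downloads)\\", re.I)
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}


def lineage(pid, by_pid):
    """'child(pid) <- parent(pid) <- ...' up to the root; loops are cut short."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        p = by_pid[pid]
        chain.append(f"{p['name']}({p['pid']})")
        pid = p["ppid"]
    return " <- ".join(chain)


def triage_processes(procs):
    """procs: list of {pid, ppid, name, cmd}. Returns the suspicious ones with the
    rules they hit and their ancestry, so a vssadmin call can be traced back to
    the binary (and the document) that started it."""
    by_pid = {p["pid"]: p for p in procs}
    findings = []
    for p in procs:
        hits = [label for rx, label in RECOVERY_RULES if rx.search(p["cmd"])]
        if p["name"].lower() in SYSTEM_NAMES and USER_WRITABLE.search(p["cmd"]):
            hits.append("masquerading: system binary name launched from a user-writable path")
        if hits:
            findings.append({"pid": p["pid"], "name": p["name"], "hits": hits,
                             "lineage": lineage(p["pid"], by_pid)})
    return findings


# Constructed snapshot with the fields Get-CimInstance Win32_Process provides.
PROCS = [
    {"pid": 4, "ppid": 0, "name": "System", "cmd": ""},
    {"pid": 612, "ppid": 4, "name": "explorer.exe", "cmd": "C:\\Windows\\explorer.exe"},
    {"pid": 3320, "ppid": 612, "name": "WINWORD.EXE",
     "cmd": '"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" /n "C:\\Users\\alice\\Downloads\\invoice.docm"'},
    {"pid": 4100, "ppid": 3320, "name": "svchost.exe",
     "cmd": "C:\\Users\\alice\\AppData\\Roaming\\Q8kZp3vT0r\\svchost.exe"},
    {"pid": 4188, "ppid": 4100, "name": "cmd.exe",
     "cmd": "cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete"},
    {"pid": 4190, "ppid": 4188, "name": "vssadmin.exe", "cmd": "vssadmin delete shadows /all /quiet"},
    {"pid": 4200, "ppid": 4100, "name": "bcdedit.exe", "cmd": "bcdedit /set {default} recoveryenabled No"},
    {"pid": 5010, "ppid": 612, "name": "Teams.exe",
     "cmd": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe"},
]

if __name__ == "__main__":
    for f in triage_processes(PROCS):
        print(f["pid"], f["name"], f["hits"])
        print("   ", f["lineage"])
```

On a live host, `Get-CimInstance Win32_Process | Select-Object ProcessId, ParentProcessId, Name, CommandLine` supplies exactly these four fields. The lineage is the part worth reading: here the shadow-copy deletion traces back through a fake svchost.exe in AppData to a Word process, which is a phishing-document infection chain rather than a coincidental administrator command.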

Analyze Network Traffic

Since most ransomware contacts a command-and-control server at some point (to register the victim, fetch or upload key material, or exfiltrate data), analyzing network traffic for indicators can also shed light on the strain. Common signs include connections to unfamiliar IPs around the time of encryption, unusual user agents or domain lookups (including algorithmically generated domains), Tor traffic, and large outbound transfers before encryption where data was stolen for double extortion.

For example, early Locky had to fetch a per-victim RSA public key from its command-and-control servers before it would encrypt anything, so traffic to those servers, and to the domains produced by its domain generation algorithm, identified infections before the ransom note appeared. Look for odd connections that align with the timing of encryption or other ransomware activity.

Use Indicators of Compromise

Leveraging existing indicators of compromise (IOCs) published by security researchers or vendors can quickly identify known strains. IOCs include IP addresses, domains, URLs, file hashes, registry keys, mutex names and other attributes tied to confirmed ransomware samples. Published indicators are usually "defanged" (hxxp://, example[.]com) so that they cannot be clicked by accident, and must be normalized before matching.

Checking IOCs against system artifacts and network traffic may reveal matches that tell you which ransomware is present. Regularly updated IOC feeds are available from malware researchers and through threat intelligence platforms.
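
The following Python is an added example, not code from the original article, and it also covers the network checks from the previous section: it loads a small defanged indicator feed, refangs it, hashes collected files against the hash indicators, and scans log lines for domain and IP matches, including subdomains of an indicated domain. The feed, the file contents and the log lines are all constructed (203.0.113.0/24 and the .test TLD are reserved for documentation; the sample file content is the three bytes "abc", whose SHA-256 is the hash in the feed).

```python
import hashlib
import re

DEFANG = [("[.]", "."), ("(.)", "."), ("{.}", "."), ("[:]", ":"), ("[@]", "@")]


def refang(value):
    """Turn a defanged indicator as published in reports back into a usable one."""
    v = re.sub(r"hxxp", "http", value.strip(), flags=re.I)
    for bad, good in DEFANG:
        v = v.replace(bad, good)
    return v.lower()


def load_iocs(text):
    """Parse 'type,value' lines (with # comments) into {type: set(values)}."""
    iocs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "," not in line:
            continue
        kind, value = line.split(",", 1)
        iocs.setdefault(kind.strip().lower(), set()).add(refang(value))
    return iocs


def host_of(url_or_host):
    m = re.match(r"^(?:[a-z][a-z0-9+.-]*://)?([^/:?#]+)", url_or_host, re.I)
    return m.group(1).lower() if m else url_or_host.lower()


def domain_matches(host, domain_iocs):
    """Exact or subdomain match: cdn.c2.test matches IOC c2.test, but
    evil-c2.test does not (a plain substring test would wrongly match it)."""
    host = host.lower().rstrip(".")
    return sorted(d for d in domain_iocs if host == d or host.endswith("." + d))


def match_files(files, iocs):
    """files: {path: bytes}. Returns paths whose SHA-256 is a known-bad hash."""
    hashes = iocs.get("sha256", set())
    return sorted(path for path, data in files.items()
                  if hashlib.sha256(data).hexdigest() in hashes)


LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kind>dns|conn)\s+(?P<src>\S+)\s+(?P<rest>.*)$")


def match_network(log_lines, iocs):
    """Scan log lines of the constructed form 'ts dns src query=<host>' or
    'ts conn src -> ip:port' for domain, URL-host and IPv4 indicators."""
    domains = iocs.get("domain", set()) | {host_of(u) for u in iocs.get("url", set())}
    ips = iocs.get("ipv4", set())
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, src, rest = m.group("ts"), m.group("src"), m.group("rest")
        if m.group("kind") == "dns":
            q = rest.split("query=", 1)[1].strip()
            for d in domain_matches(q, domains):
                hits.append((ts, src, f"dns {q} matches domain {d}"))
        else:
            dst = rest.split("->", 1)[1].strip().rsplit(":", 1)[0]
            if dst in ips:
                hits.append((ts, src, f"conn to {dst} matches ipv4 IOC"))
    return hits


# Constructed feed in the defanged form reports use.
IOC_FEED = """# type,value
domain,c2-example[.]test
ipv4,203[.]0[.]113[.]7
url,hxxp://payload-example[.]test/gate.php
sha256,ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
"""
# Constructed file contents: b"abc" stands in for the dropped binary.
SAMPLE_FILES = {
    "C:\\Users\\alice\\AppData\\Roaming\\Q8kZp3vT0r\\svchost.exe": b"abc",
    "C:\\Windows\\notepad.exe": b"not the sample",
}
# Constructed log lines in the simple format LOG_RE expects.
LOG_LINES = [
    "2024-05-01T10:02:11Z dns  10.0.0.5 query=cdn.c2-example.test",
    "2024-05-01T10:02:12Z conn 10.0.0.5 -> 203.0.113.7:443",
    "2024-05-01T10:02:13Z dns  10.0.0.5 query=www.example.com",
    "2024-05-01T10:02:14Z dns  10.0.0.6 query=payload-example.test",
    "2024-05-01T10:02:15Z conn 10.0.0.6 -> 203.0.113.8:443",
]

if __name__ == "__main__":
    iocs = load_iocs(IOC_FEED)
    print(match_files(SAMPLE_FILES, iocs))
    for hit in match_network(LOG_LINES, iocs):
        print(*hit)
```

Adapt `LOG_RE` to whatever your DNS and connection logs actually look like; the matching rules and the refanging are the parts that carry over unchanged.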

Analyze Ransomware Mutexes

Many ransomware variants create a named mutex so that only a single instance of the malware runs on an infected system (and some skip hosts where it already exists, which is what "vaccine" tools exploit). Process Explorer and the Sysinternals handle utility list these as objects of type Mutant; comparing their names against published indicators can identify the strain.

Some examples include "Global\F087A56D-5A22-401C-A4E0-9B2C848C7F45" used by Cerber and "Global\CryptoLocker", which was used by early CryptoLocker versions. Note that the same name appears as \BaseNamedObjects\… or \Sessions\<n>\BaseNamedObjects\… in handle listings, so strip that prefix before comparing. Checking currently held mutexes against ransomware IOCs can reveal matches.
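
As an added example (not code from the original article), the following Python parses the output of `handle -a` for Mutant objects, normalizes the object paths so that Global\, Local\ and \Sessions\<n>\BaseNamedObjects\ forms compare equal, matches them against a list of known names, and, on Windows only, can probe a name directly through OpenMutexW. The handle output and the indicator list are constructed for the example and are not real family mutexes.

```python
import ctypes
import re
import sys

SYNCHRONIZE = 0x00100000
ERROR_ACCESS_DENIED = 5

# handle.exe prints a header per process and one line per handle; mutexes are type Mutant.
PROC_HEADER_RE = re.compile(r"^(?P<image>\S+)\s+pid:\s*(?P<pid>\d+)", re.I)
HANDLE_LINE_RE = re.compile(r"^\s*[0-9A-F]+:\s+Mutant\s+(?P<path>\\\S.*)$", re.I)


def canonical(name):
    """Reduce 'Global\\X', 'Local\\X', '\\BaseNamedObjects\\X' and
    '\\Sessions\\1\\BaseNamedObjects\\X' to the bare name 'x'. Mutex names are
    case-sensitive on Windows; folding case here is deliberate, to catch
    indicators that were transcribed with different casing."""
    n = name.strip()
    n = re.sub(r"^(?:\\Sessions\\\d+)?\\BaseNamedObjects\\", "", n, flags=re.I)
    n = re.sub(r"^(?:Global|Local|Session\\\d+)\\", "", n, flags=re.I)
    return n.lower()


def parse_handle_output(text):
    """Yield (pid, image, mutant_path) for every Mutant handle in `handle -a` output."""
    pid, image = None, None
    for line in text.splitlines():
        m = PROC_HEADER_RE.match(line)
        if m:
            pid, image = int(m.group("pid")), m.group("image")
            continue
        m = HANDLE_LINE_RE.match(line)
        if m and pid is not None:
            yield pid, image, m.group("path")


def match_mutexes(observed, iocs):
    """observed: iterable of (pid, image, path); iocs: known mutex names.
    Returns {ioc_name: [(pid, image, path), ...]} for the names seen on the host."""
    wanted = {canonical(i): i for i in iocs}
    hits = {}
    for pid, image, path in observed:
        key = canonical(path)
        if key in wanted:
            hits.setdefault(wanted[key], []).append((pid, image, path))
    return hits


def mutex_exists(name):
    """Windows only: probe one name with OpenMutexW. ACCESS_DENIED still means
    the object exists (it was created by another user's process), so it is
    reported as present rather than swallowed."""
    if sys.platform != "win32":
        raise OSError("mutex probing needs the Win32 API")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenMutexW.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_wchar_p]
    k32.OpenMutexW.restype = ctypes.c_void_p
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    h = k32.OpenMutexW(SYNCHRONIZE, 0, name)
    if h:
        k32.CloseHandle(h)
        return True
    return ctypes.get_last_error() == ERROR_ACCESS_DENIED


# Constructed `handle -a` output; the Q8kZp3vT0r names are invented.
SAMPLE_HANDLE_OUTPUT = """\
------------------------------------------------------------------------------
explorer.exe pid: 612 DESKTOP\\alice
    4: Key           HKLM
   48: Mutant        \\Sessions\\1\\BaseNamedObjects\\ExplorerIsShellMutex
------------------------------------------------------------------------------
svchost.exe pid: 4100 DESKTOP\\alice
   1C: Mutant        \\BaseNamedObjects\\Q8kZp3vT0r_run
   20: Mutant        \\Sessions\\1\\BaseNamedObjects\\Q8kZp3vT0r_enc
   24: File          C:\\Users\\alice\\Documents\\report.docx.locked
"""
# Illustrative indicator list, an assumption for this example (not real family mutexes).
KNOWN_MUTEXES = ["Global\\Q8kZp3vT0r_run", "Local\\Q8kZp3vT0r_enc", "Global\\SomeOtherFamily"]

if __name__ == "__main__":
    for ioc, owners in match_mutexes(parse_handle_output(SAMPLE_HANDLE_OUTPUT), KNOWN_MUTEXES).items():
        print(ioc, "held by", owners)
```

Collect the input on the host with `handle -a -nobanner > handles.txt` (run elevated so handles of every process are visible). The direct probe is the quicker check when you already have a short list of candidate names and no handle dump.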

Compare Against Known Strains

Once you've gathered threat intel from the encrypted files, ransom notes, registry, processes, network connections, and other indicators, compare it against known ransomware attributes to identify likely matches. Ransomware tracker sites and vendor write-ups outline identifying characteristics, TTPs, file naming patterns, and other behaviors that can be correlated.

For example, if every encrypted file has the same random five- to ten-character alphanumeric extension appended to its original name, the ransom note is named [that extension]-readme.txt and points to a Tor payment portal, and the registry and process anomalies fit the published write-ups, you can reasonably conclude you are dealing with REvil (Sodinokibi).

Bring in Outside Expertise

If you are still unable to determine the ransomware strain through internal investigation, consider engaging outside incident response expertise. Specialized IR firms and consultants have seen a wide range of ransomware and can draw on large threat intelligence repositories to identify the strain.

They can also use reverse engineering and malware analysis to pull apart samples and understand their workings, which aids identification. If facing an especially sophisticated or stealthy strain, outside expertise may be required.

How Accurate Identification Can Help

Having quick and accurate identification of the ransomware strain allows you to:

  • Understand its methods of propagation so you can contain the spread.
  • Obtain specific decryption tools if available.
  • Check for known implementation flaws or leaked keys that make decryption possible.
  • Learn the typical size of ransom demands.
  • Find other victims for collaboration or shared intelligence.
  • Determine the level of sophistication to expect.

Precise identification guides response and remediation, helps prevent the ransomware from spreading, determines if decryption is possible, and provides direction on recovery efforts.

Conclusion

Identifying ransomware strains takes the combined use of host and network indicators. File artifacts, the system registry, running processes, network connections, mutexes, and other attributes can pinpoint the malware and guide response, and mapping the observed behaviors to MITRE ATT&CK techniques makes them easier to compare with published family profiles.

Leveraging existing threat intelligence on ransomware also accelerates identification when you can match indicators against known strains. If you are unsure of the ransomware type, bring in outside IR expertise to provide quick and confident attribution.

Accurate identification allows you to contain the incident, check for decryptors, find other victims to collaborate with, and determine the most effective path to recovery. Knowing the specific ransomware strain provides direction for the response and improves outcomes.