Detonating ransomware on your computer (don’t try this at home)



This article was written by Topher Tebow, a senior cybersecurity researcher at Acronis whose focus is malware monitoring and analysis.

Headline-making ransomware attacks feel like a daily routine, bringing a new level of danger and turmoil to the already complex business of data protection. One of these threats is Conti, which is often used to target healthcare facilities and retailers.

How Conti works tells us a lot about modern ransomware attacks, so I recently detonated the Conti ransomware in a controlled environment to show the importance of proper cyber protection.

Prepare for an attack

This attack used three virtual machines to simulate different scenarios. The first machine was a clean, unprotected install of Windows, used to demonstrate what the ransomware does. The other two machines had either ransomware protection to remediate the attack or URL filtering to prevent the installation of malicious payloads.

Process Monitor and Process Explorer from the Sysinternals Suite tracked activity during the attack. Of course, there are normal processes, but there are also processes generated by the ransomware, as well as registry modifications.

As an attack vector, I created a malicious fake email based on a tax invoice to mimic a common phishing lure. The email was based on an actual email, so it looked legitimate. After a quick update to my email settings, the company name also showed as the sender. I used the official logo and colors but replaced the invoice details with a download link, creating an email that someone who might expect such a message would interact with instead of just looking at it.

For this link, I used a trusted file-sharing service to host an “invoice” with an embedded Visual Basic script that automatically downloads and runs the ransomware.

Attackers often hide content up to this point, because victims typically need to enable active content before this script will run. In this case, I intended to be ransomed myself, so I configured Word to run the content automatically. This is a simple configuration change, and it should not be overlooked as a potential vulnerability in corporate networks.


My attack begins with a prepared email sent to the “victim”. The victim clicks a link in the email to download a document from a trusted file-sharing service. The Visual Basic script runs as soon as the document opens, downloading the ransomware and running it automatically.

After a few seconds, the ransomware file appears as a child process of WINWORD.EXE in Process Explorer. The Windows registry activity shows the ransomware’s requests beginning with CurrentControlSet entries, after which it moves on to the restart settings. This shows that Conti is looking for a way to gain persistence on the system.
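The parent/child relationship and registry activity described above can be turned into a simple correlation rule. The following is an added example, not code from the original article: the event records, image names, PIDs and registry keys are constructed, and the Run key in the watch list is an assumed, well-known autostart location that the article does not name.

```python
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Registry paths worth correlating. CurrentControlSet is named in the article;
# the Run key is an assumption (a common autostart location).
WATCHED_KEYS = ("\\currentcontrolset\\", "\\currentversion\\run")

# Constructed events (not a real capture); names, PIDs and keys are made up.
EVENTS = [
    {"type": "proc", "pid": 3100, "ppid": 900, "image": "WINWORD.EXE"},
    {"type": "proc", "pid": 3188, "ppid": 3100, "image": "invoice_payload.exe"},
    {"type": "proc", "pid": 3301, "ppid": 3188, "image": "cmd.exe"},
    {"type": "proc", "pid": 3400, "ppid": 900, "image": "notepad.exe"},
    {"type": "reg", "pid": 3100, "key": r"HKCU\Software\Microsoft\Office\16.0\Word\Options"},
    {"type": "reg", "pid": 3188, "key": r"HKLM\SYSTEM\CurrentControlSet\Control\ExampleKey"},
    {"type": "reg", "pid": 3188, "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"type": "reg", "pid": 3188, "key": r"HKCU\Software\ExampleVendor\Settings"},
]


def descendants_of_office(events):
    """Return {pid: image} for processes with an Office app in their ancestry."""
    procs = {e["pid"]: e for e in events if e["type"] == "proc"}
    flagged = {}
    for pid, proc in procs.items():
        seen, cur = set(), procs.get(proc["ppid"])
        while cur and cur["pid"] not in seen:   # walk up; guard against loops
            seen.add(cur["pid"])
            if cur["image"].lower() in OFFICE_PARENTS:
                flagged[pid] = proc["image"]
                break
            cur = procs.get(cur["ppid"])
    return flagged


def correlate(events):
    """Pair each Office descendant with its accesses to watched registry paths."""
    findings = []
    for pid, image in sorted(descendants_of_office(events).items()):
        hits = [e["key"] for e in events
                if e["type"] == "reg" and e["pid"] == pid
                and any(w in e["key"].lower() for w in WATCHED_KEYS)]
        findings.append({"pid": pid, "image": image, "registry_hits": hits})
    return findings
```

Word's own registry reads are ignored because only descendants of the Office process are correlated, which keeps normal document activity out of the findings.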

When the ransomware encrypts files, it slows down the machine. If the user does not notice anything abnormal, Conti will continue to encrypt new files added to the machine.

From spam to encryption

Poor system performance can be the first sign of a problem, but there are several other indicators. One is a changed file extension, with “.ZSSCI” appended to the filename (although different ransomware uses different extensions). The file icon is replaced with a blank page icon because the file type is no longer recognized. For Conti and most other modern ransomware, a readme.txt file is placed in every directory where files are encrypted.

The readme.txt file is a ransom note that notifies the victim of the attack and provides payment instructions. Gone are the days of flashy ransom notes that replace wallpapers and open web pages with horrible messages and lots of bad GIF images. Here you can see that a .onion address, which requires the Tor browser, is given for contacting the attacker, along with a clear-web HTTPS alternative.

The attackers also threaten to expose the stolen data if they are ignored, in the spirit of the double-extortion method adopted by the majority of recent ransomware gangs.
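The file-system indicators listed above lend themselves to a quick triage scan. This is an added example, not code from the original article: it flags directories that contain a readme.txt alongside several files carrying an unfamiliar extension stacked on a known one. The known-extension baseline, the threshold and the sample directory tree are assumptions made for illustration.

```python
import os
import tempfile
from collections import Counter

KNOWN_EXTS = {".docx", ".xlsx", ".pdf", ".txt", ".jpg", ".png", ".csv"}  # assumed baseline
NOTE_NAME = "readme.txt"   # note file name reported in the article
MIN_RENAMED = 3            # assumed threshold to cut noise


def appended_extension(name):
    """Return a trailing unknown extension stacked on a known one, else None."""
    stem, last = os.path.splitext(name)
    prev = os.path.splitext(stem)[1]
    if last and last.lower() not in KNOWN_EXTS and prev.lower() in KNOWN_EXTS:
        return last.lower()
    return None


def scan(root):
    """List (directory, appended extension, file count) for suspicious directories."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if not any(f.lower() == NOTE_NAME for f in files):
            continue
        exts = Counter(e for e in map(appended_extension, files) if e)
        for ext, count in exts.items():
            if count >= MIN_RENAMED:
                findings.append((os.path.relpath(dirpath, root), ext, count))
    return sorted(findings)


def demo():
    """Build a constructed directory tree of empty files and scan it."""
    layout = {
        "finance": ["q1.xlsx.ZSSCI", "q2.xlsx.ZSSCI", "invoice.pdf.ZSSCI", "readme.txt"],
        "docs": ["readme.txt", "manual.pdf", "notes.docx"],        # note name only
        "backups": ["site.tar.gz", "db.sql.bak", "old.docx.bak"],  # no note file
    }
    with tempfile.TemporaryDirectory() as root:
        for folder, names in layout.items():
            os.makedirs(os.path.join(root, folder))
            for name in names:
                open(os.path.join(root, folder, name), "w").close()
        return scan(root)
```

Requiring both signals together keeps ordinary readme.txt files and legitimate double extensions such as backups from raising a finding on their own.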

Conti ransom memo

Necessity is the mother of invention

At this point, there are several ways to get your data back. You can pay the ransom and hope the decryption key works, restore from a clean backup if you have one, or find a time machine. Instead of funding criminals, shutting down during recovery, or inventing time travel, there are viable ways to avoid becoming a victim.

One approach cannot solve all problems, so a multi-layered solution is the most effective way to protect your data against this type of attack.

Organizations have stepped up their phishing training in recent years, which is a great first step. Unfortunately, even the best-trained individuals can be fooled by well-designed attacks. Therefore, it is essential to implement tools to prevent attacks. Let’s see what happens when the protection is applied.

With ransomware protection in place, the attack started out looking a lot like the attack on the unprotected system. Conti still ran, accessing the registry and starting to encrypt files. But then Conti suddenly quit and the Word document opened safely.

The difference this time is that file entropy is monitored, and after only eight files had been encrypted the software stopped the processes started by Conti. The ransomware protection software automatically restores the encrypted files from cached copies generated when the encryption begins, avoiding the hassle and downtime associated with restoring from backup.
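The entropy-and-rollback behaviour described above can be modelled in a few lines. This is an added example, not code from the original article and not the protection product's implementation: the 7.5 bits-per-byte threshold, the in-memory file store and the PID are assumptions, while the limit of eight files mirrors the run described in the text.

```python
import math
import os
from collections import Counter, defaultdict

ENTROPY_THRESHOLD = 7.5   # bits per byte; assumed cut-off for "looks encrypted"
MAX_SUSPECT_WRITES = 8    # the article's run was stopped after eight files


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


class EntropyGuard:
    """Tracks file rewrites per process and rolls back when a limit is hit."""

    def __init__(self):
        self.files = {}                 # path -> current content
        self.cache = defaultdict(dict)  # pid -> {path: content before rewrite}
        self.blocked = set()            # pids that have been stopped

    def write(self, pid: int, path: str, new: bytes) -> bool:
        """Apply a write; return False if the process is (or becomes) blocked."""
        if pid in self.blocked:
            return False
        old = self.files.get(path, b"")
        jump = (shannon_entropy(new) >= ENTROPY_THRESHOLD
                and shannon_entropy(old) < ENTROPY_THRESHOLD)
        if jump:
            self.cache[pid].setdefault(path, old)  # keep the pre-encryption copy
        self.files[path] = new
        if len(self.cache[pid]) >= MAX_SUSPECT_WRITES:
            self.blocked.add(pid)
            self.files.update(self.cache.pop(pid))  # restore cached originals
            return False
        return True


def simulate(file_count: int = 20):
    """Constructed scenario: pid 4242 overwrites text files with random bytes."""
    guard = EntropyGuard()
    for i in range(file_count):
        guard.files[f"doc{i}.txt"] = b"quarterly invoice totals\n" * 200
    accepted = sum(guard.write(4242, f"doc{i}.txt", os.urandom(5000))
                   for i in range(file_count))
    intact = sum(shannon_entropy(v) < ENTROPY_THRESHOLD for v in guard.files.values())
    return accepted, intact, guard.blocked
```

Compressed archives and media files are also high-entropy, so an entropy jump on its own produces false positives; counting jumps per process, as here, is one way to reduce them.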

Acronis Cyber Protect to detect malware

Of course, stopping the attack before the payload is installed is always the recommended option. Advanced email security solutions can prevent malicious emails from reaching the end user, while proper URL filtering blocks access to known malicious URLs from which the payload is downloaded.

No matter how complex your organization’s data protection is, simulating an attack shows that not all hope is lost. Through education, planning, and diligence, you can fend off these attacks by recognizing the signs of potential attacks and implementing layered solutions that automate detection and response.

Start building your own layered protection plan with Acronis Cyber Protect, which uniquely integrates backup, disaster recovery, cybersecurity, and endpoint management.

Topher Tebow is a senior cybersecurity researcher at Acronis, with a focus on malware tracking and analysis. Topher spent nearly a decade fighting web malware before moving on to endpoint protection. He creates technical content for multiple companies, from security trends and best practices to malware and vulnerability analysis.

Topher has been published in trade magazines such as Cyber Defense Magazine and Security Boulevard, and has contributed articles to several major publications.

