The Methods Behind the Ransomware Madness and How to Prevent an Attack

The majority of ransomware attacks today are infecting users’ machines using two main methods.

In this post, I will describe these two methods, as well as provide actionable tips on how to reduce the risk of these types of ransomware infecting your end users.

Distribution Method 1: Ransomware as an Attachment

Cybercriminals are using social engineering to trick users into opening attachments that are embedded into seemingly convincing and legitimate-looking emails.

In some cases, the attachment is the ransomware itself (i.e., running it will run the ransomware code), but since ransomware is just an executable, security solutions have a good chance of catching the ransomware and preventing it from running.

For this reason, many types of ransomware use other kinds of attachments, not pure executables, to trick users into opening them.

The common attachment type, until recently, was Microsoft documents. Specifically, cybercriminals were utilizing Microsoft macro capabilities to download the ransomware executable and run it on the victim’s machine.

This poses two challenges for them:

  1. First, they need to convince the user to open the document.
  2. Second, since Microsoft by default requires the user to approve running a macro, the user has to be tricked to allow Microsoft to run the macro.

Both are accomplished by different tactics, and one example is described here. However, even without reading the blog, the screenshot below provides a simple example:


Once the user enables macros, the macro will download the ransomware code and execute it in the background, effectively encrypting the victim’s files.

Warding off Ransomware as an Attachment

Tip 1: Protect against ransomware that uses Microsoft macros to download by disabling macros on end users’ machines. This will disallow users from running the macro and, as a result, the ransomware cannot be unleashed. LANDESK Security Suite provides an automated method for disabling macros on all endpoints, all of which can be done remotely from a central console.
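As an added example of Tip 1 (not LANDESK code, and not from the original post), the following PowerShell applies the native Office policy that disables macros for the current user and then reports the effective setting. It assumes Office 2016/2019/365, whose policy keys live under the "16.0" version key.

```powershell
# Added example: enforce "disable all macros without notification" for Word,
# Excel and PowerPoint through the Office policy registry keys.
# Assumption: Office 2016/2019/365 ("16.0"); change $OfficeVersion for other releases.
$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'

foreach ($app in $Apps) {
    $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    # VBAWarnings: 1 = enable all, 2 = disable with notification (the default the
    # post refers to), 3 = disable except digitally signed, 4 = disable all silently.
    New-ItemProperty -Path $key -Name 'VBAWarnings' -Value 4 -PropertyType DWord -Force | Out-Null

    # Also block macros in files that carry the Mark-of-the-Web (downloaded or
    # saved from e-mail), which covers the attachment scenario in the post.
    New-ItemProperty -Path $key -Name 'BlockContentExecutionFromInternet' -Value 1 -PropertyType DWord -Force | Out-Null
}

# Verification: one row per application showing whether macros are fully disabled.
function Get-MacroPolicy {
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $v = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).VBAWarnings
        [pscustomobject]@{ Application = $app; VBAWarnings = $v; MacrosDisabled = ($v -eq 4) }
    }
}

Get-MacroPolicy | Format-Table -AutoSize
```

Because these are HKCU policy keys, rolling them out fleet-wide is a job for Group Policy or an endpoint-management tool; the script shows the values such a deployment sets.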

As tricking users to run macros can be a bit challenging, cybercriminals have shifted their attention to a different kind of attachment: JavaScript-based ones.

In most cases, the attachment will actually be a ZIP file which contains the malicious JavaScript code. Users are tricked into opening (unzipping) the ZIP file and executing the JavaScript (.js) file inside it.

By default, Windows runs a .js file opened from Explorer using the Windows script engine (wscript). Note that such a file is not executed inside a web browser and its sandbox, but directly on the host. The JavaScript code will download the ransomware code and execute it.

Tip 2: Protect against ransomware that uses JavaScript by preventing Windows from running JavaScript files at all, so users cannot launch the malicious code. This can also be done using LANDESK Security Suite, which allows you to define rules that prevent wscript (or any other scripting engine) from executing .JS (JavaScript) files.
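As an added example of Tip 2 using built-in Windows controls rather than LANDESK rules (this code is not from the original post), the following PowerShell disables Windows Script Host and, as defence in depth, re-points the .js/.jse double-click handler at Notepad so an attachment is displayed instead of run. It assumes an elevated session.

```powershell
# Added example: two complementary controls against .js attachments.
# Assumption: run from an elevated (administrator) PowerShell session.

# 1. Disable Windows Script Host machine-wide. wscript.exe and cscript.exe then
#    refuse to run any .js/.jse/.vbs/.vbe/.wsf file and show a "disabled" message.
$wshKey = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
if (-not (Test-Path $wshKey)) { New-Item -Path $wshKey -Force | Out-Null }
New-ItemProperty -Path $wshKey -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null

# 2. Defence in depth: make a double-click on a .js/.jse file open it in Notepad.
#    This only changes the shell association; control 1 covers other launch paths.
$notepadCmd = "`"$env:SystemRoot\System32\notepad.exe`" `"%1`""
foreach ($progId in 'JSFile', 'JSEFile') {
    $cmdKey = "Registry::HKEY_CLASSES_ROOT\$progId\Shell\Open\Command"
    if (Test-Path $cmdKey) {
        Set-ItemProperty -Path $cmdKey -Name '(default)' -Value $notepadCmd
    }
}

# Verification helper: both fields should be $true once the controls are in place.
function Test-ScriptHardening {
    $wsh = (Get-ItemProperty -Path $wshKey -ErrorAction SilentlyContinue).Enabled
    $handler = (Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\JSFile\Shell\Open\Command' `
                -ErrorAction SilentlyContinue).'(default)'
    [pscustomobject]@{
        WshDisabled      = ($wsh -eq 0)
        JsOpensInNotepad = ($handler -like '*notepad.exe*')
    }
}

Test-ScriptHardening
```

Before deploying, confirm that no legitimate logon or administration scripts on the endpoints depend on Windows Script Host, since control 1 blocks those as well.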

Distribution Method 2: Compromised Websites

Like many other types of malware, ransomware is all about leveraging vulnerabilities. The vulnerabilities exploited are mainly in internet-facing applications such as web browsers, Adobe Flash and PDF Reader, Java, and others, and exploiting them is what lets the attacker infect the victim’s machine.

Using spam emails and other web techniques, the cybercriminals are doing a good job of convincing users to visit “their” websites. These websites are designed to detect the software used by the victim and apply the exploit best suited to it. Once the exploit succeeds, the ransomware is downloaded and executed on the victim’s machine.

Warding off Ransomware on a Compromised Website

Tip 3: Protect against ransomware that is spread via compromised websites by ensuring that your users’ software is up-to-date. This is especially important for internet-facing applications like web browsers, Adobe, Java and in many cases Microsoft Office.

Compromised websites are most likely to exploit known vulnerabilities in software: finding zero-day vulnerabilities is expensive, and most users do not update their software, so there is a good chance that users are still running software with known vulnerabilities that are easy to leverage.

Ensuring users are running the latest version of their software dramatically reduces the chance of a compromised website being able to infect an end user machine and successfully run ransomware on it.

LANDESK Patch Manager allows security administrators to easily and cost-effectively scan for missing software patches (software updates) and install the latest software version remotely on each of the end users’ machines. LANDESK Patch Manager also supports scanning and patching for most third-party applications, including all web browsers, Java, Adobe Flash, PDF readers and Microsoft Office.
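As an added example supporting Tip 3 (this is not LANDESK Patch Manager code and is not from the original post), the following PowerShell inventories the internet-facing applications the post names, reading installed versions from the Windows Uninstall registry keys so an administrator can compare them against current vendor releases. The watch list of display-name patterns is an assumption and can be extended.

```powershell
# Added example: inventory the internet-facing applications the post calls out.
# Reads the standard Uninstall keys (64-bit, 32-bit/WOW6432Node and per-user).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Assumed DisplayName patterns for the software categories named in the post:
# browsers, Java, Adobe Flash, PDF readers and Microsoft Office.
$watchList = 'Google Chrome', 'Mozilla Firefox', 'Java', 'Adobe Flash',
             'Adobe Acrobat', 'Adobe Reader', 'Microsoft Office'

function Get-InternetFacingApps {
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Where-Object {
            # Capture the name first: $_ is rebound inside the nested Where-Object.
            $name = $_.DisplayName
            ($watchList | Where-Object { $name -like "*$_*" }).Count -gt 0
        } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate -Unique |
        Sort-Object DisplayName
}

# Output: one row per matching installed product with its version, the data a
# patch-management tool compares against the latest available release.
Get-InternetFacingApps | Format-Table -AutoSize
```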

In addition, smart distribution and bandwidth management capabilities ensure that large and distributed deployments are possible.

Don’t catch ransomware on your system! Check out our free white paper below for more information on how YOU can avoid getting infected.