Ransomware Attack — An increasing Menace for today’s internet

4 min read · Mar 14, 2025

Introduction

Ransomware is one of the most widespread and destructive cyber-attacks at present. It encrypts a victim’s files and requests payment of a ransom in cryptocurrency to unlock them. Whereas older ransomware attacks entailed basic file encryption, contemporary forms use more complex methods, including double extortion, worm-like propagation, and evasion techniques, and are thus more sophisticated and harder to protect against.

1. Ransomware Attack Vectors

Attackers use a variety of methods to deliver ransomware, including:

  • Phishing Emails:
    Social engineering tricks victims into opening a malicious link or attachment.
    Common formats: .docx, .pdf, .zip, or .js files carrying macros or payload droppers.
    Example: Emotet malware spreading Ryuk ransomware through phishing.
  • Exploit Kits:
    Automated frameworks (e.g., RIG, Magnitude, Fallout) that exploit browser or software vulnerabilities.
    Drive-by downloads occur when a user visits a compromised website.
  • Remote Desktop Protocol (RDP) Attacks:
    Attackers brute-force or exploit weak credentials to gain access.
    Use of nltest, quser, and qwinsta to enumerate active users.
    Deployment through PsExec or wmic for lateral movement.
  • Malvertising (Malicious Advertising):
    Malicious scripts injected into online advertisements trigger exploit kits.
    Redirects to attacker-controlled sites that host malware.
  • Supply Chain Attacks:
    Compromised software updates (e.g., the Kaseya VSA attack distributing REvil ransomware).
    Ransomware embedded in legitimate installers or plugins.

2. How Ransomware Works (Technical Breakdown)

Step 1: Initial Infection & Execution

Once the payload reaches the target, the ransomware is executed through malicious scripts, executables, or PowerShell commands. Attackers may use:

  • PowerShell-based execution:
  • LOLBins (Living-off-the-land Binaries) like mshta.exe, rundll32.exe, or wmic.exe to execute malicious code.
    Example: rundll32.exe malware.dll,EntryPoint
  • Process Injection Techniques like DLL Injection, APC Injection, or Process Hollowing.
    Example

Step 2: Privilege Escalation & Lateral Movement

  • Token theft, such as extracting admin credentials with Mimikatz.
  • Pass-the-Hash: exploiting stored NTLM hashes for authentication.
  • Scheduled Tasks & Services:
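
The execution and lateral-movement tradecraft listed in Steps 1 and 2 (and the RDP vector in section 1) leaves a process-creation trail that a defender can score. The following is an added example, not code from the original post; it assumes a constructed event layout of (host, parent image, image, command line), roughly what Sysmon Event ID 1 records, and flags the patterns named above: Office spawning a script host, LOLBins loading files from user-writable paths, encoded PowerShell, nltest/quser/qwinsta discovery, and the PsExec service.

```python
"""Added example (not from the post): flag LOLBin, discovery and lateral-movement
patterns in process-creation telemetry such as Sysmon Event ID 1. Event layout
and sample values are constructed for the demo."""
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}
LOLBINS = {"rundll32.exe", "mshta.exe", "regsvr32.exe", "wmic.exe"}
DISCOVERY = {"nltest.exe", "quser.exe", "qwinsta.exe", "net.exe"}
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp|AppData)\\", re.I)
ENCODED_PS = re.compile(r"(^|\s)-(e|enc|encodedcommand)(\s|$)", re.I)

def classify(parent, image, cmdline):
    """Return the names of every rule an event matches (image names lower-cased)."""
    hits = []
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")        # macro in a phishing doc
    if image in LOLBINS and USER_WRITABLE.search(cmdline):
        hits.append("lolbin_loads_user_writable_file")  # rundll32 x.dll,EntryPoint
    if image == "powershell.exe" and ENCODED_PS.search(cmdline):
        hits.append("encoded_powershell")
    if image in DISCOVERY:
        hits.append("host_discovery")                   # nltest / quser / qwinsta
    if "psexesvc" in image or "psexesvc" in cmdline.lower():
        hits.append("psexec_service")                   # PsExec lateral movement
    return hits

def triage(events):
    """Aggregate hits per host; two or more distinct rules on one host escalates."""
    per_host = {}
    for host, parent, image, cmdline in events:
        for rule in classify(parent.lower(), image.lower(), cmdline):
            per_host.setdefault(host, set()).add(rule)
    return {h: ("escalate" if len(r) >= 2 else "review") for h, r in per_host.items()}

# Constructed sample events: (host, parent image, image, command line)
SAMPLE_EVENTS = [
    ("ws01", "winword.exe", "powershell.exe", "powershell -nop -w hidden -enc QUJDREVG"),
    ("ws01", "explorer.exe", "rundll32.exe", r"rundll32.exe C:\Users\Public\malware.dll,EntryPoint"),
    ("ws01", "cmd.exe", "nltest.exe", "nltest /dclist:corp"),
    ("ws01", "cmd.exe", "quser.exe", "quser"),
    ("fs02", "services.exe", "PSEXESVC.exe", r"C:\Windows\PSEXESVC.exe"),
    ("ws03", "svchost.exe", "rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL"),
    ("ws03", "explorer.exe", "notepad.exe", r"notepad.exe C:\Users\alice\notes.txt"),
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_EVENTS).items():
        print(host, verdict)
```

The benign rundll32 call on ws03 (a system DLL, no user-writable path) produces no hit, which is the point of keying the LOLBin rule on the loaded file's location rather than on the binary name alone.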

Step 3: Encryption Mechanism

Most modern ransomware variants use robust encryption algorithms:

  • AES-256: Used for file encryption.
  • RSA-2048/4096: Encrypts the AES key, so decryption without the attacker's private key is practically impossible.
  • ChaCha20 & Salsa20: Fast stream ciphers used by some strains.

Step 4: Data Exfiltration & Extortion

Ransomware actors steal sensitive data before encrypting the files. Exfiltration tools such as RClone, MEGAsync, and Cobalt Strike beacons are commonly used. For compression and staging, tools such as 7z.exe or tar (producing .tar.gz archives) package the stolen data for easier transport. Finally, the attackers use Dark Web leak sites to publicly shame any victim who refuses to pay.

Step 5: Ransom Note & Payment

Once encryption is complete, attackers drop ransom notes as HTML/TXT files (such as decrypt_instruction.html and READ_ME.txt) or modify registry entries (HKCU\Software\RansomNote) to make sure the victims see their demand. The ransom is usually demanded in cryptocurrencies like Bitcoin or Monero for the sake of anonymity.

3. Real-world Examples of Ransomware

  1. Ryuk — Distributed by the TrickBot and Emotet botnets; uses Wake-on-LAN during propagation and targets primarily enterprise environments.
  2. Conti — Uses multiple encryption threads for speed, brute-forces RDP, and relies on double extortion to monetize attacks.
  3. LockBit — Spreads in a worm-like fashion by harvesting credentials for lateral movement and operates as Ransomware-as-a-Service (RaaS).

4. Detection & Prevention Strategies

1. Methods of Proactive Detection

  • File System Monitoring: Detect bursts of file modifications and alert on them.
  • Honeypots: Deploy decoy files (.decoy) to detect unauthorized access and study attack mechanisms.
  • Behavioral Analysis: Analyze anomalous PowerShell executions, DLL injections, and similar activity.
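
The three detection methods above, together with the ransom-note drop described in Step 5, can be combined into a single scoring detector so that no one signal has to carry the alert on its own. The following is an added example, not code from the original post; the event layout (timestamp, pid, path, bytes written) and all sample data are constructed, and the thresholds are illustrative.

```python
"""Added example (not from the post): a file-event detector combining mass-modification
rate, decoy tampering, ransom-note drops and high-entropy rewrites. Event layout and
sample data are constructed; a real deployment would feed it from inotify, ETW or Sysmon."""
import math
from collections import defaultdict

DECOY_SUFFIX = ".decoy"
RANSOM_NOTES = {"decrypt_instruction.html", "read_me.txt"}
RATE_THRESHOLD = 50       # writes by one process inside one 10-second bucket
ENTROPY_THRESHOLD = 7.5   # bits/byte: text sits near 4-5, ciphertext near 8

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte of the first 4 KiB written to a file."""
    sample = data[:4096]
    if not sample:
        return 0.0
    n = len(sample)
    return -sum(sample.count(b) / n * math.log2(sample.count(b) / n) for b in set(sample))

def evaluate(events):
    """events: (timestamp_s, pid, path, bytes_written). Returns {pid: set(signals)}."""
    signals, buckets = defaultdict(set), defaultdict(int)
    for ts, pid, path, data in events:
        name = path.rsplit("/", 1)[-1].lower()
        if name.endswith(DECOY_SUFFIX):
            signals[pid].add("decoy_tampered")        # honeypot file touched
        if name in RANSOM_NOTES:
            signals[pid].add("ransom_note_dropped")
        buckets[(pid, ts // 10)] += 1
        if buckets[(pid, ts // 10)] >= RATE_THRESHOLD:
            signals[pid].add("mass_modification")     # burst of writes
        if shannon_entropy(data) > ENTROPY_THRESHOLD:
            signals[pid].add("high_entropy_write")    # content looks encrypted
    return dict(signals)

def verdict(events):
    """Two or more independent signals from one process => contain it; one => watch."""
    return {pid: ("contain" if len(s) >= 2 else "watch") for pid, s in evaluate(events).items()}

# Constructed sample data: plain text versus a stand-in for ciphertext
TEXT = b"Quarterly report: revenue up 4 percent.\n" * 100
CIPHER_LIKE = bytes(range(256)) * 16                  # entropy exactly 8.0 bits/byte
SAMPLE_EVENTS = (
    [(100 + i // 20, 4242, f"/srv/share/doc{i}.txt", CIPHER_LIKE) for i in range(60)]
    + [(103, 4242, "/srv/share/~invoice.decoy", CIPHER_LIKE), (104, 4242, "/srv/share/READ_ME.txt", b"pay")]
    + [(100 + i, 777, f"/srv/share/report{i}.txt", TEXT) for i in range(5)]
    + [(110, 900, "/srv/share/archive.zip", CIPHER_LIKE)]
)
if __name__ == "__main__":
    for pid, action in verdict(SAMPLE_EVENTS).items():
        print(pid, action, sorted(evaluate(SAMPLE_EVENTS)[pid]))
```

Process 900 shows why the entropy check is not used alone: a single compressed archive write is high-entropy but only earns a "watch", while process 4242 trips four independent signals and is marked for containment.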

2. Mitigation Tactics

Conclusion

Ransomware is becoming smarter, with newer mechanisms for encryption, persistence, and exfiltration. A strong cybersecurity posture built on active monitoring, user awareness, and incident response is needed to stave off a ransomware assault. Organizations should stay one step ahead by deploying a multi-layered defense to protect their cyber assets against this ever-rising threat.

Written by: Bikram Sadhukhan

The Hackers Meetup