Ransomware Defense Using the Wazuh Open Source Platform

By News Room. Published 4 November 2025. Last updated: 2025/11/04 at 7:09 AM.

Ransomware is malicious software designed to block access to a computer system or encrypt data until a ransom is paid. This cyberattack is one of the most prevalent and damaging threats in the digital landscape, affecting individuals, businesses, and critical infrastructure worldwide.

A ransomware attack typically begins when the malware infiltrates a system through various vectors such as phishing emails, malicious downloads, or exploiting software vulnerabilities. Once activated, the malware encrypts files using strong cryptographic algorithms, rendering them inaccessible to the legitimate owner. The attackers then demand payment, usually in cryptocurrency like Bitcoin, in exchange for the decryption key.

Modern ransomware variants have evolved beyond simple file encryption. Some employ double extortion tactics, where attackers encrypt data, exfiltrate sensitive information, and threaten to publish it publicly if the ransom is not paid. This puts pressure on victims, particularly organizations handling confidential customer data or proprietary business information.

Ransomware development and propagation

Understanding ransomware creation and distribution is essential for developing effective defense strategies. The ransomware lifecycle involves sophisticated development processes and diverse propagation methods that exploit technical vulnerabilities and human behavior.

Ransomware development

Ransomware is typically developed by cybercriminal organizations or individual threat actors with programming expertise. The creation process involves:

  • Malware coding: Developers write malicious code using various programming languages, incorporating encryption algorithms and command-and-control communication protocols.
  • Ransomware-as-a-Service (RaaS): Some criminal groups operate subscription-based models that provide ransomware tools to affiliates in exchange for a percentage of ransom payments.
  • Customization and testing: Attackers test their malware against security solutions to ensure it can evade detection.

Propagation methods

Ransomware spreads through multiple attack vectors:

  • Phishing emails: Malicious attachments or links that appear legitimate trick users into downloading ransomware.
  • Exploit kits: Automated tools that scan for and exploit known vulnerabilities in applications and operating systems.
  • Remote Desktop Protocol (RDP) attacks: Attackers gain unauthorized access through weak or compromised RDP credentials.
  • Malicious websites and downloads: Downloads from compromised or malicious websites install ransomware with or without the user’s knowledge.
  • Supply chain attacks: Compromised trusted software or service providers can distribute ransomware to customers.
  • Removable media: Infected USB drives and external storage devices can spread ransomware when connected to computer systems.

Effects of a ransomware attack

The impact of ransomware extends far beyond the immediate encryption of files. Organizations and individuals affected by ransomware experience multiple consequences that can have long-lasting repercussions on operations, finances, and reputation.

Financial consequences

Ransomware attacks inflict financial damage beyond file encryption. Victims may face ransom demands ranging from hundreds to millions of dollars, with no guarantee of data recovery even after payment. Additional expenses arise from incident response, forensic investigations, system restoration, and security enhancements, while regulatory non-compliance can lead to substantial legal fines and penalties for data breaches.

Operational consequences

Ransomware attacks cause significant operational disruption by crippling access to vital resources. Critical business data, customer information, and intellectual property may be lost or compromised, while essential services become unavailable, impacting customers, partners, and internal workflows. The resulting operational downtime often surpasses the ransom cost, as businesses can experience weeks or months of halted operations.

Reputational damage

Ransomware incidents often lead to lasting reputational damage as data breaches erode customer trust and confidence in an organization’s ability to safeguard sensitive information. Public disclosure of such attacks can weaken market position, strain business relationships, and create a competitive disadvantage.

Preventing ransomware attacks

Preventing ransomware attacks requires a multi-layered defense strategy that combines technical controls, organizational policies, and user awareness. Understanding and implementing these protective measures reduces the risk of successful ransomware infections.

Technical defenses

  • Security Information and Event Management (SIEM) and Extended Detection and Response (XDR): Implement continuous monitoring to detect and respond to suspicious activities and anomalous behavior.
  • File integrity monitoring: Track changes to files, folders, and system configurations. This helps you identify malware behavior within your environment.
  • Network traffic analysis: Monitor for unusual data exfiltration patterns or command-and-control communications.
  • Regular backups: To ensure recovery without ransom, maintain frequent, automated backups of critical data stored offline or in immutable storage.
  • Patch management: Keep operating systems, applications, and firmware up to date to remediate known vulnerabilities that ransomware exploits.
  • Network segmentation: Isolate critical systems and limit lateral movement opportunities for attackers.
  • Email filtering: Implement robust email security solutions to block phishing attempts and malicious attachments.
  • Access controls: Enforce the principle of least privilege and implement strong authentication mechanisms, including multi-factor authentication.
  • Application whitelisting: Allow only approved applications to execute in your environment, preventing unauthorized malware from running.

Organizational practices

  • Security awareness training: Educate employees about phishing tactics, social engineering, and safe computing practices.
  • Incident response planning: Develop and regularly test comprehensive incident response procedures for ransomware scenarios.
  • Security audits: Conduct regular vulnerability assessments and penetration testing to identify security weaknesses.
  • Vendor risk management: Assess and monitor the security posture of third-party service providers.

What Wazuh offers for ransomware protection

Wazuh is a free and open source security platform that provides comprehensive capabilities for detecting, preventing, and responding to ransomware threats. It is a unified XDR (Extended Detection and Response) and SIEM (Security Information and Event Management) platform. Wazuh helps organizations build resilience against ransomware attacks through its out-of-the-box capabilities and integration with other security platforms.

Threat detection and prevention

Wazuh employs multiple detection mechanisms to identify ransomware activities. These include:

  • Malware detection: Wazuh integrates with threat intelligence feeds and utilizes signature-based and anomaly-based detection methods to identify known ransomware variants.
  • Vulnerability detection: This Wazuh capability scans systems for known vulnerabilities that ransomware commonly exploits, enabling proactive patching and reducing the likelihood of successful compromise.
  • Log data analysis: This Wazuh capability analyzes security events collected from user endpoints, servers, cloud workloads, and network devices to detect ransomware indicators.
  • Security Configuration Assessment (SCA): The Wazuh SCA capability evaluates system configurations against security best practices and compliance frameworks.
  • File integrity monitoring (FIM): This Wazuh capability monitors critical files and directories, detecting unauthorized modifications that may indicate ransomware encryption activity.
  • Regulatory compliance monitoring: This Wazuh capability helps organizations maintain security standards and regulatory compliance requirements that deter ransomware attacks.

Incident response capabilities

  • Active response: The Wazuh Active Response capability automatically executes predefined actions when threats are detected, such as isolating infected systems, blocking malicious processes, or quarantining files.
  • Integration with external solutions: Wazuh integrates with other security tools and platforms to improve organizations’ security posture.

Use cases

The following sections show some use cases of Wazuh detection and response to ransomware.

Detecting and responding to DOGE Big Balls ransomware with Wazuh

The DOGE Big Balls ransomware, a modified version of the FOG ransomware, combines technical exploits with psychological manipulation targeting enterprise environments. This malware variant delivers its payload through phishing campaigns or unpatched vulnerabilities. It then performs privilege escalation, reconnaissance, file encryption, and note creation on the victim’s endpoint.

Detection

Wazuh detects the DOGE Big Balls ransomware using custom detection rules and a constant database (CDB) list that holds the reconnaissance commands the malware runs.

  • CDB list (etc/lists/doge-big-balls-ransomware) containing the DOGE Big Balls reconnaissance commands. The double spaces inside the entries are part of the keys and must be kept exactly as shown:

net  config Workstation:
systeminfo:
hostname:
net  users:
ipconfig  /all:
route  print:
arp  -A:
netstat  -ano:
netsh firewall show state:
netsh firewall show config:
schtasks  /query /fo LIST /v:
tasklist  /SVC:
net  start:
DRIVERQUERY:

  • Wazuh rules that use the list to detect the reconnaissance, the log file it writes, and the ransom notes:

<group name="doge_big_ball,ransomware,">

  <rule id="100020" level="10">
    <if_sid>61613</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)[C-Z]:.*\\.*.exe</field>
    <field name="win.eventdata.targetFilename" type="pcre2">(?i)[C-Z]:.*.\\DbgLog.sys</field>
    <description>A log file $(win.eventdata.targetFilename) was created to log the output of the reconnaissance activities of the DOGE Big Balls ransomware. Suspicious activity detected.</description>
    <mitre>
      <id>T1486</id>
    </mitre>
  </rule>

  <rule id="100021" level="8" timeframe="300" frequency="2">
    <if_sid>61603</if_sid>
    <list field="win.eventdata.commandLine" lookup="match_key">etc/lists/doge-big-balls-ransomware</list>
    <description>The command $(win.eventdata.commandLine) is executed for reconnaissance activities. Suspicious activity detected.</description>
    <options>no_full_log</options>
  </rule>

  <!-- Ransom note file creation -->
  <rule id="100022" level="15" timeframe="300" frequency="2">
    <if_sid>61613</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)[C-Z]:.*\\.*.exe</field>
    <field name="win.eventdata.targetFilename" type="pcre2">(?i)[C-Z]:.*.\\readme.txt</field>
    <description>DOGE Big Balls ransom note $(win.eventdata.targetFilename) has been created in multiple directories. Possible DOGE Big Balls ransomware detected.</description>
    <mitre>
      <id>T1486</id>
    </mitre>
  </rule>

  <rule id="100023" level="15" timeframe="300" frequency="2" ignore="100">
    <if_matched_sid>100020</if_matched_sid>
    <if_sid>100021</if_sid>
    <description>Possible DOGE Big Balls ransomware detected.</description>
    <mitre>
      <id>T1486</id>
    </mitre>
  </rule>

</group>

These rules flag the execution of known reconnaissance commands and detect when multiple ransom notes appear across directories. These are DOGE Big Balls ransomware IOCs that indicate file encryption and other ransomware activities.
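To show how the rules and the CDB list behave together, here is an added example (not part of the page and not Wazuh's own code) that replays constructed Sysmon-style events through a small Python model of the frequency, timeframe and if_matched_sid logic. The RuleEngine class, the substring approximation of match_key, and the sample events are assumptions; the regexes and list keys are the page's own.

```python
import re
from collections import defaultdict

# Constructed copy of the page's CDB list keys (etc/lists/doge-big-balls-ransomware);
# the double spaces are part of the keys and must be reproduced exactly.
CDB_KEYS = [
    "net  config Workstation", "systeminfo", "hostname", "net  users",
    "ipconfig  /all", "route  print", "arp  -A", "netstat  -ano",
    "netsh firewall show state", "netsh firewall show config",
    "schtasks  /query /fo LIST /v", "tasklist  /SVC", "net  start", "DRIVERQUERY",
]
# The PCRE2 patterns from the page's rules; Python's re accepts them unchanged.
RE_IMAGE = re.compile(r"(?i)[C-Z]:.*\\.*.exe")
RE_DBGLOG = re.compile(r"(?i)[C-Z]:.*.\\DbgLog.sys")
RE_NOTE = re.compile(r"(?i)[C-Z]:.*.\\readme.txt")

def cdb_match_key(value):
    # Approximates lookup="match_key": a hit if any list key occurs inside the field value.
    return any(key in value for key in CDB_KEYS)

class RuleEngine:
    """Simplified stand-in for the Wazuh analysis engine (an assumption, not its code):
    threshold rules count matches in a sliding window; if_matched_sid needs a prior alert."""

    def __init__(self, timeframe=300):
        self.timeframe = timeframe
        self.matches = defaultdict(list)  # rule id -> timestamps of raw matches
        self.alerts = defaultdict(list)   # rule id -> timestamps at which it alerted

    def _count(self, rule_id, ts):
        recent = [t for t in self.matches[rule_id] if ts - t <= self.timeframe] + [ts]
        self.matches[rule_id] = recent
        return len(recent)

    def process(self, ev):
        # ev carries decoded Sysmon fields; sid 61613 = file create, 61603 = process create.
        ts, fired = ev["ts"], []
        if ev["sid"] == 61613 and RE_IMAGE.search(ev.get("image", "")):
            target = ev.get("targetFilename", "")
            if RE_DBGLOG.search(target):
                fired.append(100020)                      # single-event rule
            if RE_NOTE.search(target) and self._count(100022, ts) >= 2:
                fired.append(100022)                      # frequency="2" timeframe="300"
        if ev["sid"] == 61603 and cdb_match_key(ev.get("commandLine", "")):
            if self._count(100021, ts) >= 2:
                fired.append(100021)
                if any(ts - t <= self.timeframe for t in self.alerts[100020]):
                    fired.append(100023)                  # if_matched_sid 100020
        for rule_id in fired:
            self.alerts[rule_id].append(ts)
        return fired

# Constructed events replaying the page's chain: log file, recon commands, ransom notes.
IMG = r"C:\Users\bob\Downloads\update.exe"
SAMPLE_EVENTS = [
    {"ts": 0, "sid": 61613, "image": IMG, "targetFilename": r"C:\ProgramData\DbgLog.sys"},
    {"ts": 10, "sid": 61603, "commandLine": "cmd.exe /c net  users"},
    {"ts": 20, "sid": 61603, "commandLine": "cmd.exe /c systeminfo"},
    {"ts": 30, "sid": 61613, "image": IMG, "targetFilename": r"C:\Users\bob\Documents\readme.txt"},
    {"ts": 31, "sid": 61613, "image": IMG, "targetFilename": r"C:\Users\bob\Pictures\readme.txt"},
]

def replay(events):
    engine = RuleEngine()
    return [(ev["ts"], engine.process(ev)) for ev in events]
```

Note that a single-spaced "net users" does not match the list as written, which is the kind of gap to check when tuning the CDB entries against real process-creation telemetry.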

Automated response

Wazuh enables ransomware detection and removal using its File Integrity Monitoring (FIM) capability and integration with YARA. In this use case, Wazuh monitors the Downloads directory in real-time. When a new or modified file appears, it triggers the active response capability to execute a YARA scan. If a file matches known YARA ransomware signatures like DOGE Big Balls, the custom active response script deletes it automatically and logs the action. Custom decoders and rules on the Wazuh server parse those logs to generate alerts showing whether the file was detected and successfully removed.
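The following is an added example of the active response script described above (not the page's or Wazuh's own script): it reads the FIM alert the agent passes on stdin, runs a YARA scan of the reported path, deletes the file only on a signature hit, and writes a one-line record for a server-side decoder. The YARA paths, the log-line format, and the sample alert are assumptions; the same scan-then-delete pattern also underlies the VirusTotal use case later on the page.

```python
import json
import os
import subprocess
import sys

# Assumed paths (not from the page); adjust to the deployment.
YARA_EXE = r"C:\Program Files\yara\yara64.exe"
YARA_RULES = r"C:\Program Files\yara\rules\ransomware.yar"
LOG_FILE = r"C:\Program Files (x86)\ossec-agent\active-response\active-responses.log"

def parse_alert(stdin_text):
    """Return the FIM path from the JSON message the Wazuh agent pipes to an active
    response on stdin, or None if it is not an 'add' command carrying a syscheck path."""
    msg = json.loads(stdin_text)
    if msg.get("command") != "add":
        return None
    alert = msg.get("parameters", {}).get("alert", {})
    return alert.get("syscheck", {}).get("path")

def matched_rules(yara_stdout):
    """yara prints one 'RULE_NAME path' line per match; collect the rule names."""
    return [line.split(" ", 1)[0] for line in yara_stdout.splitlines() if line.strip()]

def log_line(path, rules, removed):
    """One-line record for a server-side custom decoder (format assumed, not the page's)."""
    if not rules:
        return f"wazuh-yara: INFO - Scan result: clean - {path}"
    action = "removed" if removed else "remove_failed"
    return f"wazuh-yara: INFO - Scan result: {','.join(rules)} - {path} - action: {action}"

def handle(stdin_text, scan, remove):
    """scan(path) -> yara stdout, remove(path) -> bool; injected so the decision
    logic can run without a yara binary or a real file."""
    path = parse_alert(stdin_text)
    if path is None:
        return None
    rules = matched_rules(scan(path))
    removed = remove(path) if rules else False   # delete only on a signature hit
    return log_line(path, rules, removed)

def yara_scan(path):
    out = subprocess.run([YARA_EXE, YARA_RULES, path], capture_output=True, text=True)
    return out.stdout

def safe_remove(path):
    try:
        os.remove(path)
        return True
    except OSError:
        return False

# Constructed example of the agent's stdin message for a FIM "added" event
# (rule 554 is Wazuh's built-in "File added to the system" syscheck rule).
SAMPLE_ALERT = json.dumps({
    "version": 1, "origin": {"name": "node01", "module": "wazuh-analysisd"},
    "command": "add",
    "parameters": {"extra_args": [], "alert": {"rule": {"id": "554"},
                   "syscheck": {"path": r"C:\Users\bob\Downloads\invoice.exe", "event": "added"}}},
})

if __name__ == "__main__":
    line = handle(sys.stdin.read(), yara_scan, safe_remove)
    if line:
        with open(LOG_FILE, "a") as fh:
            fh.write(line + "\n")
```

On Windows endpoints the agent launches active responses as executables, so a script like this is wrapped in a .cmd or compiled, then registered with a command and active-response block on the manager that is bound to the FIM rule for the monitored directory.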

Detecting Gunra ransomware with Wazuh

The Gunra ransomware is typically used by private cybercriminals to extort money from its victims. It uses a double-extortion model: it encrypts files and exfiltrates data for publication should the victim fail to pay the ransom. Gunra spreads across Windows systems, encrypting files, appending the .ENCRT extension, and leaving ransom notes named R3ADM3.txt. It deletes shadow copies, disables backup and antivirus services to block recovery, and uses the Tor network to hide its operators. These actions make data restoration difficult and help the attackers maintain anonymity during ransom negotiations.

Detection

The following Wazuh rules alert when ransom notes named R3ADM3.txt appear, system components like VSS or amsi.dll are tampered with, or suspicious modules such as urlmon.dll are loaded for network activity. The rules also track attempts to delete shadow copies or disable backup and admin functions, indicating behavior typical of ransomware preparing for file encryption.

<group name="gunra,ransomware,">

  <!--Ransom note file creation-->
  <rule frequency="2" id="100601" ignore="100" level="15" timeframe="100">
    <if_sid>61613</if_sid>
    <field name="win.eventdata.Image" type="pcre2">[^"]+.exe</field>
    <field name="win.eventdata.targetFilename" type="pcre2">[^"]*R3ADM3.txt</field>
    <description>Possible Gunra ransomware activity detected: Multiple ransom notes dropped in $(win.eventdata.targetFilename)</description>
    <mitre>
      <id>T1543.003</id>
      <id>T1486</id>
    </mitre>
  </rule>

  <!--Antimalware Scan Interface Access Modification-->
  <rule id="100602" level="7">
    <if_sid>61609</if_sid>
    <field name="win.eventdata.Image" type="pcre2">C:\\Windows\\System32\\VSSVC.exe</field>
    <field name="win.eventdata.ImageLoaded" type="pcre2">C:\\Windows\\System32\\amsi.dll</field>
    <description>Possible ransomware activity detected: Suspicious Volume Shadow copy Service (VSS) loaded amsi.dll for tampering and evasion attempt.</description>
    <mitre>
      <id>T1562</id>
      <id>T1562.001</id>
    </mitre>
  </rule>

  <rule id="100603" level="7">
    <if_sid>61609</if_sid>
    <field name="win.eventdata.Image" type="pcre2">(C:\\Windows\\SystemApps\\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\\CHXSmartScreen.exe)</field>
    <field name="win.eventdata.ImageLoaded" type="pcre2">C:\\Windows\\System32\\urlmon.dll</field>
    <description>Possible ransomware activity detected: Urlmon.dll was loaded, indicating network reconnaissance.</description>
    <mitre>
      <id>T1562.001</id>
    </mitre>
  </rule>

  <!--Volume Shadow copy Service (VSS) deletion-->
  <rule id="100604" level="7">
    <if_sid>60103</if_sid>
    <field name="win.eventdata.targetUserName" type="pcre2">Backup Operators</field>
    <field name="win.eventdata.targetSid" type="pcre2">S-1-5-32-551</field>
    <field name="win.eventdata.callerProcessName" type="pcre2">C:\\Windows\\System32\\VSSVC.exe</field>
    <description>Possible Gunra ransomware activity detected: Volume Shadow copy Service (VSS) deletion attempts, gearing up to disable backups.</description>
    <mitre>
      <id>T1562</id>
      <id>T1562.002</id>
    </mitre>
  </rule>

  <rule id="100605" level="7">
    <if_sid>60103</if_sid>
    <field name="win.eventdata.targetUserName" type="pcre2">Administrators</field>
    <field name="win.eventdata.targetSid" type="pcre2">S-1-5-32-544</field>
    <field name="win.eventdata.callerProcessName" type="pcre2">C:\\Windows\\System32\\VSSVC.exe</field>
    <description>Possible Gunra ransomware activity detected: Volume Shadow copy Service (VSS) shadow deletion attempts, gearing up to disable local admin accounts.</description>
    <mitre>
      <id>T1562</id>
      <id>T1562.002</id>
    </mitre>
  </rule>

</group>

Automated response

Wazuh performs automated responses to Gunra ransomware malicious file activity using its FIM capability and an integration with VirusTotal. In this use case, the Wazuh File Integrity Monitoring (FIM) module monitors the Downloads folder in real time, triggering scans whenever files are added or changed. A custom active response executable then securely deletes any file that VirusTotal flags as a threat.

Ransomware protection on Windows with Wazuh

Wazuh provides ransomware protection and file recovery on monitored Windows endpoints using its command module and the Windows Volume Shadow Copy Service (VSS). This integration allows administrators to automatically take snapshots of monitored endpoints to recover files to a state before they are encrypted by malware.

The following image shows successful Wazuh Active Response file recovery alerts.

Conclusion

Ransomware attacks pose significant financial, operational, and reputational damage. They require multi-layered defenses that combine early detection with incident response. Organizations that invest in these practices are better equipped to withstand and recover from such attacks.

Wazuh provides capabilities that enable early detection and rapid response to contain ransomware attacks. It offers out-of-the-box capabilities for vulnerability detection, file integrity monitoring, log data analysis, and automated responses to prevent ransomware-caused data loss and downtime.

This article is a contributed piece from one of our valued partners.