Ransomware – curse of 2020

Helga Smith

Ransomware - the curse of 2020

Ransomware is one of the most dangerous types of virus. It encrypts your files, then spamming your file system with “readme.txt” files, where the victim can find an instruction about paying the ransom. Anti-malware software developers are doing their best to intercept this hazardous malware, and to decrypt the files if the attack has been tolerated. This persistent competition is very interesting, however, the history of ransomware development is exciting, too. Let me tell you, how did ransomware develop, why is it linked to trojans and why is it so popular nowadays. 

System locker era

First malicious programs that were similar to ransomware appeared in the middle 00s. Windows 7 has just been released, average knowledge about cybersecurity was on the beginners level. People were browsing the Web without any fears and downloading any files to avoid losing it in the depth of the Internet, which was growing day-to-day. But there was a category of users who decided to have a profit on such carelessness.

Mentioned users created the programs which were showing the scary banner covering the screen. On this banner victims saw the reason for its appearance – a note that described the way this malware injected, or some scary lines like “your Windows is locked because you browsed the websites forbidden in your country; pay a fine or all your data will be deleted and your PC will be confiscated by FBI”. The way of paying the ransom was described on the same banner – that was usually a payment to a bank account or mobile phone number top-up1. However, despite its scareness, it can be easily closed by stopping the malware process in the Task Manager, as well as disabled after the reboot.

Winlock virus shows a scary banner


With the time flow, such malware (also called WinLock) was evolving. It got the ability to intercept the key combinations (Ctrl+Alt+Del) and add itself to the Run registry key. It became impossible to open the task manager or interact with the operating system while the banner was displayed. However, tricky users decided to disable the banner by pseudo-shutdown of the computer when you have the programs working in the background: malware was closing together with the system, but before the shutdown, Windows was offering you to stop the shutdown and save the possibly unsaved data in mentioned programs. Your system was turning back, but the WinLock was closed, so you could perform the actions against it. To avoid WinLock running with the system start, you may use safe mode with command prompt (that hint is still actual against malware!).

Final stage before transforming in ransomware

The last (and the hardest in removal) Winlockers got an ability to infect not only the system, but also BIOS/UEFI. Such viruses are launching before Windows, so you have no chance to use tricks described higher. Because of BIOS integration, these Winlockers are very hard to remove : the majority of antimalware solutions are not able to fix BIOS changes, as well as delete the malware that injected itself into it.

How is it distributed?

As it was mentioned, the distribution of such viruses was based on the users’ foolishness. While browsing the Web, you may easily meet abandoned websites/online forums. There is no moderation on these pages, hence, users are free to post any file and any content – no one will check it and delete it in case if there is something forbidden or malicious in the message. Inside of the files (even if it is PDF, .docx, .xlsx or .pptx) was hidden whatever, including mentioned Winlock. Besides dubious websites, described malware could easily be got when using the p2p networks or cracked software distribution sites. Such methods are actual up to this day, however, the common name of malware, as well as its behavior have changed.

Loaris detected KMS Activator - app which is used for cracking the Windows
Loaris detected KMS Activator - the app which is used for cracking Windows

Modern appearance: trojan-ransom/trojan-encryptor a.k.a. ransomware

First case of ransomware in its “classic” form was spotted in 2012. At the beginning of its way ransom trojans were not considered as a significant danger: antivirus software added a new type of virus in their databases relatively fast. However, malware creators were working on the distribution model of their brainchild, and in 2017-2018 we could see a world-wide ransomware attack. WannaCry virus infected tens of thousands of PCs all over the world, using the vulnerability in TCP/IP protocol version used in the majority of infected systems. Corporations got the biggest share of total encryption cases, having millions of dollars of loss. Microsoft, who left this vulnerability in the final release of their operating system, started the distribution of hotfix for this issue. However, companies were quite sceptical about the severity of this virus, so the patch was often installed only after the attack.


The main harm that is caused by ransomware is file encryption. Even the oldest versions of WannaCry, STOP/Djvu, Sodinokibi or any other ransomware family are using AES-256 encryption algorithms. That means that there are 2*10^256 possible keys, so there is literally no possibility to decrypt your files with common methods, like brute force. Modern variants of mentioned families use RSA-1024 or even RSA-2048. Last one is considered as an encryption standard for all popular web browsers, so that’s no need to explain why it is very hard to decrypt the files which are encrypted with this key.

After the encryption is finished, ransomware will inform you in a specific way. It can be a wallpaper changed to the one where you are told about file encryption, as well as tens of files with money ransom note which can be found in different parts of the file system.


Ransom note created by STOP/Djvu ransomware

Important facts about ransomware families

Ransomware from mentioned families has a lot of common signs, however, there are a lot of differences between them. They are described below:

Shows you a browser page which tells you that your files have been encrypted; readme file is named as ******-readme.txt, where ****** is a randomized numbers-and-letters bunch. Ransom amount is not specified in the ransom note. Can change the wallpapers on ones where user is told that his files are encrypted.

Shows you a window of its own program, where the details about decryption/ransom are described. Is able to be injected through vulnerable SMB ports in Windows. Max ransom amount is 600$. Capable of BIOS encryption, so you will see a WannaCry banner instead of Windows launching process, just like with late-version system lockers.

Summons the readme.txt files only in the folders with the encrypted files. Ransom amount is specified in the readme file (1000$). Makes changes in the deep part of Windows registry. Capable of browser controlling: browser will be closed immediately in case if you try to open any website besides specified one in ransom note.

Has a single ransom note that is created on the main screen. The extension is quite specific: the email address which is supposed to be used for getting decryption instructions is contained in the extension. In some cases, a readme file can be absent at all.

Ransomware activity in 2020. Data from ESET quaterly report

How ransomware is distributed?

The circumstances are changed, and so did ransomware. As it was mentioned several times, the most massive ransomware attack was committed through the vulnerability of TCP/IP protocol in Windows. Nowadays, when the majority of systems have the fixing patch installed, ransomware uses other ways of injection. As of fall 2020, all mentioned ransomware families have two main distribution ways : injection through a trojan virus, and injection through false emails.

Trojan viruses are a popular source for all types of malware. These days, such types of malware as stealer, backdoor, worm, adware and browser hijackers are distributed as a pack, and trojan virus acts as a carrier for such a zoo. Such a scheme is very profitable for malware developers, and ransomware is a part of this bundle.

But how are trojans spreading? 

The biggest share of trojans distributions is against questionable and dubious programs with sometimes outlaw functionality (program crackers, Windows activators, et cetera). Such apps may have no functionality, as well as have the declared functions, however, there is still a risk that there is something non-declared inside of the installation file with this app. These programs are usually distributed on the special websites, which are full of such software, or through peer-to-peer networks - eMule, ThePirateBay and so on. There is no ability to check if there is any malicious content inside of the program, so its usage is done at one’s own risk.

False emails hold a leading position as a method of ransomware distribution. One day you may see an ordinary email, telling you, for example, about the unpaid fine for parking or the arrived parcel. Inside of the letter text you will see a call to open the attachment. These attachments are a perfect container for ransomware: after opening this file, your PC will be infected. The other suspicious detail is the email address: it does not look like a real email of the local police department or FedEx delivery service, consisting of randomly chosen numbers and letters (like 7ggalwqp@gmail.com). If you saw such a letter on your email, delete it and add its sender to the blacklist. 

Fake message mimic Zoom notification
Fake message mimic Zoom notification

How can I prevent ransomware injection into my PC?

Mentioned methods of injection can be easily analyzed to figure out the counteraction method. But it is important to assume them and mention several really important ways of avoiding the ransomware. 

Stop using questionable software. Applications which are created for program cracking are carrying the danger not only because of the possible viruses inside. Cracked software usage is an outlaw action, so in case if the executive authorities spot that fact, they may start a lawsuit that will cost you much more than the price of the license for this programme2

Do not open any attachments until you are sure that the sender is legit. Organizations will never create a mailbox named “7ggalwqp@gmail.com”, because it can harm the recognition of this company. To check the list of real emails of any company, open the “Contacts” tab on their website. 

And the most important advice is to use anti-malware programs. Trojans, which can inject not only ransomware, but also a lot of other viruses, are quite easy to remove with specialized programs. Loaris Trojan Remover is one of them. It is capable of fast and effective detecting and removing the hazardous program, saving your system and data of any problems which can be created by viruses.



  1. About Winlockers on Wikipedia
  2. More about cracked software danger


Leave a Reply