Showing results for 
Search instead for 
Did you mean: 

The General Behaviors of Ransomware

AuthorEric Hulse  - Technical Lead - Cisco Research & Efficacy Ream

The General Behavior of Ransomware

A Unified Solution Against Malware Threat

Cisco AMP Threat Grid is a malware analysis and threat intelligence platform, which is available as a Cloud-based service subscription, as well as on-premises appliances for those customers with stringent data privacy requirements. AMP Threat Grid may also be integrated with other Cisco products and third party solutions

AMP Threat Grid performs static and dynamic malware analysis of unknown samples, which is combined with integrated threat intelligence into one unified solution. It provides the timely, in-depth information you need to protect your network from all types of malware threats. Threat Grid combines real-time behavioral analysis with up-to-the-minute threat intelligence feeds and existing security technologies, offering protection from both known and unknown malware attacks.

The power of Threat Grid lies in its analysis of suspicious behavior in your network, which it compares against over 610 behavioral indicators and a malware knowledge base sourced from around the world. As a result, AMP Threat Grid provides more accurate, context-rich analytics into malware than ever before.

Behavioral Indicators Morph Over Time

The initial indicators created for Threat Grid sought to identify strictly the behavioral elements of a submission. Over the years however, these indicators morphed beyond identifying simple behaviors, to include static forensic attributes, and finally to include the positive identification of malicious families and variants. The latter achievement leads directly to an increase in the contextual data provided to customers, and also makes a significant difference when addressing a specific threat.

In an effort to combat the growing threat of ransomware while providing this context-rich analysis, Threat Grid has positively identified over 25 different ransomware families and 15 variants to-date. With the ever-increasing amount of ransomware being seen on a weekly basis however, merely creating indicators or signatures in a purely reactive state is not enough. Threat Grid has therefore created several indicators that generically identify malicious behaviors related to ransomware.

One of the oldest behavioral indicators identifies the deletion of shadow copies. The deletion of shadow copies was first implemented in Cryptowall after a write up identified the fact that recovery could be made without paying the ransom. As a result, many authors moved to include this [behavior] through a variety of means to gain the use of Windows native utilities and Windows scripting host. When the results for this indicator were reviewed for efficacy, we discovered that 100% of the samples exhibiting the behaviors caused by this indicator were malicious. Having reviewed the data we concluded the threat of this behavior warranted an increase in threat score.

“Generic Ransomeware Notes Detected”

Several recent additions have contributed to an increase in detections of ransomware variants in the AMP cloud. These include a behavioral indicator titled “Generic Ransomware Notes Detected,” which detects the presence of ransomware notes identified by common characteristics of the instructions left by ransomware. Another addition is the “Generic Ransomware” indicator based on the modification of files with certain extensions commonly targeted by ransomware.

Overlapping Triggers

By taking any of these indicators in isolation and graphing search results in Maltego using the Threat Grid API Transform Pack from Malformity Labs, we begin to see there is some overlap in triggers. In this case we search for a single indicator: “generic ransomware”.  We pivot on the sample IDs, and then pivot again on the indicators for each sample. The results start to show overlap with each other but not every instance triggers on the same sets.


Figure 1: Visualizing behavioral indicators in Malformity Lab’s Maltego

The overlap allows us to group indicators together and to create indicators we’ve labeled as compound. That is, several actions combined indicate a higher degree of maliciousness. Absent the overlap, the results also allow us to identify new families of ransomware as well as new behaviors from existing variants.


Figure 2: Generic Ransomware Detected behavioral indicator with explanation

“Excessive Suspicious Activity Detected”

Another recent Behavioral Indicator is the “Excessive Suspicious activity Detected. With this Behavioral Indicator, Threat Grid is observing several traits over a set of files. If we observe these behaviors / traits, then there is a high level of confidence the sample is malicious and returns a higher threat score. In this way, Threat Grid is able to identify new ransomware families, and shifts in existing variants.


The Excessive Suspicious Activity indicator was added in early February of 2016, and at the time of this writing we’ve seen a total of 1,127,642 triggers in the field. To highlight the benefit of these generic indicators we turn to an article written by Lawrence Abrams, published on bleeping computer, April 20th [1] highlighting the discovery of TeslaCrypt 4.1b.

After reading the article and searching the Threat Grid Elastic Search instance for key indicators, it was discovered that because of the excessive suspicious activity indicator the first instance of TeslaCrypt 4.1b was observed in the Threat Grid environment on March 30th, 2016. That first instance, as well as subsequent observations of the new TeslaCrypt variant, were all given a malicious rating throughout the AMP portfolio a full 3 weeks prior to the public observation of the new variant. On March 25th,2016 prior to the publication of the article Threat Grid produced an indicator to identify this variant and had labeled it TeslaCrypt 3.2. This signature is currently in production and will be changing soon to reflect the industry label of 4.1b.


JavaScript Ransomware Downloaders

Finally, towards the beginning of April 2016 we started to see ransomware downloaders in the form of JavaScript files. Initially many sandboxes and even endpoint products did not support the analysis of this type of file, after all it’s rather difficult to identify and even Magic picks it up as Text more often than not. To address this delivery mechanism, Threat Grid has added support for JavaScript file submissions. These files will execute in the sandbox environment just as other submission types.

The Locky was one of the first families identified as using this technique. Finding one of the downloaders on Virus Total, we submit it to Threat Grid and once analysis is complete we get a full picture of everything the downloader - and subsequently the downloaded binaries - are doing.

Questions? Sign Up for a Trial Account

Threat Grid is delivered as a cloud-based or on-premises solution. If you would like a personalized Threat Grid demonstration and a trial account, you can go to and click on Sign up for a new account.