Dumb questions about ransomware

Stupid Questions Department:

  1. If ransomware spreads by phishing, then how come antivirus doesn’t pick up the virus?
  2. Encrypting a file requires file access; how come antivirus doesn’t stop it immediately?
  3. Are “victims” just silly people who don’t even try to secure their networks? Or is there something else going on here?

Not looking for any secrets… just wondering why ransomware is even a “thing”?

They chain a lot of vulnerabilities together. Sometimes even starting with a vulnerability that doesnt need user interaction.

First, it tries to escape the sandbox of the browser. Then it tries to escalate itself from a regular user to a superuser/admin.

Then comes lateral access. They will try to probe the local network and infect other susceptible computers.

They will need to wait a while to get a “complete” picture of the network, so as not to miss the NAS, where there are backups and try to find if there are backups of backups (usually in remote servers). After key computers and files have been identified and the malicious actors then determines a time to begin encryption, usually friday or saturday evenings when people are away from the office for a long time.

When you get back on monday after the flag ceremony or morning prayer - when you first turn your computer, you will find a ransom message instructing to pay in bitcoin or monero.

Sometimes the ransomware groups also exfiltrate critical data to threaten to expose to the internet if the ransom is not paid.


Antivirus is signature based. They only pick-up known, widely distributed malware code. With the prospect of earning millions of dollars, ransomware gangs spend the time to make sure their payload is new and undetected. They try out antivirus scanners on their own code before they send it to a target, and make any changes needed if it does get flagged.


It’s not really all that simple. If you got the ransomware from downloading it from an email or pirating gone wrong there was not even an exploit involved.

Furthermore telling the difference based on program behaviour is really hard. Many legit programs encrypt, edit or/and delete files. You would flag them as virus too when you do it aggressively based on behaviour.

1 Like

Not stupid questions at all

Phishing is usually an email (or text etc) that tricks a person into clicking a link / opening another app. The malware is not often in the email anymore Because anti-virus has been catching the malware that used to be in the email.
You are not asking the wrong question, and it was a legit vector, but has been addressed.

then, as regular mentions, a chain of vulnerabilities are used in stead- the email link takes you to a website, that has a hidden exploit to trigger some other malware

The malware itself varies, but might run as the logged in user, or might use exploits to elevate it’s privileged in which case, the elevated privilege might Over-ride any anti-virus.
But, as AV vendors learn viruses, they do look for the apps, and block them regardless of the level.
it’s like a game of whack-a-mole

The victims could be anyone. Simply being aware that phising exists reduces risk, but people are not universally aware.
BUT even those who Are aware can be tricked.
It is an ever changing landscape, and the bad actors have a vested interest in making the phis look as legit, and masking sending addresses / numbers.

More awareness is more better, but anyone can accidentally click a link.
Just gotta spread the word to people you know, Be Aware. Bad guys are getting better and better at their job…


String of escalating exploits: Sure, but both the initial stuff and the thing doing the encryption should be stopped by A/V (as long as the signature is known), right?

Unknown signature: That can only happen once, yes? So if, say, a government attacks another government, sure. But the FBI seem to have a pretty good handle on this ransomware vendor; surely they know the signatures used (and have reported them so that they are now in everyone’s antivirus)?

Phishing victims could be anyone: Oh, I know. I’ve seen some pretty good phishing attempts, and I think I am sort of hyper-vigilant. Plenty of people who would never be aware. But, even if you click a link on a website, that downloads a virus, right? It’s that virus that should be flagged (again, assuming that the signatures are known).

Whack-a-mole: Sure. But we’ve got a small number of ransomware builders against all of the security firms, NSA, FBI, and CyberCom, at least. That is a lot of security horsepower; how come they can’t stay on top?

Some of these ransomware attacks began with a password hack, so there may not have been a click on a website. But even the hacked user must install software in order to penetrate a system, yes? I mean, it’s not like all this could happen with RDP through a firewall… could it? That would be a chilling scenario if it were possible.

Disabled antivirus: That is obviously a problem, so how come it is as easy as an admin clicking a button? Maybe that is OK for a home user, but one would think that an installation with thousands of users/servers would require more than that. There should be logs and warnings, at least. No?

EDIT: Also, in order for ransomware to spoil backups, doesn’t that require malicious software to exist on the system for at least days or weeks? Again, how come antivirus scans (and the backup software itself) doesn’t flag that?

1 Like

Malware devs will test it against available antivirus software, because antivirus software is available and some are available to pirate, even the corporate stuff. They will engineer around that. Remember, ransom payout is at stake.

Yes, but they can vary the signature for each victim and test it at the same time.

Again, you are still thinking of these as the old school virus that exists in floppies and USBs. Some malware can exist solely on RAM and never writes itself out in the disk. Some malware exists on the website only and others even and executes code remotely on the actual malware servers because again, no actual virus/es are ever written on the disk. The recent SolarWinds attack is even more nefarious because the malware passes off itself with official software that is a known good signed and trusted signature.

Its because of the threat assymmetry. All they can really do is catch up since malware devs do the first move always. Three letter agencies also only pretty much works within the US sphere of influence and a lot of the malware devs comes from a US-hostile country that severely hinders cooperation.

Ransomware operations, the bigger ones at least, are not a spray and pray operation. No, it is targetted. I think all of it is targetted in these latter parts of this year. Why bother with joe schmoe and ransom his family pictures and payout only 500 USD (that is a dick move on a personal level) when you can be a professional and get a pipeline or a meat packing plant and get a 11 million USD?

These malware devs are poor people. In order to get salary that is the same as a single ransomware payout, they have to work hundreds of years of legitimate work. You can see the incentives there.

You are still thinking of ransomware as amateur hour script kiddie hobby for people with a lot of time. No longer. It is in a realm that is now more profittable than the antivirus industry combined [citation needed :wink:]. You get the idea.

1 Like

From the moment it’s noticed it takes between a week or two for typical malware to be analyzed and then about a month (is some cases a lot longer) for Microsoft to release a patch for the bug that malware was exploiting, and then some time for everyone to pick up on the update. At some point you end up unlucky.

Most serious malware is polymorphic/self encrypting and in case of botnet malware it’ll often patch itself through some kind of dht as soon as there’s any indication that someone might be onto them.

To avoid it, people started using things like bit9 and other solutions where instead of a denylist of things you can’t execute, you have code signing certs and a list of signatures you trust in an allowlist. This is great, but you’d need a separate solution for most script engines - they usually don’t hook into any code signing/validation system.

1 Like

Good points. OK, so I can see the value of whitelisting, which many companies do informally (by choosing which software most employees can install). To do a thorough job with it would be a colossal task; many legit programs update weekly. Even bit9 itself was hacked a while back.

Still, if that is the only way, then it is possible. If Elon Musk can land a rocket on its tail, then we ought to be able to find a way to register our software. (Who’s gonna pay for it is an open question).

Newbie here: I tried to reply to your post, but the topic does not appear to be threaded? In any case, thank you for your thoughtful reply.

Yes, some things are never-ending contests. Speeders vs police radar, DRM vs cracking, and malware in general vs security; there is no end in sight.

@ everyone: OK, here’s another dumb question: Am I correct in thinking that most exploits exist because of the way that systems (mis)behave when an address goes out of range? Would it be possible for some future hardware and compiler combination to work together to simply raise an error when that happens, rather than crashing out to some privileged root process?

(Is that what people are trying to accomplish with VM farms? A crash simply kills the VM, which may not have privilege to affect other VMs (or the host))?

I’m not even sure if I can ask the question correctly, but I am vaguely imagining a future in which the fundamental cause of all current exploits is simply removed. Is that possible?

1 Like

I’m not sure there is one root for All exploits.

Some rely on errors in code.
Some exploit bad configurations.
Others exploit legacy code that is still around.
Yet more exploits target hardware issues.

People wont intentionally include errors or holes that can be exploited, so I doubt it will be possible to ensure security, but some methods, like sandboxing, do increase security at the expense of speed, convenience, functionality and sometimes compatibility.

or, a more extreme example- it’s hard to hack into a computer not connected to the internet, but the disconnection severely reduces the effectiveness.

I’m not in IT, and some of the others have actual experience detecting, diagnosing and repairing breaches, I’m just an old man yelling at clouds here. But feel free to ask questions, and don’t get disheartened if a question doesn’t gain much traction, keep asking others

1 Like

Huh. Interesting that you gave one of the better replies, then. :slight_smile:

Obviously I’m new here, and I don’t know who knows what (yet). I appreciate everyone who replied.

Yes, they have different beginnings, but as far as I know they all end up with a pointer going out of bounds, with the effect of corrupting a register. Not sure that would be easy to prevent, because it may not be obvious when an address change is legitimate and when it is not.

However, I am thinking that the crashing part might be possible to fix; thoroughly and forever. I guess that’s my question; can it be done?

EDIT: added second quote for easier reading.

1 Like

Sort-of/Kind-of it’s possible to have better checks on the compiler / language level. (e.g. Go and Rust vs. C/C++).
There’s tooling that helps point out bad code through static or dynamic analysis, “sanitizers” and “fuzzers” and sandboxing (VMs, kernel/user space, browser, …). Where you limit the available API surface.
There’s a performance cost and development complexity cost and all these are imperfect. It typically requires considerable skill to setup and use and then there’s places where code interacts with hardware and you end up fuzzing hardware.

Then you have things like western digital my book where the auth check was written, buy was temporarily commented out and that somehow made it though into the release version, and spear phishing where a user installs something thinking it’s their IT. And you have things like hardware bugs like spectre and that let any website read any memory on a system given enough time, VM or no VM.

Here’s a somewhat grim perspective/point that one of my colleagues often makes:

While neither scenario is realistic, it’s a useful tool that changes the engineering paradigm to think in terms of engineering policies and setting up a system of incentives.
I said it’s grim in this case because, from that perspective malware and ransomware are actually an important actor in the overall story of how we get to more safer systems in the end - If they didn’t exist, fewer people would bother with backups and data integrity. It’s like yin and yang - it all rolls into one balanced system.


Can I add (what may be) a dumb question to this thread?

What proportion of the exploits used by ransomware attackers involve Microsoft Windows?

So far almost all of them, but that is because it is a much wider spectrum. More a case of almost all desktops run windows. but even Macs have them

Most of the Unix / Posix / Linux boxes running, are headless machines / appliances etc, and so less easy to catch.

But not because Windows is at fault, more because it is such a more tempting target. Also the defaults for user convenience, allow people to be manipulated, not just code…

I suppose it will be a while before better languages eclipse C++ in popularity, but it would be nice if we could solve the exploit problem at its core. I mean, in a First Principles sort of way.

I am familiar with analysis tools and sandboxing. Fuzzing sounds similar to automated testing tools for microchips. As you said, they can help but are not complete solutions.

Yeah, that was just a bug. A bad one, to be sure. I’m more thinking about exploits, although I suppose that bug prevention matters, as well.

That’s an excellent thought exercise. Maybe machine learning for game development? :thinking:

But, naw… ATM, I am more curious about security. It might be time to learn a new language.


If Windows didn’t automatically run stand-alone executables in e-mails, downloaded from the web, etc., the moment you clicked on them, the world would be a much safer place. You may think you’re opening an image, but actually running untrusted code. That kind of trick wouldn’t on Linux, or any other reasonably designed operating system.

1 Like

Does Windows not “block” apps from running if downloaded from the web?

And if it comes from an email app, Microsoft rely on the user to vet their contacts.

Don’t mistake me for a lover of MS or Windows, but it is the incumbent, and is not without flaws.

But they play to the average user / lowest common denominator

There’s an extra UAC prompt when you click on a downloaded exectuable these days (if you haven’t shut it off for some reason, and some Microsoft Technet articles do direct you to shut it off to resolve some issues), but it’s mostly a non-descript “Do you want to run this?” not the big red “THIS IS NOT AN IMAGE” warning it should be, and not refusing to run executables like it should.

Those UAC prompts show up so often for every little thing that users are desensitized to them, don’t read or think about them and just click the button to get on with their day.

And your contacts are probably running Windows, too, so just as vulnerable to getting malware as you are. The first thing many viruses do is read your contacts list and send copies of themselves to everyone you’ve ever e-mailed.