Versa just launched a new white paper analyzing the top ransomware over the past year.

Ransomware is a class or malware that lures victims, infects and encrypts their files and then demands a ransom to free those files. Versa’s Threat Research Lab analyzed some of the top ransomware over the last year – “Cerber,” “Locky,” “WannaCry,” “Petya,” “Spora,” “Cryptomix,” “Jaff,” “JigSaw,” “NemuCode.” The entire lifecycle of each and their behavior was tested against the threat response capability of the Versa Networks security solutions.

Ransomware Lifecycle

  1. Email drive by download exploit kits
  2. Initial infection of victim
  3. Infected victim talks to attacker-controlled server
  4. Search for common files encrypt and display ransom note
  5. In some cases, move laterally within the network

The most common way to lure victims and infect their files is through Microsoft Office document files with embedded macros. Attackers use emails and social engineering tactics to get the user to open the document and enable the macros. Macros are by default disabled. However, using cleverly worded messages the attacker entices the victim to enable them, which initiates the infection process.

Ransomwares like “WannaCry”, “Spora” etc. have a public RSA key embedded in their code. The private key is typically in the possession of the attacker. The public RSA key and AES keys, generated at runtime, are used to generate the encryption key to encrypt a select list of files.

Email is not the only tool to spread Ransomware.  There is also the “drive-by-download” method when the victim browses to a website that gets redirected to a server hosting exploit kits. Common applications for this exploitation are web browsers, media players, and document renderers. Ransomware like “WannaCry” and “Petya” used lateral movement techniques which made them self-replicate and able to infect more machines on the network.


The FlexVNF inspects both files and traffic at different stages of the ransomware infection. As we stated earlier, the two most popular methods of infection are email and drive-by-download, the Versa FlexVNF is capable of extracting files transferred over several different protocols – HTTP, SMB, and SMTP attachments – even when encoded. Once extracted, they’re forwarded to the Anti-Malware engine for deeper analysis – where it’s inspected for any malicious artifacts – thereby catching the Ransomware before the initial infection starts.

In case of payloads delivered by exploit kits, the IPS engine is updated regularly to detect and prevent different exploits. The IPS content is also enhanced to detect techniques to move laterally within a network – preventing the spread of Ransomware.

During the analysis, ransomware samples were seen communicating with IP address/URL’s embedded in the malicious code. The URL reputation feature in the FlexVNF can prevent an end host from communicating with these machines. The DNS security solution, updated several times a day, can prevent a DNS query to a malicious domain from resolving. This will prevent contact with the malicious domain.

Interested in more information? Download the Versa 2017 Ransomware Report Here.