Network Security Fundamentals Part 8: Malware and Ransomware Response

Introduction: The Evolution of Malware Threats

Malware is a general term for software created with malicious intent, and is one of the most serious threats in modern cybersecurity. Ransomware in particular causes massive damage to businesses and institutions, resulting in billions of dollars in losses worldwide.

Malware has evolved from simple prank-level viruses to nation-state level cyber weapons. Attackers use increasingly sophisticated techniques and strategies to bypass existing security solutions, and security technologies are evolving in response.

In this Part 8, we'll examine malware types and characteristics, infection vectors, the latest endpoint security solutions, and response strategies in detail.

1. Types of Malware

1.1 Virus

A virus is the oldest form of malware that infects normal files or programs by inserting its code.

Characteristics:

• Self-replication: Spreads by copying itself to other files
• Host-dependent: Parasitic on executable files to activate
• User action required: Operates when infected file is executed

Major types:

• File infector virus: Infects executable files (.exe, .com)
• Macro virus: Exploits macro functionality in Office documents
• Boot sector virus: Infects disk boot area
• Polymorphic virus: Transforms code on each replication to evade detection

1.2 Worm

A worm is malware that replicates and spreads itself through networks.

Characteristics:

• Independent propagation: Replicates and spreads on its own without a host file
• Network utilization: Spreads through email, network shares, vulnerabilities, etc.
• Fast propagation speed: Automated spreading causes large-scale infection in short time

Historical cases:

• Morris Worm (1988): First internet worm, infected approximately 6,000 systems
• ILOVEYOU (2000): Email-propagated worm, tens of billions of dollars in damage
• Conficker (2008): Exploited Windows vulnerability, millions infected
• WannaCry (2017): Exploited EternalBlue vulnerability, combined with ransomware

1.3 Trojan Horse

A Trojan horse is malware that disguises itself as a legitimate program to trick users into installing it.

Characteristics:

• Disguise: Masquerades as useful programs, games, utilities
• Non-replicating: No self-replication capability, spreads through social engineering
• Backdoor functionality: Provides remote access path

Major types:

• RAT (Remote Access Trojan): Provides remote control functionality
• Banking Trojan: Targets financial information theft
• Downloader: Downloads additional malware
• Dropper: Installs embedded malware

1.4 Ransomware

Ransomware is malware that encrypts or locks systems or data and demands payment.

Characteristics:

• Encryption: Encrypts files with strong encryption algorithms
• Ransom demand: Demands payment in cryptocurrency (mainly Bitcoin)
• Time pressure: Threatens to increase amount or delete data if not paid within deadline
• Double extortion: Encryption + data leak threat

Ransomware evolution:

Generation	Characteristics	Examples
1st Gen	Screen lock, fake warnings	Police Locker
2nd Gen	File encryption	CryptoLocker
3rd Gen	Worm capability, mass propagation	WannaCry, NotPetya
4th Gen	RaaS (Ransomware as a Service)	REvil, LockBit
5th Gen	Double/triple extortion, data leaks	Maze, Conti, BlackCat

1.5 Spyware

Spyware is malware that secretly monitors user activities and collects information.

Collection targets:

• Keyboard input (keylogger)
• Screen captures
• Browser history
• Login credentials
• Financial information
• Personal documents

1.6 Other Malware Types

• Adware: Displays unwanted ads, some include spyware functionality
• Rootkit: Hides deep in the system to evade detection and maintain persistent access
• Botnet: Remotely controls infected systems for DDoS, spam distribution, etc.
• Cryptominer: Unauthorized use of victim's computing resources for cryptocurrency mining
• Fileless Malware: Executes in memory without leaving traces on the file system

2. Malware Infection Vectors

2.1 Email-Based Infection

Email remains the most common malware distribution channel.

Attack techniques:

• Phishing email: Disguised as trusted sender
• Malicious attachments: Office documents, PDFs, executable files, etc.
• Malicious links: Redirects to drive-by download sites
• HTML smuggling: Malicious JavaScript embedded in HTML email

# Suspicious email attachment extensions
.exe, .com, .bat, .cmd, .scr, .pif, .js, .vbs, .wsf
.doc, .docm, .xls, .xlsm (macro-enabled documents)
.zip, .rar, .7z (malware in compressed files)
.iso, .img (disk images)
.lnk (shortcut files)

2.2 Web-Based Infection

Infection methods:

• Drive-by download: Automatic download through vulnerable browser/plugins
• Malvertising: Infection through ads on legitimate websites
• Watering hole attack: Infecting sites frequently visited by targets
• Fake software updates: Malware disguised as legitimate updates

2.3 Removable Media

Infection through removable storage devices like USB drives remains a threat.

• Autorun exploitation: Exploiting auto-run features (now mostly disabled)
• Shortcut files: .lnk files disguised as normal files
• BadUSB: Firmware-modified USB devices masquerading as keyboards

2.4 Network-Based Infection

• Vulnerability exploits: Attacking unpatched systems
• Lateral movement: Spreading within internal network
• Supply chain attacks: Infecting software update channels
• RDP brute force: Remote Desktop Protocol attacks

3. Ransomware Operation Principles

3.1 Infection Stages

1. Initial access: Infiltration through phishing email, vulnerability, RDP, etc.
2. Persistence establishment: Registry modification, service registration, scheduled task creation
3. Privilege escalation: Attempting to gain administrator privileges
4. Internal reconnaissance: Understanding network structure, identifying critical data locations
5. Security bypass: Deleting backups, disabling security software
6. Lateral movement: Spreading to other systems in the network
7. Data exfiltration: Pre-theft of data for extortion (double extortion)
8. Encryption execution: File encryption and ransom demand

3.2 Encryption Technology

Modern ransomware uses strong encryption technology.

Common encryption method:

• Hybrid encryption: Combination of symmetric + asymmetric keys
• Generates unique AES-256 key for each file
• Encrypts AES key with RSA-2048 public key
• Private key kept on attacker's server

# Ransomware encryption flow (conceptual)
1. Generate RSA key pair or receive public key from attacker server
2. For each file:
   a. Generate random AES-256 key
   b. Encrypt file with AES key
   c. Encrypt AES key with RSA public key
   d. Append encrypted AES key to file
3. Delete original file
4. Display ransom note

3.3 RaaS (Ransomware as a Service)

RaaS is a business model that operates the ransomware ecosystem as a service.

Components:

• Developer: Develops and maintains ransomware code
• Operator: Operates infrastructure, negotiation, payment processing
• Affiliate: Performs actual attacks, revenue sharing
• Initial Access Broker (IAB): Sells corporate network access

Revenue distribution:

• Developer/Operator: 20-40%
• Affiliate: 60-80%

4. Endpoint Security Solutions

4.1 Limitations of Traditional Antivirus

Signature-based antivirus is difficult to respond to modern threats.

Limitations:

• Only detects known threats: Cannot detect new malware not in signature database
• Polymorphic malware: Bypasses signatures through code transformation
• Fileless malware: Cannot detect with file-based scanning
• Zero-day attacks: Difficult to respond to attacks using unknown vulnerabilities
• Advanced evasion techniques: Obfuscation, packing, encrypted payloads

4.2 EDR (Endpoint Detection and Response)

EDR is a solution that continuously monitors endpoint activities and detects, analyzes, and responds to threats.

Core features:

• Continuous monitoring: Tracks process, file, network, registry activities
• Behavior analysis: Detects malicious patterns and abnormal behavior
• Threat hunting: Proactive threat searching
• Forensic data collection: Detailed logs for incident investigation
• Automated response: Threat blocking, isolation, remediation

EDR data collection items:

# Telemetry data collected by EDR
- Process creation/termination
- File creation/modification/deletion
- Registry changes
- Network connections
- DNS queries
- User login/logout
- Command line arguments
- Module loading
- Script execution (PowerShell, WMI, etc.)

4.3 XDR (Extended Detection and Response)

XDR extends EDR to integrate not only endpoints but also networks, cloud, email, and other security domains.

Integration domains:

• Endpoint: Workstations, servers, mobile
• Network: Firewalls, IDS/IPS, NDR
• Email: Email gateway, phishing detection
• Cloud: CASB, CWPP, cloud logs
• Identity: IAM, Active Directory

XDR advantages:

• Correlation analysis of various data sources
• Visibility across entire attack chain
• Reduced alert fatigue (consolidated alerts)
• Automated cross-domain response

Category	AV	EDR	XDR
Scope	Endpoint	Endpoint	Entire IT environment
Detection method	Signature	Behavior analysis	Integrated correlation analysis
Visibility	Limited	Detailed endpoint	Integrated environment
Response	Block/Delete	Isolate/Investigate/Remediate	Automated cross-domain
Forensics	None	Available	Integrated forensics

5. Behavior-Based Detection

5.1 Principles of Behavior Analysis

Behavior-based detection analyzes behavior patterns exhibited during execution rather than malware signatures.

Detection target behaviors:

• File system: Mass file modification, extension changes, encryption patterns
• Process: Injection, privilege escalation, abnormal parent-child relationships
• Network: C2 communication, beacons, abnormal port usage
• Registry: Run key registration for persistence
• Memory: Shellcode injection, process hollowing

5.2 MITRE ATT&CK Framework

MITRE ATT&CK is a knowledge base that systematizes attacker Tactics, Techniques, and Procedures (TTPs).

Key Tactics:

1. Initial Access
2. Execution
3. Persistence
4. Privilege Escalation
5. Defense Evasion
6. Credential Access
7. Discovery
8. Lateral Movement
9. Collection
10. Command and Control (C2)
11. Exfiltration
12. Impact

# Ransomware-related ATT&CK techniques examples
T1486: Data Encrypted for Impact
T1490: Inhibit System Recovery
T1489: Service Stop
T1562: Impair Defenses
T1070: Indicator Removal on Host

5.3 Machine Learning-Based Detection

Modern security solutions use machine learning to detect unknown threats.

Application areas:

• Static analysis: PE file structure, string, entropy analysis
• Dynamic analysis: Learning execution behavior patterns
• Anomaly detection: Detecting deviations from normal behavior baseline
• Threat intelligence: Automatic threat information classification and correlation analysis

6. Sandbox Analysis

6.1 Sandbox Concepts

A sandbox is a technology that executes suspicious files or URLs in an isolated virtual environment to analyze their behavior.

Advantages:

• Can detect unknown malware
• Safe analysis without affecting actual systems
• Generates detailed behavior reports
• Extracts IOC (Indicators of Compromise)

6.2 Sandbox Evasion Techniques

Advanced malware detects sandbox environments and hides its behavior.

Evasion techniques:

• Environment checks: VM artifacts, process, registry inspection
• Time-based evasion: Executes malicious behavior only after certain time
• User interaction required: Detects mouse clicks, scrolling, etc.
• Geo-based evasion: Operates only in specific countries/languages
• Hardware checks: Verifies CPU, memory, disk size

# Sandbox detection techniques example (educational purposes)

# VM detection - Process check
vm_processes = ['vmtoolsd.exe', 'vmwaretray.exe', 'vboxservice.exe']

# VM detection - Registry check
# HKLM\SYSTEM\CurrentControlSet\Services\VBoxGuest

# Time-based evasion
import time
time.sleep(300)  # Execute after 5 minutes wait

# User interaction check
# Operate after detecting mouse movement, click events

6.3 Sandbox Solutions

Major sandbox solutions:

• Open source: Cuckoo Sandbox, CAPE Sandbox, Any.Run
• Commercial: FireEye AX, Palo Alto WildFire, Cisco Threat Grid
• Cloud: VirusTotal, Hybrid Analysis, Joe Sandbox

7. Malware Analysis Basics

7.1 Static Analysis

Static analysis is a method of analyzing malware code and structure without executing it.

Analysis items:

• File hash: MD5, SHA-1, SHA-256
• PE header analysis: Sections, imports, exports
• String extraction: URLs, IPs, commands, etc.
• Packing detection: UPX, Themida, etc.
• Signature matching: YARA rules

# Static analysis tool usage examples

# Calculate file hash
certutil -hashfile malware.exe SHA256

# Extract strings
strings malware.exe > strings.txt

# PE header analysis (pestudio, PEview, etc.)
# Check import functions
# - CreateRemoteThread: Code injection possibility
# - VirtualAllocEx: Remote memory allocation
# - WriteProcessMemory: Remote process memory write

7.2 Dynamic Analysis

Dynamic analysis is a method of executing malware and monitoring its real-time behavior.

Monitoring items:

• Process: Creation, injection, privileges
• File: Creation, modification, deletion
• Registry: Changes
• Network: DNS queries, HTTP/HTTPS requests, C2 communication
• API calls: System call tracing

Dynamic analysis tools:

• Process monitoring: Process Monitor, Process Hacker
• Network analysis: Wireshark, Fiddler
• System change tracking: Regshot, Autoruns
• Debugger: x64dbg, OllyDbg

7.3 IOC (Indicators of Compromise)

IOCs are technical indicators used to identify security incidents.

IOC types:

• File-based: Hash values, filenames, file paths
• Network-based: IP addresses, domains, URLs
• Host-based: Registry keys, mutex, service names
• Behavior-based: Process trees, command lines

# YARA rule example (malware detection)
rule Ransomware_Generic
{
    meta:
        description = "Generic ransomware detection"
        author = "Security Analyst"
        date = "2026-01-22"

    strings:
        $ransom1 = "Your files have been encrypted" nocase
        $ransom2 = "bitcoin" nocase
        $ransom3 = ".onion" nocase
        $ext1 = ".locked"
        $ext2 = ".encrypted"
        $ext3 = ".crypted"

    condition:
        any of ($ransom*) and any of ($ext*)
}

8. Ransomware Response Strategy

8.1 Prevention Strategy

Technical measures:

• Patch management: Keep OS and software up to date
• Backup strategy: 3-2-1 rule (3 copies, 2 media types, 1 offsite)
• Network segmentation: Prevent spread through segmentation
• Principle of least privilege: Minimize user/system privileges
• Email security: Phishing filtering, attachment scanning
• RDP security: VPN required, MFA applied, port change

Administrative measures:

• Security awareness training: Phishing awareness, safe computing habits
• Incident response plan: Establish ransomware-specific response procedures
• Cyber insurance: Mitigate financial damage in case of incident

8.2 Detection and Initial Response

Detection indicators:

• Mass file extension changes
• Surge in encryption-related API calls
• Volume shadow copy deletion attempts
• Abnormal process behavior
• Suspicious network communication

Initial response:

1. Isolation: Immediately disconnect infected system from network
2. Containment: Block network segments, disable shared folders
3. Evidence preservation: Memory dump, log backup
4. Reporting: Notify executives, legal team, law enforcement if necessary

8.3 Recovery Strategy

Recovery options:

• Backup restoration: Most recommended method, verify backup integrity beforehand
• Decryption tools: Free tools provided by No More Ransom project, etc.
• Volume shadow copies: Restore previous versions if not deleted
• Data recovery firms: Attempt recovery through specialized companies

Warning: Paying the ransom is not recommended. You may not receive the decryption key even after payment, and you fund criminal organizations. Additionally, paying once makes you a likely target for future attacks.

8.4 Post-Incident Analysis and Improvement

• Root cause analysis: Identify initial infiltration path
• Impact assessment: Confirm affected systems and data
• Security gap identification: Identify vulnerabilities and missing security controls
• Improvement measures: Strengthen security to prevent recurrence
• Documentation: Record incident details and response process

9. Malware Response Checklist

Category	Check Item	Recommendation
Endpoint protection	Security solution	Deploy EDR or next-gen AV
Patch management	Update frequency	Auto-update, regular patching
Backup	Backup strategy	3-2-1 rule, regular testing
Email security	Filtering	SPF, DKIM, DMARC, sandbox
Network	Segmentation	Critical asset isolation, microsegmentation
Privilege management	Least privilege	Deploy PAM, restrict admin privileges
Remote access	RDP security	VPN required, MFA, NLA enabled
Security awareness	Training program	Regular phishing drills, security training
Logging	Log collection	Central log management, SIEM integration
Response plan	IR procedures	Establish and drill ransomware playbook

Conclusion

Malware and ransomware continue to evolve and become more sophisticated. Here's a summary of what we covered in Part 8:

• Malware types: Various types exist including viruses, worms, trojans, ransomware, and spyware, each with different characteristics and purposes.
• Infection vectors: Infiltrates through various routes including email, web, removable media, and network vulnerabilities, requiring defense in depth.
• Endpoint security: Deploying EDR/XDR solutions is important to overcome limitations of traditional antivirus.
• Behavior-based detection: Behavior analysis and machine learning-based detection that doesn't rely on signatures is key.
• Response strategy: Systematic strategies across all stages of prevention, detection, response, and recovery are needed.

Effective malware response requires investment not only in technical solutions but also in processes and people. Security levels should be continuously improved through regular security training, incident response drills, and staying informed about the latest threat trends.

In the next part, we'll cover another important topic in the network security series. Security is a journey, not a destination, so continuous learning and improvement are necessary.