{
	"id": "217d0905-6c8e-4355-950d-6e2b96ad6faa",
	"created_at": "2026-04-06T00:13:42.48029Z",
	"updated_at": "2026-04-10T03:20:40.657958Z",
	"deleted_at": null,
	"sha1_hash": "4e2aa358187ee63c329093f6aba0b5cf9096355a",
	"title": "The Road to Ransomware Resilience, Part 2: Behavior Analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3504837,
	"plain_text": "The Road to Ransomware Resilience, Part 2: Behavior Analysis\r\nBy CyCraft Technology Corp\r\nPublished: 2022-06-10 · Archived: 2026-04-05 14:50:32 UTC\r\nUnderstanding Active and Emerging Threats \u0026 Developing a More Effective Novel Response\r\n*This is the second in a series of articles. Follow this link to read from the beginning.\r\nThe road to constructing an effective novel response against ransomware begins with understanding recent trends in the underground ransomware ecosystem: the common targets of ransomware, typical ransomware behavior, common ransomware encryption schemes, and the construction and application of decryptors and other effective response approaches and tools.\r\nIn this series of articles, we discuss each of these factors one by one.\r\nRansomware Behavior Trends\r\nWe have looked at trends in victim selection as well as the underground ecosystem; however, what has proven most interesting has been the trends within the ransomware itself.\r\nhttps://medium.com/cycraft/the-road-to-ransomware-resilience-c1ca37036efd\r\nPage 1 of 16\r\nWe analyzed 9 different ransomware families and focused on three aspects of their behavior: triggers, evasion and obfuscation techniques, and encryption schemes.\r\nFig. 2 — Ransomware Analyzed\r\nTrigger Analysis\r\nRansomware typically wants to encrypt and exfiltrate as many files as it can, as fast as it can, for as long as it can; however, it first needs to ensure the targeted files are worth encrypting, whatever the attackers’ motivations might be. To accomplish this, prior to execution, ransomware will typically perform environment and atomic execution checks.\r\nEnvironment Check\r\nRansomware checks the environment it is running in to ensure it is not inside a sandbox, honeypot, or other virtual machine but in the target victim’s real environment. “Big game” targets typically have more mature defenses, meaning that ransomware only has one chance to trigger execution.\r\nFig. 3 — WastedLocker Environment Check\r\nWastedLocker, for example, checks for a specific interface to ensure the environment it is currently located in is real and not a virtual machine.\r\nAtomic Execution Check\r\nRansomware developers are constantly looking for ways to increase encryption efficiency, that is, to encrypt more files in less time. One method used across different ransomware families is an atomic execution check that ensures files selected for encryption are only encrypted once, typically by creating a named mutex and refusing to run if it already exists.\r\nSome take a streamlined approach with a static, hardcoded mutex name, such as ColdLock, Crypt7, and Prometheus. Others took a more complicated approach with a dynamic mutex: RansomEXX generated the mutex name by MD5-hashing the endpoint’s computer name. Prometheus, in addition to its static mutex, hardcoded its own process name into the code and later re-checked running processes by that name to ensure targeted files would not be double encrypted.\r\nFig. 4 — WastedLocker Atomic Execution Check\r\nWastedLocker (pictured above) took a much more dynamic approach with its mutex, only beginning encryption if the newly created mutex was “unique” on the endpoint. 
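The atomic execution check described above, as an added example that is not part of the original article and is not code from any of the families it analyzes: a simulated mutex namespace standing in for CreateMutexW, a RansomEXX-style name derived from the MD5 of the computer name (the exact bytes the malware hashes, and the hex formatting, are assumptions), the trigger gate built on it, and the defender's inversion of the same check, pre-creating the mutex so that the gate fails. It goes beyond the mutex case by also folding in the locale gate discussed under Idiosyncratic Checks further down, over a constructed list of Windows language identifiers; which identifiers Egregor actually tests is not stated on the page, so the CIS list here is a partial one of my own.

```go
package main

import (
	"crypto/md5"
	"encoding/hex"
	"fmt"
	"strings"
)

// MutexNamespace stands in for the Windows object namespace that CreateMutexW
// populates, so the example runs on any OS. Constructed for this example.
type MutexNamespace struct{ names map[string]bool }

func NewMutexNamespace() *MutexNamespace {
	return &MutexNamespace{names: map[string]bool{}}
}

// TryCreate mimics CreateMutexW followed by GetLastError(): it returns false
// when the name already exists (ERROR_ALREADY_EXISTS), true on first creation.
func (ns *MutexNamespace) TryCreate(name string) bool {
	if ns.names[name] {
		return false
	}
	ns.names[name] = true
	return true
}

// RansomEXXStyleMutexName derives a per-endpoint name the way the article
// describes for RansomEXX: an MD5 of the computer name. Upper-casing the name
// and using the lower-case hex digest are assumptions about the real encoding.
func RansomEXXStyleMutexName(computerName string) string {
	sum := md5.Sum([]byte(strings.ToUpper(computerName)))
	return hex.EncodeToString(sum[:])
}

// cisLanguageIDs is a partial list of Windows language identifiers for
// CIS-country languages (Russian, Ukrainian, Belarusian, Kazakh, Kyrgyz, Uzbek,
// Tajik, Turkmen, Armenian, Azerbaijani), normalized to the default sublanguage.
// Which IDs Egregor tests is not stated in the article; this list is an assumption.
var cisLanguageIDs = map[uint16]bool{
	0x0419: true, 0x0422: true, 0x0423: true, 0x043F: true, 0x0440: true,
	0x0443: true, 0x0428: true, 0x0442: true, 0x042B: true, 0x042C: true,
}

// HasCISLanguage models the Egregor-style locale gate over the list of
// installed keyboard layouts or UI languages (on a real host these come from
// APIs such as GetKeyboardLayoutList or GetUserDefaultUILanguage). The low
// ten bits of an LCID are the primary language, so Cyrillic and Latin
// variants of the same language are matched together.
func HasCISLanguage(installed []uint16) bool {
	for _, id := range installed {
		if cisLanguageIDs[(id&0x03FF)|0x0400] {
			return true
		}
	}
	return false
}

// ShouldEncrypt is the combined trigger gate: refuse on CIS locales, then run
// only if this process is the first on the endpoint to hold the mutex.
func ShouldEncrypt(ns *MutexNamespace, computerName string, installed []uint16) bool {
	if HasCISLanguage(installed) {
		return false
	}
	return ns.TryCreate(RansomEXXStyleMutexName(computerName))
}

// Vaccinate is the defender's inversion of the atomic check: create the mutex
// first so every later ShouldEncrypt on this host fails. It only works against
// families whose mutex name a defender can compute in advance.
func Vaccinate(ns *MutexNamespace, computerName string) bool {
	return ns.TryCreate(RansomEXXStyleMutexName(computerName))
}

func main() {
	ns := NewMutexNamespace() // constructed endpoint with an en-US layout only
	host, layouts := "WS-FINANCE-01", []uint16{0x0409}
	fmt.Println("mutex name:", RansomEXXStyleMutexName(host))
	fmt.Println("first run encrypts:", ShouldEncrypt(ns, host, layouts))
	fmt.Println("second run encrypts:", ShouldEncrypt(ns, host, layouts))
	clean := NewMutexNamespace()
	fmt.Println("vaccinated:", Vaccinate(clean, host))
	fmt.Println("run on vaccinated host encrypts:", ShouldEncrypt(clean, host, layouts))
	fmt.Println("run with a Russian layout encrypts:", ShouldEncrypt(NewMutexNamespace(), host, []uint16{0x0409, 0x0419}))
}
```

The vaccine only helps where the name is static or computable ahead of time; a WastedLocker-style name that is deterministic per endpoint but derived from values you have to reverse first gives you a detection opportunity (the name is stable on a given host) rather than a one-line prevention.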
WastedLocker appeared to generate “random”, “unique” mutex names; this “random” name was in fact deterministic on a given endpoint and could therefore be reproduced. That is, different endpoints have different mutex names (“random” across endpoints, so a single static indicator is useless for EDR/AV), but the same endpoint always produces the same mutex name (so it will not double encrypt itself).\r\nFor your reference, we created the chart below to help you compare each of the studied ransomware samples.\r\nFig. 5 — Ransomware Trigger Behavior\r\nIdiosyncratic Checks\r\nWhile different strains of ransomware share similarities due to the specific nature of ransomware attacks, ransomware is still a reflection of the more unique motivations driving its developers.\r\nEgregor, for example, checks for languages native to the ex-Soviet CIS countries (Commonwealth of Independent States); this is most likely because the Egregor developers are located in, or come from, one of the CIS countries and want to avoid attention from local law enforcement agencies.\r\nWhen asked whether they check the location of their victims, the leader of the LockBit ransomware group responded, “Yes, that’s a code of honor. You cannot attack your own nation. I was born in the Soviet Union.”[8]\r\nSome checks may have been developed and implemented because of the cultural environment of the target as opposed to its digital environment. In the ColdLock case[5], the attackers waited for a long holiday weekend to let Group Policy (GPO) automate the distribution of the ColdLock ransomware throughout the entire domain, maximizing the number of affected endpoints on the day of the attack. When the ransomware did trigger, it was at precisely 12:10 in the afternoon, the Monday lunch break.\r\nCompared to the rest of the analyzed ransomware, Prometheus was far more meticulous and sophisticated in both its environment and atomic checks. Among the mutex implementations, WastedLocker and RansomEXX both leveraged a dynamic mutex, with WastedLocker being the most dynamic and complex.\r\nEvasion and Obfuscation Techniques\r\nRansomware follows the design philosophy of encrypting and exfiltrating as many files as it can, for as long as it can. While environment and atomic checks help ensure targeted files get encrypted as efficiently as possible, obfuscation and evasion techniques help ensure the attackers have enough time to locate and encrypt sensitive files.\r\nModern ransomware developers also think in the long term: the longer it takes defense teams to reverse engineer the ransomware and respond, the longer the ransomware gang can stay operational.\r\nHere are some highlighted obfuscation techniques.\r\nConti Ransomware: API Unhooking\r\nAPI hooking is a common technique used by both AV and EDR solutions to monitor process and code behavior in near real time. It is typically done by placing a jump instruction at the start of each function the product wants to monitor, so that every call is redirected through the product’s own code before the original function runs.\r\nMITRE ATT\u0026CK T1056.004 (Input Capture: Credential API Hooking)\r\nAdversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials. Unlike Keylogging, this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via hooks procedures, import address table (IAT) hooking, or inline hooking.\r\nT1056.004 describes adversaries installing hooks to capture credentials; it is quoted here because the same placements (hook procedures, IAT hooking, inline hooking) are the ones security products use for monitoring, and removing them is exactly what Conti does.\r\nConti (pictured below) bypassed this by searching each target function for a jump opcode. If one was found, Conti patched the jump out and unhooked the API, leaving the AV or EDR solution blind to Conti’s behavior.\r\nFig. 6 — Conti Ransomware API Unhooking\r\nNote the two highlighted green sections labeled “check jmp code” and “unhook function by copying 16 bytes”. The first part of the code checks whether the opcode at the start of the function is a jump instruction, a potential sign of API hooking. The second part then overwrites those instructions with “nop” instructions, applied by copying 16 bytes over the function prologue, to remove the hook. A defender-side check is the mirror image: periodically compare the in-memory prologue of each monitored function with the bytes the product placed there, and alert when they no longer match.\r\nConti Ransomware: String Obfuscation\r\nConti leveraged more than 100 string obfuscation functions in our sample alone. The particular obfuscation method pictured below is simple to decrypt manually; however, this quickly becomes burdensome when tasked with manually decrypting over 100 such functions. In this case, a script was developed to automate the decryption.\r\nFig. 7 — Conti Ransomware String Obfuscation\r\nPrometheus Ransomware: GetString\r\nUnlike Conti, Prometheus is implemented in managed code (.NET MSIL) and did not develop its own obfuscation method but rather used the commercial obfuscator SmartAssembly v7.5.2.4508. While this version of SmartAssembly gives Prometheus access to numerous obfuscation techniques, we want to highlight Prometheus’ use of the GetString function.\r\nEvery string reference has been replaced by a call to the GetString function. From the code below, we see that the function .\\u001F is, in fact, the GetString function.\r\nFig. 8 — Prometheus Ransomware GetString Obfuscation\r\nFig. 9 — Prometheus Ransomware GetString Function Revealed\r\nIn addition, every class within Prometheus ransomware has its own GetString function.\r\nFig. 10 — Prometheus Ransomware with Multiple GetString Functions\r\nFig. 11 — Prometheus Ransomware GetString Function Simplicity\r\nAs seen directly above, the GetString function itself is not complicated, just a few integer operations. After the ransomware has computed the string offset, it references resource stream {c4633a62-8069-4a7e-9e5d-1429bccb887a}, which, after being unzipped and decoded from Base64, yields the final string buffer where every string used by the ransomware is located.\r\nFig. 12 — Prometheus Ransomware CreateGetStringDelegate Function\r\nThe CreateGetStringDelegate function generates IL code at runtime and dynamically adjusts the arguments passed into GetString. 
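As an added illustration of the mechanism just described (this is not Prometheus’s or SmartAssembly’s code; the length-prefixed buffer layout and the per-class XOR-and-subtract formula are assumptions of my own), the following Go program shows both sides: the obfuscator packs every string into one buffer, gzips and Base64-encodes it as a resource, and emits per-class GetString wrappers whose argument is a token that the class’s own formula turns into a buffer offset; the analyst decodes the resource once and walks the whole buffer, which recovers every string without reversing each call site or each class’s formula.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// BuildResource is the obfuscator side: each string becomes [uint16 LE length][UTF-8 bytes],
// the buffer is gzipped and Base64-encoded. It returns the encoded resource and each
// string's byte offset in the decoded buffer. The layout is an assumption that mirrors
// the article's description (zip + Base64 over one shared string buffer).
func BuildResource(strs []string) (string, []int, error) {
	var raw bytes.Buffer
	offsets := make([]int, len(strs))
	for i, s := range strs {
		if len(s) > 0xFFFF {
			return "", nil, errors.New("string too long for a uint16 length prefix")
		}
		offsets[i] = raw.Len()
		binary.Write(&raw, binary.LittleEndian, uint16(len(s)))
		raw.WriteString(s)
	}
	var gz bytes.Buffer
	w := gzip.NewWriter(&gz)
	w.Write(raw.Bytes())
	w.Close()
	return base64.StdEncoding.EncodeToString(gz.Bytes()), offsets, nil
}

// DecodeResource is the analyst side: Base64 decode, then gunzip, once.
func DecodeResource(b64 string) ([]byte, error) {
	gz, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, err
	}
	r, err := gzip.NewReader(bytes.NewReader(gz))
	if err != nil {
		return nil, err
	}
	defer r.Close()
	return io.ReadAll(r)
}

// GetString reads the length-prefixed string stored at offset, with bounds checks.
func GetString(buf []byte, offset int) (string, error) {
	if offset < 0 || offset+2 > len(buf) {
		return "", errors.New("offset out of range")
	}
	n := int(binary.LittleEndian.Uint16(buf[offset:]))
	if offset+2+n > len(buf) {
		return "", errors.New("length runs past the buffer")
	}
	return string(buf[offset+2 : offset+2+n]), nil
}

// ClassToken is the obfuscator's per-class formula applied when emitting a call site:
// the argument passed to that class's GetString is not the offset but this token.
// The constant and the operations are hypothetical.
func ClassToken(offset, classKey int) int { return (offset + 7) ^ classKey }

// ClassGetString models one class's GetString wrapper: invert the class formula,
// then read from the shared buffer.
func ClassGetString(buf []byte, token, classKey int) (string, error) {
	return GetString(buf, (token^classKey)-7)
}

// DumpAll walks the buffer from the start and returns every string it holds; this is
// the shortcut an analyst takes instead of reversing each call site's formula.
func DumpAll(buf []byte) ([]string, error) {
	var out []string
	for off := 0; off < len(buf); {
		s, err := GetString(buf, off)
		if err != nil {
			return nil, err
		}
		out = append(out, s)
		off += 2 + len(s)
	}
	return out, nil
}

func main() {
	// Constructed sample strings standing in for a managed sample's string table.
	strs := []string{"kernel32.dll", "CreateMutexW", "vssadmin delete shadows /all /quiet", ".locked"}
	res, offsets, err := BuildResource(strs)
	if err != nil {
		panic(err)
	}
	fmt.Println("resource stream (base64):", res)
	buf, err := DecodeResource(res)
	if err != nil {
		panic(err)
	}
	const classKey = 0x5A3C // hypothetical constant baked into one class's GetString
	token := ClassToken(offsets[2], classKey)
	s, _ := ClassGetString(buf, token, classKey)
	fmt.Printf("call site passes %d, class formula yields offset %d: %q\n", token, offsets[2], s)
	all, _ := DumpAll(buf)
	fmt.Println("analyst dump of every string:", all)
}
```

The point of DumpAll is the practical one: once the resource is decoded, the per-class formulas only matter if you need to know which call site used which string; for triage, a single walk of the buffer gives you the complete string table.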
This approach allows not only every GetString function to have a unique metadata token but each class to have a unique formula for calculating the string index.\r\nRansomware Encryption Schemes\r\nThe ransomware we analyzed typically followed the two-layered (hybrid) encryption scheme seen in most ransomware. The first layer is file encryption using a symmetric algorithm (such as AES); typically, a unique file encryption key is generated for each encrypted file. The second layer is key encryption, usually with an asymmetric algorithm (such as RSA), which encrypts the file encryption key. The public key is used to encrypt the file encryption key on the victim’s computer while the private key is kept by the attackers, so the per-file keys cannot be recovered from anything left on the victim’s machine.\r\nFig. 13 — Ransomware Encryption Schemes\r\nHere, you can see that RSA is the most commonly used asymmetric algorithm and AES the most common choice for symmetric encryption.\r\nSome ransomware (as pictured above) used built-in APIs, such as the Windows CryptoAPI function CryptEncrypt or a language runtime’s general-purpose Random.random(). Ryuk’s use of AES-256 and CryptEncrypt() for symmetric encryption and Conti’s use of CryptGenRandom() for RNG (random number generation) are good examples. Note that a general-purpose Random.random() is not a cryptographic RNG: if a sample seeds it from a predictable value, the per-file keys can be reproduced, which is one of the first things to check when building a decryptor. Other ransomware, such as Conti, used statically linked libraries for cryptographic operations.\r\nFig. 14 — Conti Ransomware’s use of ChaCha8\r\nSome ransomware leveraged stream ciphers that also appear in other well-known malware, such as Conti’s use of ChaCha8 (pictured above) or Prometheus’s use of Salsa20 (pictured below). This choice was most likely made to increase encryption speed: both ciphers run faster than AES in software on CPUs without AES hardware acceleration.\r\nFig. 15 — Prometheus Ransomware’s use of SALSA20\r\nEncryption Optimization\r\nAs mentioned earlier, ransomware typically has three priorities: find sensitive data fast, leverage evasion and obfuscation techniques to prolong the attack, and encrypt targeted data quickly and efficiently.\r\nEncryption optimization is on every ransomware developer’s mind. The two main methods we observed in our analysis were increasing the number of encryption threads and employing different encryption methods for files of different sizes.\r\nConti was notorious for its speed, which was due to its use of 32 threads. Conti is not alone in using multiple threads; other ransomware developers have explored this approach, such as REvil, LockBit, Rapid, Thanos, Phobos, and MegaCortex.\r\nOther ransomware (e.g., Prometheus and REvil) increased efficiency by employing different encryption methods based on file size. Smaller files are fully encrypted while larger files, such as image or video files, are only partially encrypted; encrypting only the header can be enough to make the file unusable and serve the attackers’ purposes. Read more: CyCraft Releases Decryptor for Prometheus Ransomware\r\nThe Long and Winding Road\r\nOn our next stop on the road to ransomware resilience, we will explore defense and preventative solutions: how to gather and leverage intelligence from hacker forums, the dark web, OSINT, and other sources to identify potential enterprise-targeting threats. 
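Returning to the encryption scheme and the size-based optimization described in the two sections above: the following Go program is an added example, not code from the article or from any of the families it analyzes, of the two-layer scheme in an analyst-facing form. Each file gets a fresh AES-256-GCM key, the key is wrapped with RSA-OAEP to an attacker-held public key, and files above a size threshold have only their header region encrypted. The thresholds, the use of GCM, and the envelope layout are assumptions; real families use their own layouts and, as the figures above show, often their own ciphers.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Size cut-offs are assumptions for illustration; each family picks its own
// threshold and its own partial-encryption layout.
const (
	partialThreshold = 1 << 20  // files above 1 MiB are only partially encrypted
	partialHeader    = 64 << 10 // ... and only their first 64 KiB is touched
)

// Envelope is the constructed on-disk record for one encrypted file.
type Envelope struct {
	WrappedKey []byte // layer 2: per-file AES key, RSA-OAEP encrypted to the attacker's public key
	Nonce      []byte
	Cipher     []byte // layer 1: AES-256-GCM output for the encrypted region
	Tail       []byte // untouched plaintext remainder of a partially encrypted file
	Partial    bool
}

// EncryptFile runs both layers for one file.
func EncryptFile(pub *rsa.PublicKey, data []byte) (*Envelope, error) {
	fileKey := make([]byte, 32) // fresh symmetric key for this file only
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	region, tail, partial := data, []byte(nil), false
	if len(data) > partialThreshold { // size-based optimization: header only
		region, tail, partial = data[:partialHeader], data[partialHeader:], true
	}
	ct := gcm.Seal(nil, nonce, region, nil)
	// Only the attacker's private key, which never touches the victim host, can unwrap fileKey.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Cipher: ct, Tail: tail, Partial: partial}, nil
}

// DecryptFile is what a decryptor does once the private key is in hand.
func DecryptFile(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Cipher, nil)
	if err != nil {
		return nil, err
	}
	return append(pt, env.Tail...), nil
}

// RecoverableWithoutKey returns how many bytes of a file remain in plaintext after
// partial encryption: zero for small files, everything past the header for large ones.
func RecoverableWithoutKey(env *Envelope) int { return len(env.Tail) }

func main() {
	attacker, err := rsa.GenerateKey(rand.Reader, 2048) // private half stays with the attacker
	if err != nil {
		panic(err)
	}
	small := []byte("constructed contents of a small spreadsheet")
	large := bytes.Repeat([]byte{0xAB}, partialThreshold+4096) // constructed stand-in for a video file
	for _, data := range [][]byte{small, large} {
		env, err := EncryptFile(&attacker.PublicKey, data)
		if err != nil {
			panic(err)
		}
		back, err := DecryptFile(attacker, env)
		fmt.Printf("size=%d partial=%v plaintext left without key=%d decrypts=%v\n",
			len(data), env.Partial, RecoverableWithoutKey(env), err == nil && bytes.Equal(back, data))
	}
}
```

RecoverableWithoutKey is the practical consequence of the optimization: the bulk of a large media file stays in plaintext, which is why carving tools sometimes salvage usable content from such files even though the header, and with it the file format, is gone. It also shows why decryptor work concentrates on the key layer: with the private key (or a flaw in how the per-file keys were generated) everything comes back; without it, only the untouched tail does.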
Learn how to prevent attacks in advance by locating leaked documents, leaked PII, credentials for sale on the dark web, enterprise-related credentials leaked from 3rd party services, and more.\r\nIn addition, we will also discuss new, innovative defense approaches, including AI-based threat hunting, AD environment assessments, and developing digital vaccines for ransomware.\r\nIf you’re interested in learning about compromise assessments to ensure the health and security of your network, engage with us directly at engage@cycraft.com\r\nEverything Starts From Security\r\nCyCraft customers can prevent cyber intrusions from escalating into business-altering incidents. From endpoint to network, from investigation to blocking, from in-house to cloud, CyCraft AIR covers all aspects required to provide small, medium, and large organizations with the proactive, intelligent, and adaptable security solutions needed to defend against all manner of both existing and emerging security threats, with real-time protection and visibility across the organization.\r\nEngage with CyCraft\r\nBlog | LinkedIn | Twitter | Facebook | CyCraft\r\nCyCraft secures government agencies, police and defense organizations, Fortune Global 500 firms, top banks and financial institutions, critical infrastructure, airlines, telecommunications, hi-tech firms, SMEs, and more by being Fast / Accurate / Simple / Thorough.\r\nCyCraft powers SOCs using innovative AI-driven technology to automate information security protection with built-in advanced managed detection and response (MDR), global cyber threat intelligence (CTI), smart threat intelligence gateway (TIG) and network detection and response (NDR), security operations center (SOC) operations software, auto-generated incident response (IR) reports, enterprise-wide Health Check (Compromise Assessment, CA), and Secure From Home services. Everything Starts From Security.\r\nMeet your cyber defense needs in the 2020s by engaging with CyCraft at engage@cycraft.com\r\nAdditional Resources\r\nLearn more about cybersecurity in our CyCraft Classroom Series. Our latest article, “What is Managed Detection and Response (MDR)?”, teaches the benefits of MDR, its unique selling points, and how to make better-informed decisions when choosing an MDR service or vendor.\r\nOut of the 47 Representative AI Startups listed in Gartner’s AI Market Guide, 7 are based in Taiwan and 5 are based in Hong Kong. But only 1 of the 47 Representative AI Startups focused on cybersecurity products and services: CyCraft.\r\nRead our latest white paper to learn which threat actors target Taiwan, their motivations, \u0026 how Taiwan organizations retain resilience against some of the most sophisticated and aggressive cyber attacks in the world.\r\nIs your SOC prepared for the next decade of cyber attacks? Read our latest report on building effective SOCs in the 2020s, the challenges to overcome, and the stressors to avoid; it includes research from Gartner, Inc. on why midsize enterprises are embracing MDR providers.\r\nNew to the MITRE Engenuity ATT\u0026CK Evaluations? START HERE for a fast, accurate, simple, thorough introductory guide to understanding the results.\r\nOur CyCraft AIR security platform achieved a 96.15% Signal-to-Noise Ratio with zero configuration changes and zero delayed detections straight out of the box.\r\nSource: https://medium.com/cycraft/the-road-to-ransomware-resilience-c1ca37036efd",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/cycraft/the-road-to-ransomware-resilience-c1ca37036efd"
	],
	"report_names": [
		"the-road-to-ransomware-resilience-c1ca37036efd"
	],
	"threat_actors": [],
	"ts_created_at": 1775434422,
	"ts_updated_at": 1775791240,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4e2aa358187ee63c329093f6aba0b5cf9096355a.pdf",
		"text": "https://archive.orkl.eu/4e2aa358187ee63c329093f6aba0b5cf9096355a.txt",
		"img": "https://archive.orkl.eu/4e2aa358187ee63c329093f6aba0b5cf9096355a.jpg"
	}
}