# A Different View: Understand and Prevent Encrypting Ransomware

By [Jenny Kitaichik](https://www.paloaltonetworks.com/blog/author/jenny-kitaichik/?ts=markdown "Posts by Jenny Kitaichik"), Jan 07, 2015, 6 minutes

[Endpoint](https://www.paloaltonetworks.com/blog/category/endpoint-2/?ts=markdown) [Malware](https://www.paloaltonetworks.com/blog/category/malware-2/?ts=markdown) [ransomware](https://www.paloaltonetworks.com/blog/tag/ransomware/?ts=markdown)

### Ransomware

In recent years, the cybersecurity world has observed various changing trends in the malware landscape. From plain viruses and worms through DDoS botnets and banking Trojans, criminal organizations and malware authors are constantly trying to ramp up their attack capabilities to adapt to the advancing security market and stay ahead of detection and prevention technology.
One of the most recent evolutions of this cat-and-mouse game is encrypting ransomware, which has lately become very popular with cyber criminals. The figure below shows the number of encrypting ransomware variants spotted in attacks around the world, by the date on which they were spotted:

[![ransomware 1](https://www.paloaltonetworks.com/blog/wp-content/uploads/2015/01/ransomware-1-500x99.png)](https://www.paloaltonetworks.com/blog/wp-content/uploads/2015/01/ransomware-1.png?ts=markdown)

Encrypting ransomware is a malicious piece of software that infects a computer and encrypts all of its valuable files. The ransomware reaches the computer by exploiting a vulnerability (typically in a browser or a document reader), or via a downloaded executable run by an unsuspecting user. The malicious payload then [encrypts](http://en.wikipedia.org/wiki/Cryptography) valuable files on the machine (e.g. documents, images, certificates), requesting payment for their decryption within a certain time-frame. The key needed for decryption is uploaded to a remote C&C server and is not stored on the local machine, making remediation very difficult. Removing the malware is not enough, since the bulk of the user's files are encrypted and cannot be recovered without the key. Thus, if the victim chooses not to comply within the given time-frame, the files remain encrypted with very little hope of recovery. The effectiveness of this threat has contributed to its popularity among cyber criminals, who use it to infect individuals and organizations alike.

### Looking at Things Differently

Most publications on encrypting ransomware focus on the infection methods, the encryption algorithm, or the C&C server communication. In this post, we look at ransomware from another angle, by analyzing the file operations it performs on the files it encrypts.
A high-level overview using simple methods can provide significant insight into malware behaviors -- insight that might otherwise go unnoticed when delving into the little details. We can divide encrypting ransomware into three categories, based on the way they access and modify files:

1. Write-in-place
2. Rename-and-encrypt
3. Create-encrypt-and-delete

As part of our ongoing research into battling these pieces of ransomware, we analyzed many samples and variants from different origins. We present a summarized study of some of the samples we analyzed, one for each of the aforementioned techniques.

#### Write-in-place

The ransomware in this category operate in the following manner:

1. Create a temporary file
2. Read the original file
3. Encrypt the data and write it to the temporary file
4. Read the encrypted data from the temporary file
5. Write the data back to the original file
6. Delete the temporary file

Ransomware of this type includes CryptoLocker, CryptoWall, CryptoDefense and DirCrypt. Note that process memory can be used as the temporary storage area instead of a temporary file; the malware still belongs to this category.

As an example, let us analyze a sample of the DirCrypt ransomware (md5: [0e5e8f6edd2c1496614bb6a71ba3f256](https://www.virustotal.com/intelligence/search/?query=43f608f8965e49f27c355ece5d080edfb377372360ef93881d6be4d87e186950)), which uses the process's memory as its temporary workspace, as depicted below:

[![ransomware 2](https://www.paloaltonetworks.com/blog/wp-content/uploads/2015/01/ransomware-2-500x79.png)](https://www.paloaltonetworks.com/blog/wp-content/uploads/2015/01/ransomware-2.png?ts=markdown)

1. Open the file using *CreateFile*
2. Get the file size and data length using *GetFileInformationByHandle*
3. Read the file's data (piece by piece), encrypt the data in memory, and write it back to the same file
4. Finally, close the file, as shown below

[![ransomware 3](https://www.paloaltonetworks.com/blog/wp-content/uploads/2015/01/ransomware-3-500x45.png)](https://www.paloaltonetworks.com/blog/wp-content/uploads/2015/01/ransomware-3.png?ts=markdown)

Upon opening the encrypted file, the user is faced with this message:

[![ransomware 4](https://www.paloaltonetworks.com/blog/wp-content/uploads/2015/01/ransomware-4-500x372.png)](https://www.paloaltonetworks.com/blog/wp-content/uploads/2015/01/ransomware-4.png?ts=markdown)

#### Rename-and-encrypt

Ransomware belonging to this category operate as follows:

1. Rename the original file.
2. Read the renamed file.
3. Encrypt the data and write it back to the renamed file.
4. Rename the file again to the original name (plus some extension).

Ransomware such as Onion/CTB/Critroni exhibit this method of operation. This sequence is more complex than the first technique presented, since the file is renamed before the encryption. The defender might therefore need to keep track of all the different names a file may have.

An analysis of an Onion ransomware sample (md5: [10a472ec4a6687f1c432c639effbae00](https://www.virustotal.com/intelligence/search/?query=73af46fc8bca26ecc9d15e7808c204b7412ce9390215c8d157c403445c723590)) shows the following actions being performed on the files to be encrypted:

[![ransomware 5](https://www.paloaltonetworks.com/blog/wp-content/uploads/2015/01/ransomware-5-500x170.png)](https://www.paloaltonetworks.com/blog/wp-content/uploads/2015/01/ransomware-5.png?ts=markdown)

1. Open the file using *CreateFile*
2. Rename the file using *SetFileInformationByHandle* to a file in a Temp directory, named 0.tmp
3. Get the file size and data length using *GetFileInformationByHandle*
4. Read the renamed temp file, encrypt the read data, and write it back to the same file
5. Set a new file size with *SetFileInformationByHandle*
6. Rename the file again with *SetFileInformationByHandle*, this time to the original name in the original path, with a ".ctb2" extension

Note that the malware uses *GetFileInformationByHandle* and *SetFileInformationByHandle* to preserve the original timestamp attributes of the file. After all files of interest have been encrypted, the following message appears:

[![ransomware 6](https://www.paloaltonetworks.com/blog/wp-content/uploads/2015/01/ransomware-6-500x358.png)](https://www.paloaltonetworks.com/blog/wp-content/uploads/2015/01/ransomware-6.png?ts=markdown)

#### Create-encrypt-and-delete

The operations performed by malware in this category are:

1. Create a new file
2. Write the encrypted data to the new file
3. Delete the original file

Ransomware such as ZeroLocker and TorrentLocker use this method when encrypting files. This technique is the hardest to identify as malicious activity, since the API calls by themselves cannot associate the creation, write and deletion events and show that they correspond to the same file. Furthermore, legitimate operations, such as moving files between different hard drives, might produce similar logs.
Analysis of a sample of the ZeroLocker ransomware variant (md5: [3772a3deeb781803a907ed36ee10681d](https://www.virustotal.com/intelligence/search/?query=e292cbe7ddbc036009d7ef0deaab49d12005c9267e12a338bbba7782925ef1a6)) shows that for each file in a set of predetermined directories, the following actions are performed:

[![ransomware 7](https://www.paloaltonetworks.com/blog/wp-content/uploads/2015/01/ransomware-7-500x142.png)](https://www.paloaltonetworks.com/blog/wp-content/uploads/2015/01/ransomware-7.png?ts=markdown)

1. Open the file using *CreateFile*
2. Create a new file in the same location, with the same name and an additional ".encrypt" extension
3. Get the file size and data length using *GetFileInformationByHandle*
4. Read the original file, encrypt it, and write it to the newly created file
5. Delete the original file using *SetFileInformationByHandle*

At the end of this procedure, the ransomware creates a directory named "ZeroLocker" with two files. One of the files contains the following message:

[![ransomware 8](https://www.paloaltonetworks.com/blog/wp-content/uploads/2015/01/ransomware-8-500x403.png)](https://www.paloaltonetworks.com/blog/wp-content/uploads/2015/01/ransomware-8.png?ts=markdown)

### Conclusions

In this post we examined the methods of operation of several common ransomware samples. The first method, write-in-place, is the simplest in terms of file operations. The second method, rename-and-encrypt, is very similar to the first, but adds the complexity of tracking all the different names a file may possess. The last method, create-encrypt-and-delete, is the file-operation method used by ransomware that is the most challenging to identify.
This stems from the fact that the file operations involved can be seen in everyday use cases, and it is hard to relate them to malicious activity that aims to encrypt files on the machine.

Palo Alto Networks has been researching a solution in Advanced Endpoint Protection that, based on our lab tests, would have blocked the ransomware families mentioned above and prevented malicious activity. We hope to share more details of this solution in the coming months.
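The three file-operation patterns above can be turned into detection logic that runs over a file-activity trace. The following is an added example, not code from the post or from Palo Alto Networks: it parses a constructed trace (the line format, process IDs and paths are invented for this illustration), follows a file across renames so that rename-and-encrypt is attributed to the original name, correlates a newly created file with the original it was derived from using the same-directory-plus-extra-extension rule the ZeroLocker sample exhibits, and then flags processes that apply one pattern to several distinct files. The constructed trace also contains a cross-drive file move, the benign case the post mentions, to show that it is not correlated by this rule.

```python
"""Classify a file-operation trace into the three ransomware patterns from the post:
write-in-place, rename-and-encrypt and create-encrypt-and-delete. Added example, not
code from the post; the trace format and all paths are constructed for illustration."""
import ntpath
from collections import defaultdict

OPS = {"OPEN", "READ", "WRITE", "CREATE", "DELETE", "RENAME"}

# Constructed trace: "<seq> <pid> <op> <path>[ -> <newpath>]"  (not real tool output)
SAMPLE_TRACE = r"""
1  4242 OPEN   C:\Users\bob\Documents\a.docx
2  4242 READ   C:\Users\bob\Documents\a.docx
3  4242 WRITE  C:\Users\bob\Documents\a.docx
4  4242 OPEN   C:\Users\bob\Documents\b.xlsx
5  4242 READ   C:\Users\bob\Documents\b.xlsx
6  4242 WRITE  C:\Users\bob\Documents\b.xlsx
7  5150 OPEN   C:\Users\bob\Pictures\c.jpg
8  5150 RENAME C:\Users\bob\Pictures\c.jpg -> C:\Temp\0.tmp
9  5150 READ   C:\Temp\0.tmp
10 5150 WRITE  C:\Temp\0.tmp
11 5150 RENAME C:\Temp\0.tmp -> C:\Users\bob\Pictures\c.jpg.ctb2
12 6001 OPEN   C:\Users\bob\Desktop\d.pdf
13 6001 CREATE C:\Users\bob\Desktop\d.pdf.encrypt
14 6001 READ   C:\Users\bob\Desktop\d.pdf
15 6001 WRITE  C:\Users\bob\Desktop\d.pdf.encrypt
16 6001 DELETE C:\Users\bob\Desktop\d.pdf
17 8008 OPEN   D:\archive\x.bin
18 8008 CREATE E:\backup\x.bin
19 8008 READ   D:\archive\x.bin
20 8008 WRITE  E:\backup\x.bin
21 8008 DELETE D:\archive\x.bin
"""

def parse_trace(text):
    """Return (seq, pid, op, path, newpath) tuples; newpath is None except for RENAME."""
    events = []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        seq, pid, op, rest = line.split(None, 3)
        if op not in OPS:
            raise ValueError(f"unknown operation in trace line: {line!r}")
        path, _, newpath = rest.partition(" -> ")
        events.append((int(seq), int(pid), op, path, newpath or None))
    return events

def _derives_from(new_path, known):
    """Known path that new_path looks derived from: same directory, and the new name is
    the original name plus one extra extension (d.pdf -> d.pdf.encrypt)."""
    d, name = ntpath.dirname(new_path).lower(), ntpath.basename(new_path).lower()
    for q in known:
        if ntpath.dirname(q).lower() == d and name.startswith(ntpath.basename(q).lower() + "."):
            return q
    return None

class _ProcState:
    """Per-process bookkeeping; every set holds *original* paths, not current names."""
    def __init__(self):
        self.origin = {}                 # current path -> path it was first seen under
        self.seen, self.reads, self.writes = set(), set(), set()
        self.renamed, self.deleted, self.copy_written = set(), set(), set()
        self.derived = {}                # created copy path -> original it derives from

    def resolve(self, path):
        return self.origin.get(path, path)

def classify_trace(events):
    """Map pid -> {pattern: sorted original paths}; processes with no match are omitted."""
    states = defaultdict(_ProcState)
    for _seq, pid, op, path, newpath in sorted(events):
        st = states[pid]
        o = st.resolve(path)
        if op == "OPEN":
            st.seen.add(o)
        elif op == "READ":
            st.reads.add(o)
        elif op == "WRITE":
            st.writes.add(o)
            if path in st.derived:               # data landed in the derived copy
                st.copy_written.add(st.derived[path])
        elif op == "RENAME":                     # keep following the file under its new name
            st.origin.pop(path, None)
            st.origin[newpath] = o
            st.renamed.add(o)
        elif op == "CREATE":
            src = _derives_from(path, st.seen)
            if src is not None:
                st.derived[path] = src
        elif op == "DELETE":
            st.deleted.add(o)
    result = {}
    for pid, st in states.items():
        cats = defaultdict(list)
        for o in st.reads & st.writes:           # same file read, then overwritten
            cats["rename-and-encrypt" if o in st.renamed else "write-in-place"].append(o)
        for o in st.reads & st.copy_written & st.deleted:
            cats["create-encrypt-and-delete"].append(o)
        if cats:
            result[pid] = {k: sorted(v) for k, v in cats.items()}
    return result

def flag_processes(classification, threshold=2):
    """Processes that applied a single pattern to at least `threshold` distinct files."""
    return {pid: cat for pid, cats in classification.items()
            for cat, files in cats.items() if len(files) >= threshold}
```

On the constructed trace, pid 4242 is classified as write-in-place for two files, 5150 as rename-and-encrypt for `c.jpg` (the temporary `0.tmp` name and the final `.ctb2` name are both resolved back to it), and 6001 as create-encrypt-and-delete for `d.pdf`. The cross-drive move by pid 8008 produces create, write and delete events too, but the new file lives in a different directory, so it is not correlated; a ransomware family that writes its output elsewhere would be missed by this rule for the same reason, which is exactly the difficulty the post describes for this category. The per-process threshold separates a single editor save from the same pattern repeated across many files; a production detector would key on file IDs or handles rather than names and would add a time window.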