Inside Different Generations of Ransomware
Introduction
This page serves as the central hub for my series “Inside Different Generations of Ransomware”.
Unlike completed analysis articles, this page focuses on outlining the research scope, methodology, and planned targets for future analysis.
This page will be continuously updated as new research is added.
Research Scope
This series aims to analyze representative ransomware samples across different stages of evolution. The goal is not only to understand how they work, but also to identify how design patterns change over time.
The analysis will focus on:
- Encryption mechanisms and key management
- Propagation techniques (if applicable)
- Anti-analysis and evasion techniques
- Operational design (e.g., monetization strategies)
Evolution Overview
Based on existing reports and preliminary observations, ransomware appears to have evolved through several stages:
- Early stage: Screen lockers with limited technical sophistication
- Crypto ransomware era: Adoption of strong encryption mechanisms
- Worm-enabled ransomware: Self-propagating attacks (e.g., WannaCry)
- Modern ransomware: RaaS ecosystems and data exfiltration
These hypotheses will be further validated through detailed analysis in this series.
Roadmap
Planned analysis in this series includes:
- TeslaCrypt
- Thanos
Articles
The table below lists all articles in this series analyzing various ransomware families and variants.
It will be updated continuously as new research is published.
| Ransomware | Article |
|---|---|
| Preface of this series | Inside Different Generations of Ransomware |
| Thought of Ransomware and RATs | Ransomware vs. RAT |
| CryptoLocker | Analyzing CryptoLocker |
| Jigsaw | Analyzing Jigsaw |
| WannaCry | Analyzing WannaCry |
| Protocol Analysis of WannaCry | Inside WannaCry: Exploit, Worming, and TOR Communication Explained |
| GlobeImposter 2018 | Analyzing GlobeImposter 2018 |
| GLobeImposter 2021 | Inside GlobeImposter 2021: Multi-Stage Payload & In-Memory Execution Analysis |
| Petya | Analyzing Petya |
| NotPetya | Analyzing NotPetya |
Supplement
Tutorials for Malware Analysis
- How to Setup Your Experimental Environment for Malware Analysis
- Installing VMware Tools on Windows XP and Windows 95 with VMware WorkStation 17
Underlying Mechanism
This section provides links to related articles that introduce the underlying principles behind techniques commonly used by ransomware.
Petya
Petya is a milestone in the evolution of ransomware, demonstrating how bootkit techniques can be used to compromise a system before the operating system is loaded.
The bootkit mechanism implemented by Petya is particularly valuable for studying bootloaders, NTFS internals, and low-level system behavior.
- Simple MBR And Bootloader: Something Before Analyzing Petya
- OpenBootloader: Understanding Boot Process and Bootloaders
- OpenPetya: A Proof-of-Concept of Petya Ransomware
THANKS FOR READING
