We Put Ransomware on Our Machine and Here’s What Happened
Ransomware is running wild across IT networks worldwide, with more than 4,000 cyberattacks occurring since the beginning of the year.
To get a better look at this growing problem, we wanted to see first-hand how it affects people. So we saved the ransomware executable to a folder to demonstrate what a user experiences when the malware infects a machine. Here’s what happened.
Ransomware Demo — Part 1
Watch what happens when ransomware runs on an unprotected Windows computer.
https://youtu.be/z5I8J7stBGg
- 0:00—0:07 We open a standard PDF document. This is actually the FBI ransomware recommendation document. Since the machine is not infected yet, the document opens without a problem.
- 0:08—0:14 We use VirusTotal to show that this executable is indeed ransomware.
- 0:15—0:32 We run the ransomware executable. The desktop becomes grayed out as the ransomware encrypts all documents in the background and a threatening message appears.
- 0:33—0:59 We restart the machine, and when it comes back on, we navigate to the folder that hosts the FBI PDF document. This is the same document we opened without a problem before running the ransomware. Because the ransomware encrypted this document and even injected itself into it, double-clicking it this time runs the ransomware again and we get the same threatening message. We are unable to open or read the document.
Ransomware Demo — Part 2
Watch what happens when ransomware runs on a Windows computer that is running Ivanti Security Suite.
In the first video, we simply ran ransomware on an unprotected Windows machine. Part two demonstrates the same scenario, the only difference being that Ivanti security file protection is running in the background.
https://youtu.be/QwvdfLuAi30
- 0:00—0:07 We open a standard PDF document. This is actually the FBI ransomware recommendation document. Since the machine is not infected yet, the document opens without a problem.
- 0:08—0:14 We use VirusTotal to show that this executable is indeed ransomware.
- 0:15—0:32 We run the ransomware executable. The desktop becomes grayed out as the ransomware attempts to encrypt all documents in the background, and a threatening message appears.
- 0:33—0:44 We restart the machine.
- 0:45—1:34 We navigate to the FBI document and open it without a problem.
This shows that Ivanti file protection prevents any process from encrypting documents, including PDFs. As a result, after we ran the ransomware, the system was infected but no document was encrypted. There was no need to restore this machine’s data from a backup.