Ransomware gets the big headlines, because of the enormous blackmail demands that typically arrive at the end of ransomware attacks.

Indeed, the word “ransom” only expresses half the drama these days, because modern ransomware attacks usually involve the crooks making copies of all your data first before scrambling it.

The crooks then demand a combination payout, part ransom and part hush-money.

You’re not only paying to get the local copies of your data unscrambled, but also paying for a promise from the crooks that they’ll delete all the data they just stole instead of releasing it to the public.

But what about the very start of a ransomware attack?

Technically, that’s often a lot more interesting – and often more important, too, given that many ransomware attacks are merely the final blow to your network at the end of what may well have been an extended attack lasting days, weeks or even months.

Given the danger that arises as soon as the crooks sneak into your network, it’s as important to learn how malware gets delivered in the first place as it is to know what happens to your files when ransomware finally scrambles them.

With this in mind, SophosLabs has just published an intriguing report on a malware delivery ecosystem dubbed Gootloader.

You may have heard reference to Gootkit, a name given to the malware family of which Gootloader forms a part, because it’s been around for several years already.

But SophosLabs decided to give the initial delivery mechanism a name of its own and study it in its own right:

The Gootkit malware family has been around more than half a decade – a mature Trojan with functionality centered around banking credential theft. In recent years, almost as much effort has gone into improvement of its delivery method as has gone into the NodeJS-based malware itself.

In the past, Sophos and other security experts have bundled the discussion of the malware itself with analysis of the delivery mechanism, but as this method has been adopted to deliver a wider range of malicious code, we assert that this mechanism deserves scrutiny (and its own name), distinct from its payload, which is why we’ve decided to call it Gootloader.

The report goes into the sort of detail that is well worth knowing if you’re interested in how modern malware embeds and extends itself inside a network, including a discussion of so-called “fileless” attacks.

Search crimes – how the Gootkit gang poisons Google searches