Two Ways to Stop Ransomware in Its Tracks
The malware that holds files hostage until payment may have met its match.
Ransomware has become a menace that strikes companies and individuals alike, but researchers have offered tantalizing evidence that we may soon be able to stop it before it does any damage.
The most rapidly growing category of malware is cryptographic ransomware, software that infects a computer through the same means as other malicious software, and then quietly scrambles users’ files, making them unreadable. By the time victims discover the problem, the malware explains to them they have to pay a fee for the encryption key that will make their files usable again.
Two research teams have advanced new ways to detect ransomware before it can do real damage. Antivirus software makers lag on specific ransomware detection, but they say it's coming.
With strong encryption readily available to malware creators, there's no way in most cases for users whose files have been encrypted to get the originals back unless they have an archive predating the infection or pay the fee. Ransomware relies on “honor among thieves,” and most of the time paying the fee does release the necessary encryption key. Preventing an infection or stopping it in its tracks is the only other way out.
According to a recent Symantec report, attackers make millions of attempts to infect users each day, and tens of thousands of systems are held hostage each month. While reports of high fees may dominate the news, such as a hospital whose files were held hostage until it paid $17,000 to unlock them, ransomware distributors typically look for a quick hit that most consumers will grudgingly pay. The average fee required to unlock files more than doubled from $294 at the end of 2015 to $679 by June 2016, Symantec says.
Researchers recently presented two papers that offer effective detection of the unique actions ransomware uses to take user files hostage. Antivirus makers say that while those approaches might work in the lab, they are harder to duplicate in real-world conditions because malware creators adapt quickly. However, changes are coming that should reduce the economic value of deploying ransomware.
Researchers at Northeastern University have created an offline scanning system, dubbed Unveil, that launches suspected malware in a protected virtual environment—like a brain in a box—to monitor its behavior in a controlled way, and then rapidly scores whether or not it was ransomware. A separate group of researchers from the University of Florida and Villanova University created a real-time monitoring system called CryptoDrop that could halt ransomware almost immediately.
Both projects watched for the fundamental behavior ransomware engages in: reading data from lots of documents and then replacing those files (by deleting or overwriting them) with new contents that are not just entirely different but also clearly encrypted. Amin Kharraz of the Unveil team says that the low-level behavior of all ransomware fits a pattern that can be identified.
Unveil could also check whether a ransom-style screen appeared while the software was running, as those messages demanding money are quite different from what most operating systems and software show normally.
Vincent Weafer, vice president of Intel Security's McAfee Labs, finds the work interesting, but he's not sanguine about it being fully effective in real-world usage. "If 90 percent of defenders use the same characteristics, then the bad guys will try to modify and obfuscate."
For instance, if a tool looks at whether a file has shifted from plain text to an encrypted format, attackers might encrypt only parts of a file to make it unreadable and unrecoverable, without signaling to software that it changed enough. Or if rapid changes to large numbers of files trigger an alert, ransomware could tick away slowly and patiently. The two papers' authors in separate interviews contend that the basic ransomware behavior can only be lightly disguised, however, not effectively hidden.
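The behavior both teams key on (low-entropy documents replaced by high-entropy, clearly encrypted contents) and the two evasions raised above (partial encryption, slow pacing) can be made concrete with a toy detector. The code below is an added illustration written for this article, not Unveil's or CryptoDrop's code; the entropy threshold, burst size, time window and sample data are assumptions chosen for the example.

```python
import math
import random
from collections import deque

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4 for English text, close to 8 for ciphertext or random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def max_block_entropy(data: bytes, block: int = 512) -> float:
    """Highest entropy over fixed-size blocks. A file that was only partly scrambled keeps
    a low whole-file entropy, but its encrypted block still stands out."""
    return max((shannon_entropy(data[i:i + block]) for i in range(0, len(data), block)), default=0.0)

class RansomwareHeuristic:
    """Hypothetical detector: a write is suspicious when a low-entropy file is replaced by
    high-entropy content; an alert fires once `burst` such writes land within `window` seconds."""
    def __init__(self, entropy_threshold: float = 7.0, window: float = 60.0, burst: int = 5):
        self.threshold = entropy_threshold
        self.window = window
        self.burst = burst
        self.events = deque()  # timestamps of suspicious writes still inside the window

    def suspicious_write(self, before: bytes, after: bytes) -> bool:
        return (after != before
                and max_block_entropy(before) < self.threshold
                and max_block_entropy(after) >= self.threshold)

    def observe(self, before: bytes, after: bytes, ts: float) -> bool:
        """Return True when the burst threshold is reached. Writes spaced wider than `window`
        never accumulate: that is the slow-and-patient evasion described in the text."""
        if self.suspicious_write(before, after):
            self.events.append(ts)
            while self.events and ts - self.events[0] > self.window:
                self.events.popleft()
        return len(self.events) >= self.burst

# Constructed sample data: a plaintext document, a fully scrambled copy, and a copy with only
# one 512-byte block scrambled. Seeded random bytes stand in for ciphertext here.
_rng = random.Random(1)
PLAINTEXT = (b"Quarterly report: revenue grew while costs held steady. " * 80)[:4096]
SCRAMBLED = bytes(_rng.getrandbits(8) for _ in range(4096))
PARTIAL = PLAINTEXT[:512] + SCRAMBLED[512:1024] + PLAINTEXT[1024:]
```

Whole-file entropy misses `PARTIAL` while the per-block score catches it; a detector with the same window and burst settings never alerts on writes spaced minutes apart, which is why the researchers pair entropy with other signals rather than relying on rate alone.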
Unveil researchers tested a large sampling of malware collected in the wild, and estimated a nearly 97 percent accuracy rate in identifying a subset of about 14,000 ransomware variants; they even discovered a new family that anti-malware firms didn't know about. CryptoDrop authors tested 492 known examples (drawn from 14 major ransomware families) and recognized 100 percent in real time with a median loss of 10 files before the activity was recognized and halted.
The two sets of academics have found fertile ground for exploration, but Weafer at McAfee Labs and Sean Sullivan, a security advisor at F-Secure Labs, caution that testing a set of mock files and a subset of malware doesn't match the messiness of the real world. Both emphasize earlier-stage detection by software that examines application activity. They also say that ransomware is no different from other infections that spread indiscriminately in hitting older operating systems, unpatched systems, and those running Flash and Java.
It's also the case that ransomware gets more attention because it's "in your face," as Weafer puts it, whereas most malware hides and may carry out business unrelated to the user whose machine has been compromised.
While the specific work by these two academic teams might not find its way directly into anti-malware software, Weafer says new approaches to blocking ransomware will start to be incorporated across the security software industry by year's end. Putting stricter checks in place before an application can launch, such as consulting a central database to see whether the app has ever been run on any computer anywhere in the world, is among the strategies firms are willing to discuss.
"High-profile threats don't last forever," Weafer says. Ransomware will fade—and be replaced by the next threat.