Could ransomware be automatically stopped in its tracks by an anti-ransomware program? Researchers in the US believe their prototype software can do it.
The researchers from the University of Florida and Villanova University developed CryptoDrop, software which detects when a process has begun to encrypt a significant number of files.
In tests of 492 distinct ransomware samples, they report that CryptoDrop detected and stopped the samples from encrypting the entire contents of a hard drive – in some cases before it had managed to encrypt any files but on average (median) after just 10 files had been lost. In the worst case scenario, 33 files were encrypted before CryptoDrop identified the ransomware process.
Ransomware is notoriously difficult to stop. Users are frequently tricked into downloading and installing the software which, when activated, encrypts key content files such as word processing documents, pictures, spreadsheets and emails. When complete, the attacker deletes the encryption key from the system and displays a ransom note instructing the victim to make a payment, usually in a crypto-currency, to get the encryption key and unlock their files.
Attackers can easily make variants of ransomware which makes detection via virus signatures more challenging.
“Ransomware is indeed a global problem, reaching epidemic levels given many high-profile cases this past while, where ransom payments have been made. The industry is constantly striving to innovate in ransomware detection and prevention, with technologies across the stack (endpoint to point of entry into network) trying all in their power to come up with new and effective mechanisms to protect end-users and business data better,” said Richard Cassidy, cyber-security evangelist at Alert Logic in emailed comments to SCMagazineUK.com.
The researchers are Nolen Scaife, Patrick Traynor and Kevin R.B. Butler from the University of Florida and Henry Carter at Villanova University.
In their paper, “CryptoLock (and Drop It): Stopping Ransomware Attacks on User Data”, the researchers claim to make several contributions to the fight to control ransomware.
CryptoDrop takes a fundamentally different approach to detecting ransomware, claiming it is the first to monitor the user data rather than attempt to analyse the function of new processes.
It monitors files on the system which are being modified, targeting the core behaviour of the malware, which enables it to detect ransomware regardless of the delivery mechanism or file signature. They emphasise that it won't stop all files from being encrypted and is intended to act as a backstop for when the anti-virus system has failed to detect the ransomware package.
They have identified three primary indicators of malicious file changes, which they claim results in a very low number of false positives. This enables CryptoDrop to remain robust despite significant variations in the functionality of different families of ransomware.
- File type changes – through the use of “magic numbers”, it is possible to detect significant changes in the data type of a file. As files generally retain their data types over their lifetimes – eg, text documents don't change into graphic files and emails don't change into movie files – bulk changes in file types can be taken as an indicator of compromise.
- Similarity measurement – strong encryption produces content that is completely dissimilar to the original content which can be measured using sdhash. A low score indicates a high probability that a file has been encrypted.
- Entropy – based on previous research into using entropy to classify ransomware, the researchers have extended this concept to identify encrypted files as an indicator of ransomware activity.
The researchers said that, taken together, the indicators gave a high probability that a process running on a computer was ransomware.
They said they hope that CryptoDrop will reduce the number of victims who have to pay a ransom to retrieve their files, eventually choking off attackers' revenue streams.
Tim Erlin, director of security and IT risk strategist at Tripwire, said the research was promising and “it will be exciting to see how it works in the real world”.
However, he observed, “Limiting the damage an attack can do isn't a new security tactic. Response, as described in this paper, is a valid part of a comprehensive approach to managing security.”
Mark James, security specialist at ESET, praised the research but cautioned that losing even a few files, if they were your most valuable ones, could be a disaster. “Don't get me wrong, I wholeheartedly welcome anything that will help the victim but there are lots of things we can already do to protect against ransomware. It's always mentioned time and again but backup and disaster recovery will protect you against ransomware every time,” he said.
The team is looking for commercial partners to bring CryptoDrop to market.
“This threat is real and growing. If the team behind CryptoDrop have a product that works as well as they say it does, their growth will be explosive,” said Michael Patterson, founder and CEO of Plixer.