Before starting the review of some of the most known strategies to fight Ransomware let me explain why nowadays Ransomware are not “fair” as they were few months ago. Indeed while back at the beginning of 2016 Ransomware writers would assure your data back once paid the ransom, today’s Ransomware writers don’t assure it (there are several paid ransoms with unrecovered files examples just few of them that you might have seen in the news: here, here and here ). This situation has been made possible by users who paid the ransoms during the past months. Those users arose the Ransomware ecosystem reputation by increasing the trust of entire supply chain.
For example, we experienced many infected users saying:
“Ok, I took a ransomware and my backup sucks. Let’s pay the ransom, it only asks for few bucks. I’ll pay more attention next time!”
This user’ behavior increased the Ransomware reputation such as today nobody doubts about paying the ransom and getting back own files. This “well reputation” made possible for “not super skilled” attackers and/or to attackers who wanted to make quick money, to implement “half of the Ransomware (without decryption module)”. This made very angry the whole Ransomware ‘s writer community (which happens to be a professional community) who actually is divided into two main parties: the one who wants to increase the Ransomware reputation by giving back files once the ransom has been payed (usually Ransomware as a service writers) and the one who exploits the Ransomware community reputation writing quick and dirty Ransomware (available on black market as a service as well) who actually won’t give back files once the ransom has paid (usually single hosted Ransomware).
Ok, nice story but how do we fight them?
Today there are two main known strategies so far:
- Try to block the ransomware infection before it “fires up”.
- Try to detect it before it can create a real “damage”.
Methods to try to block a Ransomware infection before it “fires up”.
Three main methods to try to block a Ransomware infection assuming the Malware already landed into victim’s PC are implemented so far:
- Signature Based (AV) Approach
As common virus the known Ransomware own signatures. If the signature (that could be static ore dynamic) matches the sample file, the sample itself is blocked and trashed away.mThis is the romantic approach that will work only for known ransomware. Useless in today’s technology.
- Policy Based Approach
Files executable could not be run from every folder (for example from the e-mail folder or from temporary folders). It could be a first and important way to “decelerate” the infection rate. In fact, many infections happen through “avid clickers” who open untrusted email and/or click on untrusted links. Having them to move the “downloaded file” or to copy the malicious attachment to another destination often helps the “avid clickers” to get distracted and to not get infected.
- Callback Based approach
Every recent Ransomware needs to communicate to external servers to get encryption key or to communicate the infection to the attacker and later on to get back the decryption key. A primitive approach is to detect the callback and to block it avoiding the initial communication.
This approach is hard in the real life since the communication methods can be very brilliant and innovative. Indeed, the communication to command and control could be (just for example) end-to-end encrypted and/or the contacting addresses could be a legitimate hacked domain.
Methods to try to detect it before it can create a real “damage”
Some of the main methods implemented by commercial products try to block the Ransomware Infection once it has been fired up. Following the most implemented strategies.
- Flag processes who read and write too many files too quickly.
This method, is used by MalwareBytes AntiRansomware which is based on Nathan Scott’s CryptoMonitor. It counts how often untrusted processed have modified “a certain number of personal files, under a certain time.” A similar method implemented by Adam Kramer’s hande_monitor tool on the frequency with which processes create handles through which they can access files.
Implementing this method solo could have a tons of false positives (and white/black listing on them). Let’s image Drop Box process or Google Drive during a sync phase. How many file does it modify/delete/create and how quickly does it? Another case example is CAD software who constantly saves tons of partial rendered piece of files before assembling them? It’s clear that this strategy solo has a low chance of success
- Flag processes that changes file’s entropy values
Encrypted files tend to have a more uniform distribution of byte values than other files. Their contents are more uniform. Our tool could compare the file’s entropy before and after the change. If a modified file has higher entropy, it might have gotten encrypted, indicating that the responsible process might be ransomware.
Implementing this method solo you might find issues on real encrypted files and/or on compressed files who tend to have a while flat ad uniform distribution of charset.
- Flag processes who change entropy of selected “untouchable” files.
Specific canary files are dynamically injected into hidden or not hidden folders and monitored. If a process tries to modify them, the process will be considered as malicious.
Implementing this method solo could generate false positives since an unsuspecting user could open the canary file at any time.
- Sync Holing folders
By creating a nested tree of recursive folders to trap single processes Ransomware who will loop into it by consuming a lot of resources but without encrypting any real user file. Once the process (Ransomware process) is identified by one or more techniques as expressed above the system could kill it or suspend it (putting it in holding mode) asking to user what to do.
The Solution?
Ransomware infections are one of the most spread threats in todays’ Internet (foreground internet). They have been evolved over years (a super great paper on the Ransomware evolution could be found here) since the last evolution defined Ransom worm (coined at the beginning of 2016), which includes self-propagating skills, such as for example: infecting public accessible folders and/or running vulnerability scanning on network machine for known exploitable vulnerabilities which will be used in order to propagate itself. The following image shows the activity of used bitcoin address in a Ransomware campaign. As you might observe the average time frame of a Bitcoin address used in a Ransomware fraud is between 0 to 5 days which makes super hard to catch the owner by cross-correlation over multiple transitions.
Presently, there are plenty quick fixes that promise to solve the issue but not a real solver has been released to public (at least as far as I know) so far. At this point I won’t give you the consolidated suggestion to keep up to date your OS and to download the last Antivirus Engine because it really do not matter at all.
Identifying increasing, Threat John Snow Lab’s Research team has combined game changing Data Analytics and Advanced Threat Intelligence, to actively defend the devastating effects caused by ransomware.
