So, if you keep tabs on the anti-malware market, you probably know about the new and growing epidemic called ransomware.
According to all predictions and market research, this is not something that will go away; on the contrary, we will see a steady rise in ransomware infections and more creative ransom demands.
We have an article about ransomware, but basically the concept is very simple:
An attacker takes control of your files and encrypts all your data, and unless you pay up (in most cases via bitcoin) within a limited time frame, you will not regain access to your original files.
Before I talk about ransomware protection, it is very important to mention that no protection is bulletproof and you should always have an active and redundant backup plan, which in this case means actually backing up all your data.
Anti-malware and antivirus products will try to quarantine the ransomware file by comparing it to a signature database of documented ransomware.
This is done by comparing the hash (MD5/SHA256) of the malware or its payload against a database of known ransomware hashes.
Some products use a more advanced methodology (heuristic scanning) that compares parts and segments of the ransomware code to ransomware that has already been classified and documented.
In sandbox analysis, the antivirus software executes the suspicious file in a specialized, controlled environment (a virtual machine), which lets the antivirus program inspect all of the file's behaviour while isolating it from the PC and from the data that needs to be protected.
If the antivirus software observes activity that is considered malware/ransomware-related (replication, file overwrites, hiding ransomware activity), or if one of the virus-like behavioural flags is raised, the process is flagged for termination.
If the traditional detection methods fail, we have to rely on other means to mitigate the data loss, so it is advisable to use several methods in order to "trap" the ransomware activity.
We are talking about proactive functions and monitoring that detect ransomware activity even when we are attacked by 0-day ransomware that can't be detected by signature-based traditional protection.
Monitoring high-risk folders (for example My Documents or Desktop) means watching whether a new process alters files at an unnatural rate (reading or overwriting too many files too quickly), so that the security program can block or flag the process immediately.
File renames are not a common operation when you monitor the activity of a normal PC user or a shared network storage.
When ransomware strikes, you will probably see a dramatic increase in the number of file renames per second.
Setting a local threshold on this value can trigger a user alert and block the process that is renaming the files.
When a file is encrypted, its byte values have a more uniform distribution (its contents have higher entropy).
If a modified file has higher entropy than before, it may have been encrypted, and the process should be blocked or flagged immediately.
The demo shows a visual analysis of two binary files: the first image is a simple Word file and the second is a file encrypted by ransomware.
You can clearly see that the entropy visualization of the encrypted file is much more uniform.
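The entropy check described above, as an added example that is not part of the original article: it computes the Shannon entropy of a byte string, flags buffers that are close to uniform, and compares a file's entropy before and after a modification. The sample inputs are constructed here (they are not the files from the article's demo images), and the 7.5 bits/byte and 2.0 bits/byte cut-offs are assumed tuning values. The caveat a practitioner should keep in mind: already compressed formats (zip, docx, jpeg, png) also have near-uniform bytes, so an entropy check on its own produces false positives and is best combined with the rate-of-change heuristics.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte.

    0.0 means every byte is identical; 8.0 means all 256 byte values occur
    equally often, which is what ciphertext (and random data) looks like.
    """
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    """Flag a buffer whose byte distribution is close to uniform.

    The 7.5 bits/byte cut-off is an assumption chosen for this example.
    Already compressed formats (zip/docx/jpeg/png) also score this high, so a
    real monitor would combine this with the before/after comparison below and
    with the rename-rate heuristics rather than acting on it alone.
    """
    return shannon_entropy(data) >= threshold


def entropy_jump(before: bytes, after: bytes, min_increase: float = 2.0) -> bool:
    """True when a modified file's entropy rose sharply, i.e. readable or
    structured content was replaced by near-random bytes (the 2.0 bits/byte
    minimum increase is likewise an assumed tuning value)."""
    return shannon_entropy(after) - shannon_entropy(before) >= min_increase


# Constructed sample inputs (not the files from the article's demo images).
PLAINTEXT_SAMPLE = b"Quarterly report: revenue grew 4% over the previous quarter.\n" * 64

# Deterministic stand-in for ciphertext: SHA-256 output is, for this purpose,
# indistinguishable from uniform random bytes and keeps the example reproducible.
CIPHERTEXT_LIKE_SAMPLE = b"".join(
    hashlib.sha256(b"example-seed-%d" % i).digest() for i in range(128)
)


if __name__ == "__main__":
    for label, blob in (("plaintext", PLAINTEXT_SAMPLE), ("ciphertext-like", CIPHERTEXT_LIKE_SAMPLE)):
        print(f"{label:16s} {len(blob):5d} bytes  entropy={shannon_entropy(blob):.3f}  "
              f"flag={looks_encrypted(blob)}")
    print("entropy jump on overwrite:", entropy_jump(PLAINTEXT_SAMPLE, CIPHERTEXT_LIKE_SAMPLE))
```

Running the block prints an entropy of roughly 4 bits/byte for the text and close to 8 for the ciphertext-like buffer; the before/after comparison is the more useful signal in practice, because it fires only when a file that used to be structured suddenly becomes random-looking.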
Decoy files are another trap: this method involves placing decoy files, some hidden and some visible, at random locations in high-risk folders or network paths and monitoring access to these files and folders.
If a process tries to alter a decoy file, it is blocked and quarantined.
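Both the rename-rate threshold on high-risk folders and the decoy-file rule, as one added example that is not part of the original article: a small monitor consumes a stream of file-system events and blocks a process either when it alters a decoy file or when it renames/overwrites more files under a high-risk folder than a sliding-window threshold allows. The folder list, decoy paths, process names, threshold (20 events in 2 seconds) and the event stream itself are all constructed assumptions for this example; a real product would take these events from a file-system filter driver and make the policy configurable.

```python
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Set

# Assumed policy values for this example; a product would make these configurable.
HIGH_RISK_DIRS = (r"C:\Users\alice\Documents", r"C:\Users\alice\Desktop")
DECOY_FILES = {
    r"C:\Users\alice\Documents\~budget_2016_backup.xlsx",   # visible decoy
    r"C:\Users\alice\Desktop\.zz_canary\notes.txt",         # decoy in a hidden folder
}
WRITES_PER_WINDOW = 20      # renames/overwrites tolerated per process per window
WINDOW_SECONDS = 2.0


@dataclass
class FileEvent:
    ts: float        # seconds since the monitor started
    pid: int
    process: str
    op: str          # "read", "write" (create/overwrite) or "rename"
    path: str


@dataclass
class Alert:
    ts: float
    pid: int
    process: str
    reason: str


class RansomwareActivityMonitor:
    """Consumes file-system events and blocks a process when either rule fires."""

    def __init__(self, threshold: int = WRITES_PER_WINDOW, window: float = WINDOW_SECONDS):
        self.threshold = threshold
        self.window = window
        self._recent: Dict[int, Deque[float]] = defaultdict(deque)   # pid -> event timestamps
        self.alerts: List[Alert] = []
        self.blocked: Set[int] = set()

    @staticmethod
    def _under_high_risk_dir(path: str) -> bool:
        p = path.lower()
        return any(p.startswith(d.lower() + "\\") for d in HIGH_RISK_DIRS)

    def observe(self, ev: FileEvent) -> str:
        """Returns "allowed" or "blocked" for this event."""
        if ev.pid in self.blocked:
            return "blocked"
        if ev.op not in ("write", "rename"):
            return "allowed"   # reads are only logged; alterations are what these rules score
        # Rule 1: any alteration of a decoy file is enough on its own.
        if ev.path in DECOY_FILES:
            self._block(ev, f"altered decoy file {ev.path}")
            return "blocked"
        # Rule 2: too many renames/overwrites under a high-risk folder inside the window.
        if self._under_high_risk_dir(ev.path):
            recent = self._recent[ev.pid]
            recent.append(ev.ts)
            while recent and ev.ts - recent[0] > self.window:   # drop events that fell out of the window
                recent.popleft()
            if len(recent) >= self.threshold:
                self._block(ev, f"{len(recent)} renames/overwrites within {self.window}s "
                                f"under a high-risk folder")
                return "blocked"
        return "allowed"

    def _block(self, ev: FileEvent, reason: str) -> None:
        self.blocked.add(ev.pid)
        self.alerts.append(Alert(ev.ts, ev.pid, ev.process, reason))


def constructed_events() -> List[FileEvent]:
    """Constructed event stream: a normal user, a mass-renaming process and a decoy touch."""
    events = []
    for i in range(5):   # pid 1001 edits five documents over ~40 s: normal behaviour
        events.append(FileEvent(10.0 * i, 1001, "WINWORD.EXE", "write",
                                rf"C:\Users\alice\Documents\report{i}.docx"))
    for i in range(25):  # pid 2002 (constructed name) renames 25 files in half a second
        events.append(FileEvent(60.0 + 0.02 * i, 2002, "updater.exe", "rename",
                                rf"C:\Users\alice\Documents\invoice{i}.pdf"))
    events.append(FileEvent(70.0, 3003, "helper.exe", "write",   # pid 3003 alters a decoy
                            r"C:\Users\alice\Desktop\.zz_canary\notes.txt"))
    return sorted(events, key=lambda e: e.ts)


def run_demo() -> RansomwareActivityMonitor:
    monitor = RansomwareActivityMonitor()
    for ev in constructed_events():
        monitor.observe(ev)
    return monitor


if __name__ == "__main__":
    for a in run_demo().alerts:
        print(f"t={a.ts:6.2f}s  BLOCK pid={a.pid} ({a.process}): {a.reason}")
```

The normal editing session never accumulates more than one event per window, the renaming process is blocked on its 20th rename (about 0.4 s into its run, well before it finishes), and the decoy rule needs only a single write to fire. The window is per process, which is why the monitor keys its counters by pid rather than by folder.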
Another trap is a local or remote folder containing millions of randomly generated files in a very deep folder structure, which slows down the ransomware process and triggers security alerts.
You can even improve this method by limiting the bandwidth available to this resource: mount the drive/folder behind a slow network connection (a router with bandwidth management, or a long-range Wi-Fi link with interference).
Because ransomware enumerates files and folders in 0-9, A-Z order, it will be busy for hours or even days generating the list of files it needs to encrypt.
This gives you a heads-up to mitigate the attack, or even to shut down the PC as a countermeasure.
A variant of this creates an effectively infinite directory structure in the Windows file system, so when ransomware traverses the tree to build its list of files to encrypt, it gets stuck because there are always more folders to scan.
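The decoy tree and the "always more folders" loop, as an added example that is not part of the original article: the first function builds a deep, wide tree of small random-named files in a temporary directory and adds a directory link at every leaf that points back at the root, which stands in for the junction loop described above (an assumption: on Windows, creating such a link needs the appropriate privilege, and a real deployment would use far larger depth and breadth than the demo values). The second function shows the discipline the defender's own backup and scanning tools need so that the tarpit traps ransomware and not them: it follows directory links but identifies every directory by (st_dev, st_ino) and refuses to enter one twice, counting each re-entry as a detected loop instead.

```python
import os
import random
import tempfile
from typing import Dict


def build_tarpit(root: str, depth: int, breadth: int, files_per_dir: int, seed: int = 0) -> None:
    """Create a deep, wide tree of small random-named files under `root`.

    Every leaf directory also gets a directory link named "loop" pointing back
    at `root`; it stands in for the Windows junction that makes the tree look
    endless (assumption for this example: directory links need privileges on
    Windows, and real deployments use much larger depth/breadth values).
    """
    rng = random.Random(seed)   # seeded so the layout is reproducible
    os.makedirs(root, exist_ok=True)

    def fill(directory: str, level: int) -> None:
        for _ in range(files_per_dir):
            name = f"{rng.randrange(16 ** 8):08x}.docx"   # plausible-looking decoy names
            with open(os.path.join(directory, name), "wb") as fh:
                fh.write(os.urandom(64))
        if level == depth:
            os.symlink(root, os.path.join(directory, "loop"), target_is_directory=True)
            return
        for _ in range(breadth):
            sub = os.path.join(directory, f"{rng.randrange(16 ** 6):06x}")
            os.mkdir(sub)
            fill(sub, level + 1)

    fill(root, 0)


def loop_aware_walk(root: str) -> Dict[str, int]:
    """Traverse `root`, following directory links, without entering the same
    directory twice.  Directories are identified by (st_dev, st_ino), so a link
    that resolves to an already-visited folder is counted as a loop and skipped.
    A walker that followed links without this bookkeeping would re-enter the
    root through every "loop" link and list the same files over and over.
    """
    seen = set()
    stats = {"dirs": 0, "files": 0, "loops": 0}
    stack = [root]
    while stack:
        directory = stack.pop()
        st = os.stat(directory)            # follows links, so a loop resolves to its target
        key = (st.st_dev, st.st_ino)
        if key in seen:
            stats["loops"] += 1
            continue
        seen.add(key)
        stats["dirs"] += 1
        with os.scandir(directory) as entries:
            for entry in entries:
                if entry.is_dir(follow_symlinks=True):
                    stack.append(entry.path)
                elif entry.is_file(follow_symlinks=True):
                    stats["files"] += 1
    return stats


def demo(depth: int = 3, breadth: int = 3, files_per_dir: int = 4) -> Dict[str, int]:
    """Build a small tarpit in a temporary directory and walk it safely.
    Expected: dirs = 1 + breadth + ... + breadth**depth, files = dirs * files_per_dir,
    loops = breadth**depth (one "loop" link per leaf directory)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "decoy_share")
        build_tarpit(root, depth, breadth, files_per_dir)
        return loop_aware_walk(root)


if __name__ == "__main__":
    print(demo())   # {'dirs': 40, 'files': 160, 'loops': 27}
```

With the demo values the tree has 40 directories and 160 files, and the walker reports 27 detected loops (one per leaf) instead of running forever. The same (st_dev, st_ino) bookkeeping is what a backup job needs before it is pointed at a share that contains a trap like this.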
Please bear in mind that the bad guys are getting smarter: they keep finding new ways to improve ransomware and to adjust the values/thresholds so that they bypass active ransomware protection.
It will always be a game of trial and error, but attackers will seek the weakest point.
If your environment is secure enough, the attackers will simply move on to the next victim.
And again, it is very important to have a good and redundant backup strategy, together with endpoint security that blocks malware from reaching your computer in the first place.