Active Ransomware Protection: How Exactly Antivirus Software Blocks Ransomware?


How to Actively Protect Against Ransomware

So, if you keep tabs on the anti-malware market, you probably know about the new and growing epidemic called ransomware.

According to all predictions and market research, this is not something that will go away; on the contrary, we will see a steady rise in ransomware infections and more creative ransom demands.

We have an article about ransomware, but basically the concept is very simple:

A hacker takes control of your files and encrypts all your data, and unless you pay up (in most cases via Bitcoin) within a limited time frame, you will not regain access to your original files.

Before I talk about ransomware protection, it is very important to mention that no protection is bulletproof and you should always have an active and redundant backup plan, which in this case means actually backing up all your data.

Active Ransomware Protection

Traditional Malware and Ransomware Detection

Anti-malware and antivirus software will try to quarantine the ransomware file by comparing it against a signature database of known, documented ransomware.

This is done by computing the MD5/SHA256 hash of the malware or its payload and looking it up in a database of hashes of known ransomware.

Signature Database

Some programs go a step further (heuristic scanning) by comparing parts and segments of the ransomware code with already classified and documented ransomware.

Sandbox Ransomware Analysis

In this method, the antivirus software executes the ransomware file in a specialized, controlled environment (a virtual machine). This lets the antivirus program inspect all of the file's behavioural activity while isolating the ransomware from the PC and from the data that needs to be protected.

If the antivirus software observes activities that are considered malware/ransomware-related (replication, file overwrites, hiding its own activity), or if one of the virus-like behavioural flags is detected, the process is flagged for termination.

Heuristic Ransomware Analysis

Active Ransomware Protection

If the traditional detection methods fail, we have to rely on other means to mitigate the data loss, so it is advised to use several methods in order to “trap” the ransomware activity.

We are talking about proactive functions and monitoring that detect ransomware activity even when we are attacked by 0-day ransomware that can't be detected by traditional signature-based protection.

High Risk Folder Monitoring

Monitoring high-risk folders (for example, My Documents or the Desktop) means watching whether a new process alters files at an unnatural rate (reading or overwriting too many files too quickly), so that the security program can block or flag the process immediately.

High Risk Folder Monitoring

Increase in File Renames

File renames are not a common task when you monitor the activity of a normal PC user or a shared network storage.

When ransomware strikes, you will probably see a dramatic increase in the number of file renames per second.

Setting a local threshold on this value can trigger a user alert and block the process that renames the files.

File Renames

Entropy Values

When a file is encrypted, its byte values follow a much more uniform distribution, so its entropy is higher.

If a modified file has a higher entropy than before, it might have been encrypted, and the process should be blocked or flagged immediately.

In this demo you can see a visual analysis of two binary files.

The first image is a plain Word file and the second image is a file encrypted by ransomware.

You can clearly see that the entropy visualization of the encrypted file is much more uniform.
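As an added example (not code from the original article), this Python snippet computes the Shannon entropy that the visualization reflects and applies the "modified file became high-entropy" check to constructed samples; the thresholds are assumptions to tune locally. It also covers a caveat the article does not show: a file that was already high-entropy before the process touched it (an archive or a JPEG) would be a false positive, so the check compares entropy before and after the modification rather than looking at the new content alone.

```python
import math
import random
from collections import Counter

HIGH_ENTROPY = 7.5  # bits per byte; assumed threshold (8.0 is the maximum)
MIN_JUMP = 1.5      # assumed minimum rise between the old and the new content

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(before: bytes, after: bytes) -> bool:
    """True if a modified file became near-uniform AND rose sharply in entropy.
    The second condition avoids flagging files that were already high-entropy
    (zip, jpeg, ...) before the process touched them."""
    e_before, e_after = shannon_entropy(before), shannon_entropy(after)
    return e_after >= HIGH_ENTROPY and e_after - e_before >= MIN_JUMP

def pseudo_random_bytes(n: int, seed: int) -> bytes:
    """Deterministic stand-in for ciphertext: seeded uniform random bytes."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))

# Constructed samples: a document-like text file, its "encrypted" version,
# and an archive-like file that was already high-entropy before modification.
DOC_TEXT = ("Quarterly report: revenue grew 4% while costs stayed flat. " * 80).encode()
ENCRYPTED_LIKE = pseudo_random_bytes(len(DOC_TEXT), seed=7)
ARCHIVE_LIKE = pseudo_random_bytes(len(DOC_TEXT), seed=11)

if __name__ == "__main__":
    for name, data in [("document", DOC_TEXT), ("encrypted", ENCRYPTED_LIKE)]:
        print(f"{name:10s} entropy = {shannon_entropy(data):.2f} bits/byte")
    print("document -> encrypted flagged:", looks_encrypted(DOC_TEXT, ENCRYPTED_LIKE))
    print("archive  -> encrypted flagged:", looks_encrypted(ARCHIVE_LIKE, ENCRYPTED_LIKE))
```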

Entropy Value of a Word File

Entropy Value of an Encrypted File

Honeypot Files

This involves placing decoy files, some hidden and some visible, at random locations in high-risk folders or network paths and monitoring access to these files/folders.

If a process tries to alter the file, it will be blocked and quarantined.
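The high-risk folder monitoring, rename-rate threshold and honeypot file rules described above, combined into one small event-scoring monitor as an added example (not code from the article or from any product it names). The folder paths, decoy file name, threshold and event stream are all constructed; a real deployment would feed it file-system events from a minifilter or audit log.

```python
from collections import defaultdict, deque

RENAMES_PER_WINDOW = 10   # assumed local threshold; tune per environment
WINDOW_SEC = 1.0          # sliding window for the per-process rename counter
# Constructed paths: two high-risk folders and one decoy (honeypot) file inside them.
HIGH_RISK = (r"C:\Users\alice\Documents", r"C:\Users\alice\Desktop")
DECOYS = {r"C:\Users\alice\Documents\~budget_backup.xlsx"}

def in_high_risk(path: str) -> bool:
    return any(path.lower().startswith(p.lower()) for p in HIGH_RISK)
class RansomwareMonitor:
    def __init__(self):
        self.renames = defaultdict(deque)  # pid -> timestamps of recent renames
        self.blocked = set()

    def feed(self, ts: float, pid: int, op: str, path: str) -> str:
        """Score one event; returns 'ok', 'blocked', 'block:decoy' or 'block:rate'."""
        if pid in self.blocked:
            return "blocked"
        # Honeypot rule: any modification of a decoy file blocks the process at once.
        if op in ("write", "rename", "delete") and path in DECOYS:
            self.blocked.add(pid)
            return "block:decoy"
        # Rate rule: too many renames inside a high-risk folder within the window.
        if op == "rename" and in_high_risk(path):
            recent = self.renames[pid]
            recent.append(ts)
            while ts - recent[0] > WINDOW_SEC:  # drop timestamps outside the window
                recent.popleft()
            if len(recent) > RENAMES_PER_WINDOW:
                self.blocked.add(pid)
                return "block:rate"
        return "ok"

def run(events):
    """Feed (ts, pid, op, path) events in time order; return the blocking verdict per pid."""
    mon, verdicts = RansomwareMonitor(), {}
    for ts, pid, op, path in events:
        verdict = mon.feed(ts, pid, op, path)
        if verdict.startswith("block:"):
            verdicts[pid] = verdict
    return verdicts
# Constructed stream: normal user (100), mass renamer (200), decoy toucher (300), bulk rename outside high-risk folders (400).
DOCS = HIGH_RISK[0]
EVENTS = (
    [(10.0 + i * 8, 100, "rename", f"{DOCS}\\draft{i}.docx") for i in range(5)]
    + [(50.0 + i * 0.03, 200, "rename", f"{DOCS}\\report{i}.docx.locked") for i in range(15)]
    + [(60.0, 300, "write", f"{DOCS}\\~budget_backup.xlsx")]
    + [(70.0 + i * 0.01, 400, "rename", f"C:\\Temp\\tmp{i}") for i in range(20)]
)
```

Running `run(EVENTS)` blocks only pids 200 and 300; the slow user and the bulk rename in a non-monitored folder stay unblocked, which is the trade-off the threshold and folder scope buy you.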

Honeypot Folder

Honeypot File

Sacrificial Disk/Network Path

This creates a local or remote folder containing millions of randomly generated files in a very deep folder structure, which slows down the ransomware process and triggers security alerts.

You can improve this method further by limiting the bandwidth available to this resource, for example by mounting the drive/folder behind a slow network connection (a router with bandwidth management, or a long-distance Wi-Fi link subject to interference).

Because ransomware scans the file system in 0-9, A-Z order, it will be busy for hours or even days building the list of files it needs to encrypt.

This gives you a heads-up to mitigate the attack, or even to shut down your PC as a countermeasure.

Limit Bandwidth by Distance

Ransomware Sinkholes – Infinitely Recursive Directories

This creates an infinite directory structure in the Windows file system, so that when ransomware traverses the file structure to build the list of files it needs to encrypt, it gets stuck because there are always more folders to scan.

Infinitely Recursive Directories

Summary

Please bear in mind that the bad guys are getting smarter: they keep discovering new ways to improve ransomware and to adjust its values/thresholds to bypass active ransomware protection.

It will always be a game of trial and error, but the attackers will seek out the weakest point.

If your environment is secure enough, the attackers will simply move on to the next victim.

And again, it is very important to have a good and redundant backup strategy with endpoint security that blocks malware from reaching your computer in the first place.

Some examples of endpoint security products with active ransomware detection are Bitdefender, Norton Security and Malwarebytes.

By Ami Zivov

A cyber-security expert and researcher

A cyber-security expert with many years of experience in the field. Ami does the majority of our hands-on testing, he writes and contributes to our antivirus reviews, and he leads the innovation for improving our readers’ experience on the site.
