Researchers Unleash Ransomware AnnihilationNew Tool Spots File Changes Then Halts Ransomware
Security software isn't doing a great job of detecting the file-encrypting malware known as ransomware. As a result, unless victims have backed up their files in advance, they're faced with either forking over a ransom - and trusting cybercriminals to pay up - or forfeiting their data (see Please Don't Pay Ransoms, FBI Urges).
See Also: HIPAA Audits: A Revised Game Plan
But researchers at the University of Florida and Villanova University say they've developed a defense that takes an unconventional approach to stopping ransomware. The Windows-only software, called CryptoDrop, watches for common tactics wielded by ransomware families, such as targeting photos, presentations, documents and more. Ransomware also acts very differently from legitimate software in that it very quickly makes drastic changes to many files.
"Our solution watches your files to see how they're changing and if they're changing in a way that is indicative of the way ransomware will modify your files," says Nolen Scaife, a graduate student in the Department of Computer Science and Engineering at the University of Florida. "This is really more of an early warning system. We don't make any attempt to stop the ransomware from actually being downloaded and installed and running on your computer."
Spotting Cryptolockers at Work
Ransomware is often missed by anti-virus applications because malware authors use tools known as packers, which compress and change malware executables in a way that leaves functionality intact while generating a new checksum. Many anti-virus programs still heavily rely on preloaded checksums, known as signatures, in order to detect malicious programs. The result is a lot of it gets missed, and computers get infected.
"You change a single bit, and all of the sudden, the SHA256 checksum no longer matches, and it's missed by the detector," says Patrick Traynor, co-director of the Florida Institute for Cybersecurity Research at the University of Florida.
Accordingly, CryptoDrop is designed to look for three indicators which, when seen together, are a strong indication that ransomware is kicking into action. One is a file's entropy, or its randomness. Encrypted content has higher entropy than unencrypted files. Another indicator is the file type. For example, CryptoDrop will notice if a document that was formerly a Word file transforms into something unreadable.
The third characteristic is similarity. Ransomware will often open a file and then encrypt it. CryptoDrop compares the two files - the old one and the new one - and determines whether the second file is a derivative of the first. If one copy is encrypted, "it looks absolutely nothing like the original file," Scaife says, which is a strong sign of ransomware. The trio of indicators appearing at the same time doesn't happen with normal applications, which makes CryptoDrop a strong detector with a low false-positive rate.
If CryptoDrop detects the three indicators, it suspends the suspicious processes associated with the ransomware and warns the user. Traynor and Scaife say they're under no illusion that CryptoDrop is a foolproof, long-term solution to the ransomware epidemic; it's a cat-and-mouse game. But Traynor says the goal of CryptoDrop is to raise the bar high enough that ransomware developers will have to do some tough engineering to avoid triggering all of the indicators and tripping CryptoDrop's defenses.
"We won't deny that this is an arms race and will likely always be an arms race," Traynor says. "I would be cautious of anybody who would claim that they would sell you a 'this work will forever' technique. But that said, we think this is a pretty significant advance."
Pending: Patent and Partners
To date, the software has been tested against 492 ransomware samples downloaded from VirusTotal, which encompassed some 14 families: CryptoDefense, CryptoFortress, CryptoTorLocker, Filecoder, PoshCoder, CTB-Locker, CryptoLocker and a clone of it, TeslaCrypt, CryptoWall, GPcode, Virlock, MBL Advisory and Xorist.
"We took a long time to test this against a wide range of ransomware families to make sure that the claims that we made were grounded in real data and that they reflected what would happen on real systems," Traynor says.
CryptoDrop detected all of the samples, but not without some loss: A median of 10 files out of 5,100 on the test machines were encrypted before CryptoDrop halted the ransomware. Then again, while that result isn't perfect, it's still much better than losing all files.
"Ideally what we're doing is relieving the user of some of the burden of paying the ransom," Scaife says. "And ideally that will choke off some of the revenue stream for ransomware authors."
The software, developed over eight months by Scaife, hasn't yet been reviewed by a third party, Traynor says. But the researchers presented an academic paper describing CryptoDrop at the Institute of Electrical and Electronics Engineers' International Conference on Distributed Computing Systems conference in June in Nara, Japan. The IEEE uses a program committee that reviews papers, and five independent experts reviewed CryptoDrop before the paper was accepted, Traynor says.
The two researchers have now filed for a patent for CryptoDrop and are looking for partners in the security industry to commercialize it. "We felt like this was a potentially complementary approach," Traynor says. "We stress that this could be part of a larger anti-virus or intrusion prevention system."