Security researchers have developed what they claim to be an “early warning detection system” that can stop ransomware in its tracks. CryptoDrop was developed by University of Florida and Villanova University boffins and presented at a recent IEEE conference on distributed computing systems. Rather than inspecting the malware’s code or execution, it watches what a process does to the user’s files and flags ransomware-like behaviour, primarily through three indicators.
These are: bulk modification of data; “similarity measurement”, where ransomware-encrypted data is completely dissimilar to the file’s original content; and entropy, since encrypted data is expected to be “naturally high entropy.” Secondary indicators include bulk deletion of files, and “file-type funnelling”, when an app reads a hugely disparate set of file types but then writes just a single type. No single indicator is conclusive on its own (already-compressed formats such as JPEG or ZIP are high-entropy before any encryption, and a legitimate backup or archiving tool reads many file types), which is why the system scores the indicators in combination rather than alerting on any one of them.
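The indicators above, scored per process over a stream of file events, as an added example written for this page (it is not the researchers’ CryptoDrop code). The thresholds, the Jaccard similarity over byte 4-grams that stands in for the similarity digest the paper uses, the alert score, and the two simulated processes (a text editor appending a line, and a ransomware-like process that reads every document, writes ciphertext to a single `.locked` extension and deletes the originals) are all assumptions constructed for the demonstration.

```python
"""Toy behaviour-based ransomware detector modelled on CryptoDrop's indicators.

Added example, not the researchers' code. Thresholds, the shingle-based
similarity measure and the simulated processes are assumptions.
"""
import hashlib
import math
import os
from collections import defaultdict

# Assumed thresholds; the paper tunes its own values.
ENTROPY_THRESHOLD = 7.0      # bits/byte; ciphertext sits close to 8.0
SIMILARITY_THRESHOLD = 0.10  # Jaccard below this counts as "completely dissimilar"
BULK_THRESHOLD = 5           # distinct files one process touches
ALERT_SCORE = 3              # primary-indicator hits before we block a process


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or constant input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def similarity(a: bytes, b: bytes, k: int = 4) -> float:
    """Jaccard similarity of k-byte shingles (stand-in for a similarity digest)."""
    sa = {a[i:i + k] for i in range(len(a) - k + 1)}
    sb = {b[i:i + k] for i in range(len(b) - k + 1)}
    if not sa and not sb:
        return 1.0
    return len(sa & sb) / len(sa | sb)


class Monitor:
    """Tracks per-process file activity and scores CryptoDrop-style indicators."""

    def __init__(self):
        self.procs = defaultdict(lambda: {
            "written": set(), "deleted": set(),
            "read_types": set(), "write_types": set(), "primary_hits": 0,
        })

    def on_read(self, pid: int, path: str) -> None:
        self.procs[pid]["read_types"].add(os.path.splitext(path)[1])

    def on_write(self, pid: int, path: str, before: bytes, after: bytes) -> list:
        """Score one write. `before` is the file's previous content (b"" if new).
        Returns the names of the primary indicators this write triggered."""
        p = self.procs[pid]
        hits = []
        if shannon_entropy(after) > ENTROPY_THRESHOLD:
            hits.append("high-entropy")
        if before and similarity(before, after) < SIMILARITY_THRESHOLD:
            hits.append("dissimilar")
        p["written"].add(path)
        p["write_types"].add(os.path.splitext(path)[1])
        if len(p["written"]) >= BULK_THRESHOLD:
            hits.append("bulk-modification")
        p["primary_hits"] += len(hits)
        return hits

    def on_delete(self, pid: int, path: str) -> None:
        self.procs[pid]["deleted"].add(path)

    def secondary_indicators(self, pid: int) -> list:
        """Secondary indicators: reported for context, never block on their own."""
        p = self.procs[pid]
        hits = []
        if len(p["deleted"]) >= BULK_THRESHOLD:
            hits.append("bulk-deletion")
        if len(p["read_types"]) >= 3 and len(p["write_types"]) == 1:
            hits.append("file-type-funnelling")  # many types in, one type out
        return hits

    def should_block(self, pid: int) -> bool:
        return self.procs[pid]["primary_hits"] >= ALERT_SCORE


def fake_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """XOR with a SHAKE-256 keystream: deterministic, high-entropy output."""
    ks = hashlib.shake_256(key).digest(len(plaintext))
    return bytes(x ^ y for x, y in zip(plaintext, ks))


def simulate() -> dict:
    """Constructed scenario: one editor process and one ransomware-like process."""
    mon = Monitor()
    # Constructed victim corpus: six low-entropy documents of five types.
    exts = [".txt", ".docx", ".jpg", ".xlsx", ".pdf", ".txt"]
    docs = {f"/home/u/doc{i}{ext}": b"quarterly report text " * 200
            for i, ext in enumerate(exts)}
    editor, ransom = 101, 202
    # Benign edit: append one line to one file (similar content, low entropy).
    path = "/home/u/doc0.txt"
    mon.on_read(editor, path)
    mon.on_write(editor, path, docs[path], docs[path] + b"\nnew paragraph\n")
    # Ransomware-like: read every type, write ciphertext to one type, delete originals.
    for path, content in docs.items():
        mon.on_read(ransom, path)
        mon.on_write(ransom, path + ".locked", b"", fake_encrypt(content, b"k"))
        mon.on_delete(ransom, path)
    return {"editor": mon.should_block(editor), "ransom": mon.should_block(ransom),
            "ransom_secondary": mon.secondary_indicators(ransom)}
```

In the write-new-file-then-delete pattern simulated here the similarity indicator never fires, because a freshly created file has no previous content to compare against; a family that encrypts in place instead trips “dissimilar” on the very first overwrite, which is why the detector keeps the secondary indicators (bulk deletion, funnelling) as corroboration rather than relying on any one primary signal.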
The researchers claim that CryptoDrop stops ransomware from executing with a median loss of only 10 files out of nearly 5100 available files on the test system.
“Our experiments test CryptoDrop against 492 real-world ransomware samples (representing 14 distinct families, the largest study of encrypting ransomware to date) and find a 100% detection rate with as few as zero victim files lost before detection. With few files lost, the burden to pay for victims of ransomware is reduced or removed, protecting users and dismantling the economy of attackers.”
Security experts gave the findings a cautious welcome.
“Don’t get me wrong, I wholeheartedly welcome anything that will help the victim, but there are lots of things we can already do to protect against ransomware. It’s always mentioned time and again, but backup and disaster recovery will protect you against ransomware every time,” said ESET security specialist Mark James.
“It can be low cost, it can be easy, it’s available now and anyone can get it and use it. Multi-layered protection is the best way to combat modern-day threats; those layers will include internet security software, firewalls, backup software, updated hardware and operating systems, knowledge and of course common sense.”
AlienVault security advocate Javvad Malik added that firms should take a unified approach that looks for different behaviours across the network and host machines.
“This includes communication established with command and control centers or files changed locally. In order to stay up to date with the methods and infrastructure that attackers are using, timely and reliable threat intelligence plays a crucial role,” he argued.
“This is particularly important as attackers will often change their tactics in response to evolving defenses, in the classic cat-and-mouse game we have witnessed in cybersecurity over the years.”