Apr 16, 2018

Ransomware Detection Methods

Ransomware is undoubtedly the biggest threat among modern-day malware. Since the advent of CryptoLocker in 2013, the number of attacks per year has risen constantly. The first quarter of the previous year saw the two biggest ransomware attacks ever, WannaCry and NotPetya.

According to data presented by eSecurity Planet, the number of ransomware attacks in the first quarter of 2017 increased by 62% compared to 2016. The number of detected ransomware samples increased by 2000% in 2017 compared to 2015.

According to Barkly, roughly 60% of all malicious payloads detected in the first quarter of 2017 were ransomware.

The number of mobile ransomware samples has also increased dramatically over the past year. According to Kaspersky, 218,265 new types of mobile ransomware were discovered in Q1 2017. Ransomware has also been exploding on the dark web, with new strains constantly being created for sale. A new model, called ransomware-as-a-service, has become popular: all you need to do is pay, and you get ready-to-use ransomware that you can start distributing via a botnet in a couple of clicks.

Ransomware has also increasingly targeted businesses rather than individuals as of late. The question, then, is what can be done about it. When ransomware first appeared, there was no good way to combat it: CryptoLocker's public-key encryption was essentially impossible to break, and beyond regular backups there was little you could do. But even if an infection halted operations within your company for only a couple of hours, it could still mean huge lost profits. The ideal scenario is to detect a ransomware attack early and stop it completely.

What is ransomware

Ransomware is generally defined as malicious software designed to extract a ransom from users by restricting their access to their own data. The most popular way to restrict access is to encrypt the data, and ransomware that uses encryption is therefore called crypto ransomware. Such ransomware usually employs public-key cryptography that is impossible to crack in practice and targets the file types likely to be most valuable to the user, such as text documents, images and specialized formats.

However, encryption-based ransomware is not the only type of ransomware there is. Other types also exist:

  • Locker ransomware – this type is designed to block the user's access to the system or to specific applications. Such ransomware either replaces the desktop with a custom one, making the real one unavailable, or targets popular apps such as browsers by modifying certain files.
  • Scareware – ransomware that uses scare tactics to force users into paying. It often relies on social engineering and similar tricks. One of the most common tactics is to display a message supposedly from law enforcement that includes personal information such as the user's location and the name of their ISP, making the message more believable. The message demands a "fine" for a made-up offense, such as copyright infringement or viewing child pornography, and threatens the user with jail if they refuse to pay.
  • Fake ransomware – many modern ransomware strains don't even bother encrypting the user's data. Instead, they delete it right away and create a bunch of dummy files to fool the user into thinking their data is still recoverable. Since it is impossible to tell fake ransomware from real ransomware before paying, it is always best never to pay the ransom unless the situation is truly critical.

How ransomware works

There are several ways ransomware gets into your system. The most popular one is infected spam emails, usually distributed by vast botnets. Such an email typically contains a message that uses social engineering techniques to prompt the user to click on an infected link or download the malicious attachment.

Another similar method of spreading ransomware is infected adverts on the web. Once the user clicks on the advert, malicious JavaScript starts running and downloads a payload onto the user's PC. Beyond that, ransomware can also be spread on removable drives, or self-propagate across a network by searching for open ports and unprotected connections.

Perpetrators also use exploit kits to leverage known vulnerabilities and get ransomware into your system. Once there, it phones home (usually without encrypting its network traffic) and then starts looking for certain types of data to encrypt. After the data has been encrypted, a ransom note is displayed.

Ransomware uses various techniques to protect itself from being detected or analyzed, including obfuscation and system mapping designed to distinguish a real system from a honeypot.

How to detect ransomware

While there are ways to mitigate or even prevent some ransomware infections (regular backups and keeping your systems updated), it is always best to be able to detect an infection as it happens and prevent any damage.

Traditional malware detection methods rely on known signatures, which makes them extremely effective against known malware but almost completely useless against unknown strains. Given the number of ransomware variants that appear every day, signature-based detection is clearly not enough to establish reliable protection.

Thus, behavior-based detection is often used. It aims to detect not the malicious file itself but certain attributes and behavioral indicators that point to a specific file as malicious. Such behavior-based detection is supported by advanced data mining and analysis technologies, including machine learning algorithms able to go through large quantities of data and detect anomalies in real time.

When it comes to ransomware, key behavioral indicators include:

  • Encryption API – the majority of ransomware skips reinventing the wheel and simply uses already available encryption APIs to encrypt user data. Often, standard Windows functions such as CryptEncrypt are used. While the use of such a function cannot reliably point to ransomware by itself, it can be combined with other indicators to make detection more reliable.
  • File type change detection – the data within each file can be described by a specific signature (the file's magic bytes). Mass changes in file signatures can be used to detect mass file type changes, which can be taken as an indicator of malicious mass file encryption.
  • Comparing similarities between different versions of a file – another indicator of a file being encrypted is a significant difference between its new and old versions. If hash comparisons show significant differences in many files over a short period of time, this can indicate a ransomware infection.
  • Moving, renaming or deleting files – monitoring changes to the Master File Table (MFT) can lead to the discovery of ransomware. When encrypting files, ransomware often changes the flag of the original file in the table, thus deleting it and overwriting it with the encrypted version. Mass changes to the status of many files in the table can be indicative of a ransomware infection.
  • System mapping activity – ransomware checks certain system parameters to make sure that the targeted endpoint is valid. This can be as simple as checking location and language settings and searching for certain file types, or it can be full system mapping. Any such activity can serve as an indication of ransomware.

These are only some of the indicators that can be used in ransomware detection. Depending on the ransomware type, you may need to detect system locking activity, such as the creation of a new persistent desktop, rather than file operations. Ransomware files can also be scanned for things like ransom note text, while network communications can be checked for the ransomware's attempts to connect to its server.

However, it is worth remembering that no single indicator can be used on its own to reliably detect ransomware. It is only when several indicators are detected together that a behavior analysis system can reliably pinpoint malware.
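As an added example (not code from the original post), the indicator list above and the rule that several indicators must fire together can be expressed as a small scoring pass over endpoint telemetry. The event schema, the API names other than CryptEncrypt, the thresholds and the sample event stream are all constructed assumptions.

```python
from collections import defaultdict

# Assumed file signatures (magic bytes) and API names; only CryptEncrypt is named in the post.
MAGIC = {b"%PDF": "pdf", b"\x89PNG": "png", b"PK\x03\x04": "zip", b"\xd0\xcf\x11\xe0": "ole"}
CRYPTO_APIS = {"CryptEncrypt", "BCryptEncrypt"}
MAPPING_APIS = {"GetUserDefaultUILanguage", "GetGeoInfoW"}
MASS_INDICATORS = {"type_change", "content_diverged", "mass_file_ops"}  # must hit many files

def file_type(head: bytes) -> str:
    """Classify content by its leading bytes (the file signature)."""
    return next((t for magic, t in MAGIC.items() if head.startswith(magic)), "unknown")

def changed_fraction(old: bytes, new: bytes) -> float:
    """Share of header bytes that differ between two versions; 1.0 means nothing in common."""
    n = max(len(old), len(new))
    return sum(a != b for a, b in zip(old.ljust(n, b"\0"), new.ljust(n, b"\0"))) / n if n else 0.0

def indicators_for(event: dict) -> set:
    """Map one telemetry event to the behavioral indicators it fires (possibly none)."""
    kind, fired = event["kind"], set()
    if kind == "api":
        if event["name"] in CRYPTO_APIS:
            fired.add("crypto_api")
        if event["name"] in MAPPING_APIS:
            fired.add("system_mapping")
    elif kind == "write":
        old, new = event["old_head"], event["new_head"]
        if file_type(old) != "unknown" and file_type(new) == "unknown":
            fired.add("type_change")        # signature vanished: file no longer looks like a PDF etc.
        if changed_fraction(old, new) > 0.8:
            fired.add("content_diverged")   # new version shares almost nothing with the old one
    elif kind in ("rename", "delete"):
        fired.add("mass_file_ops")
    return fired

def score_process(events: list, window: float = 30.0, mass_min: int = 5, min_distinct: int = 3):
    """Slide a time window over one process's events. An alert needs several distinct
    indicators at once, and per-file indicators only count once they hit many files."""
    events = sorted(events, key=lambda e: e["ts"])
    best = set()
    for start in events:
        counts = defaultdict(int)
        for e in events:
            if start["ts"] <= e["ts"] <= start["ts"] + window:
                for ind in indicators_for(e):
                    counts[ind] += 1
        fired = {i for i, c in counts.items() if c >= (mass_min if i in MASS_INDICATORS else 1)}
        best = fired if len(fired) > len(best) else best
    return best, len(best) >= min_distinct

def scan(events: list) -> dict:
    """Group constructed telemetry by pid and score each process."""
    by_pid = defaultdict(list)
    for e in events:
        by_pid[e["pid"]].append(e)
    return {pid: score_process(evs) for pid, evs in by_pid.items()}
```

A process that only calls CryptEncrypt (a backup tool, say) scores a single indicator and stays below the alert threshold, which is the point of the paragraph above.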

Behavior analysis systems like this have become the backbone of next-generation antivirus and other anti-malware products, aimed at catching not only ransomware but also other elusive threats such as compromised accounts, fileless malware, insider threats and fraudulent activity.

Protecting yourself from ransomware

Ransomware protection is not something you can set and forget. Instead, it is a layered, continuous process involving multiple types of controls. Having a reliable detection tool is great, but it can only get you so far. Beyond that, you also need to make sure that your software is always up to date and that you always have backups ready in case an attack was not caught early.

Filter network traffic, block ads in corporate browsers, and restrict email attachments to minimize the chance of getting infected. Also make sure that your employees are educated about the dangers of spam emails, social engineering and compromised accounts, and that they thoroughly follow all security policies enacted in your company.

Remember, while combating ransomware initially looks hard, it will strengthen your general security posture, and it will help you immensely when it counts the most: when your data is under threat.


