Malware is old news, but recent years have seen an increase in the type known as ransomware. Ransomware locks the affected computer and demands payment from the victim in order to restore their files. Once infected, the victim has few choices but to pay the ransom. In this way, ransomware presents a Gordian knot - a metaphor for a complex problem, one that cannot be ‘untied’ using conventional thinking, so must be ‘cut’.
Kharraz et al. examined characteristics of the most common types of ransomware. The 1,359 samples from 15 ‘families’ of malware cover most of the ransomware observed in the real world between 2006 and 2014. The researchers allowed the malware to run in a controlled laboratory test environment, in which they can limit damage and also monitor the malware behavior. The traits observed in the lab can inform design of detection mechanisms. Fortunately, defending against attacks is not as complicated as previously assumed.
Most ransomware are not very sophisticated. Many types lack the ability to execute a comprehensive attack; they rely on superficial approaches to disabling user access, such as by locking the desktop, rather than more thorough methods like encrypting or deleting files. Several different classes of ransomware cause similar changes in file system activity. Because this pattern is different from the activity of benign – or non-malware – processes, malware activity stands out among file system requests. For example, a system that receives a large number of similar encryption or deletion requests might be infected. A useful protection capability would be to intercept file system requests, then discard or confirm suspicious requests before implementing them. This early detection would also allow an earlier intervention to recover deleted files.
The malware may not be overly complex, but an analysis of ransom payment data suggests cybercriminals who use ransomware have been evolving their financing methods to avoid detection. In order to make tracing more difficult and to improve the portability to other currency, payments are made using Bitcoin, often in small amounts, and receiving Bitcoin addresses are used for only a few transactions over a short time period. The attack software may be simplistic, but the financial side is increasingly deliberate and sophisticated.
There are ways to detect and limit damage from ransomware attacks. With an improved knowledge of the patterns and processes involved in executing a ransomware infection, system managers can focus on improved monitoring and so enhance defenses against this particular malware.
Intercepting suspicious patterns of file system requests would greatly limit the effectiveness of the worst forms of ransomware.