University of Florida researchers say the answer to stopping ransomware is to let it onto your system first
Researchers at the University of Florida claim to have developed technology that can stop ransomware attacks before they cause too much damage.
Ransomware is malware that encrypts the files of an infected system before demanding a ransom, usually payable in Bitcoin, for them to be unlocked. If this isn’t paid, the files are usually lost.
The authors of a paper detailing ‘CryptoDrop’ say many businesses resign themselves to being compromised by ransomware and have set aside budget accordingly, when this needn’t be the case.
While antivirus software can detect ransomware before it installs itself on a targeted system, ‘CryptoDrop’ helps mitigate the assault by actually letting the malware encrypt a number of files before acting.
“Our system is more of an early-warning system,” said Nolen Scaife, one of the authors. “It doesn’t prevent the ransomware from starting … it prevents the ransomware from completing its task … so you lose only a couple of pictures or a couple of documents rather than everything that’s on your hard drive, and it relieves you of the burden of having to pay the ransom.”
“These attacks are tailored and unique every time they get installed on someone’s system. Antivirus is really good at stopping things it’s seen before.
“That’s where our solution is better than traditional anti-viruses. If something that’s benign starts to behave maliciously, then what we can do is take action against that based on what we see is happening to your data. So we can stop, for example, all of your pictures from being encrypted.”
This does mean some files are irrecoverably lost, but only a tiny fraction, the report claims.
“We ran our detector against several hundred ransomware samples that were live and in those cases it detected 100 percent of those malware samples and it did so after only a median of 10 files were encrypted,” continued Scaife.
“About one-tenth of 1 percent of the files were lost,” added Patrick Traynor, another author. “But the advantage is that it’s flexible. We don’t have to wait for that anti-virus update. If you have a new version of your ransomware, our system can detect that.”
Scaife, Traynor and their colleague Kevin Butler at the University of Florida, along with Villanova University’s Henry Carter, claim to have a working prototype and are looking for partners to commercialise CryptoDrop.
New strains have targeted all kinds of software, systems and organisations, including Office 365 and healthcare institutions, but aside from antivirus software that prevents the initial infection, recovery solutions have not yet been developed.
“Any deterrent or recovery from ransomware is a fantastic idea. It’s one of those prolific threats that can quite literally affect anyone and everyone and anything we can do to help or even stop it gets all the support from me,” said Mark James, security expert at ESET.
“But as with anything like this, it relies on uptake and of course cost. This particular method will stop ransomware after it has encrypted a few files; what happens if those ‘few’ files are your most important?
“Don’t get me wrong, I wholeheartedly welcome anything that will help the victim but there are lots of things we can already do to protect against ransomware. It’s always mentioned time and again but backup and disaster recovery will protect you against ransomware every time. It can be low cost, it can be easy, it’s available now and anyone can get it and use it.
“Multi-layered protection is the best way to combat modern-day threats; those layers will include internet security software, firewalls, backup software, updated hardware and operating systems, knowledge and of course common sense. All these things are available to everyone reading this right now to protect your very valuable, often priceless memories or data.”