Identity theft, credit card fraud, password breaches and other hacker attacks have been cast into the shade by news about ransomware lately. According to recent research, crypto viruses were behind 42% of IT security breaches in UK organizations over the course of 2015. Ransomware is trending among all types of cyber criminals. It is growing in the number of infection instances, the number of active variants, and the amount of losses that the victims suffer.
The security industry has been playing catch-up with computer viruses for years. Now that antimalware vendors are confronted with such a serious adversary, they are bound to work a lot harder to devise detection and prevention techniques that will do the trick in ransomware onslaught scenarios.
How to Get Protected from Ransomware:
Just removing the ransomware virus is not a win because the main problem persists regardless: the frozen data has yet to be decrypted. Proactive detection of file-encrypting threats is, therefore, vital in this context. AV companies should invest heavily in tools tasked with thwarting ransomware attacks and preventing the encryption from being launched.
For a ransomware compromise to go all the way, the Trojan needs to successfully perform several actions: scan the target system for personal files based on extension criteria, encrypt a lot of files within a short time span, erase the original data, disable VSS (Volume Snapshot Service), generate and send the private decryption key to a remote Command and Control server, negotiate the ransom details with the victim, etc. No matter how sophisticated and stealthy a malware program is, it cannot entirely hide tracks and behavior as complex as that. The ability to identify this type of activity can help fight ransomware attacks. Dissecting ransomware deployment patterns beyond the commonplace behavioral analysis is what AV companies should focus on; in fact, some vendors have already moved into this territory.
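As an added illustration (not code from the article or from any vendor named in it), the following Python sketch scores a process against the steps just listed over a stream of constructed endpoint events. The event format, the look-back window and the thresholds are assumptions; the point is that the encrypt-then-erase pattern across many file types, combined with shadow-copy removal, is visible in plain file-system and process telemetry.

```python
import os

# Constructed endpoint telemetry, not a real capture: (time_s, pid, op, target).
# The ops mirror the steps the text lists: WRITEs of encrypted output, DELETEs
# of the originals, and an EXEC that removes the Volume Shadow copies.
SAMPLE_EVENTS = [
    (0.0, 4242, "WRITE",  r"C:\Users\alice\Documents\budget.xlsx.locked"),
    (0.1, 4242, "DELETE", r"C:\Users\alice\Documents\budget.xlsx"),
    (0.2, 4242, "WRITE",  r"C:\Users\alice\Pictures\holiday.jpg.locked"),
    (0.3, 4242, "DELETE", r"C:\Users\alice\Pictures\holiday.jpg"),
    (0.4, 4242, "WRITE",  r"C:\Users\alice\Documents\thesis.docx.locked"),
    (0.5, 4242, "DELETE", r"C:\Users\alice\Documents\thesis.docx"),
    (0.6, 4242, "WRITE",  r"C:\Users\alice\Music\track.mp3.locked"),
    (0.7, 4242, "DELETE", r"C:\Users\alice\Music\track.mp3"),
    (0.9, 4242, "EXEC",   "vssadmin.exe delete shadows /all /quiet"),
    (0.5, 1337, "WRITE",  r"C:\Users\alice\Documents\notes.txt"),  # editor save
]

WINDOW_S = 5.0  # look-back window per process (assumed tuning value)


def score_process(events, pid, window=WINDOW_S):
    """Score one process against the pattern; each observed step adds one point."""
    mine = sorted(e for e in events if e[1] == pid)
    if not mine:
        return 0, []
    recent = [e for e in mine if e[0] >= mine[-1][0] - window]
    writes = [e[3] for e in recent if e[2] == "WRITE"]
    deletes = {e[3] for e in recent if e[2] == "DELETE"}
    reasons = []
    # 1. Originals erased right after an encrypted copy was written beside them.
    replaced = [d for d in deletes if any(w.startswith(d) for w in writes)]
    if len(replaced) >= 3:
        reasons.append(f"{len(replaced)} originals replaced within {window}s")
    # 2. Many different personal-file types hit, as an extension sweep would do.
    kinds = {os.path.splitext(d)[1].lower() for d in replaced}
    if len(kinds) >= 3:
        reasons.append(f"{len(kinds)} file types affected: {sorted(kinds)}")
    # 3. Shadow copies removed, taking away the local recovery path.
    for _, _, op, cmd in recent:
        if op == "EXEC" and all(
                t in cmd.lower() for t in ("vssadmin", "delete", "shadows")):
            reasons.append("shadow copies deleted via: " + cmd)
    return len(reasons), reasons


def flag_ransomware(events, threshold=2):
    """Map pid -> reasons for every process scoring at or above threshold."""
    scored = {pid: score_process(events, pid) for pid in {e[1] for e in events}}
    return {pid: r for pid, (s, r) in scored.items() if s >= threshold}
```

Requiring two or more independent signals is what keeps a legitimate editor save (pid 1337 above) from being flagged while the sweeping process (pid 4242) scores on all three.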
Behavior Blockers:
Behavior blockers, modules built into security products, currently have the highest potential for fighting ransomware. The term denotes a virtual layer between your operating system and the processes running on your machine. Essentially, its objective is to continuously monitor the system for suspicious or malicious behavior. If an arbitrary application has no digital signature, adds an autorun entry to the Registry, transmits data over the Internet or launches without a visible user interface, a behavior blocker will keep it from being executed and notify the user of the possible risk. All programs and processes are monitored in real time. They are checked against an extensive cloud database of all known processes and apps that may be harmful.
Instead of running their own executables, some present-day ransomware strains inject their code into regular, trusted processes. This approach makes the injected processes appear legitimate. The technique referred to as “Injection check” should be widely introduced in security software products in order to detect this impostor tactic. If injected code is spotted, the host process is treated as hostile.
A number of behavior blocker modules on the market boast good user reviews. Antimalware and Internet security products by Emsisoft ship with a behavior blocker component. GData utilities feature this functionality as well. Malwarebytes recently launched their Anti-Ransomware beta, which is good news.
The concept of behavior-based detection is not new. It has some traits in common with heuristic analysis, which has shipped with many antivirus solutions for quite a while. Heuristics are good at identifying zero-day malware that hasn’t been cataloged yet, whereas behavioral analysis helps to deal with files or processes that contain legitimate code but perform bad actions. Both techniques are powerful but not perfect. Combining the two would enhance the effectiveness of each and cover most of their weak sides.
Further evolution of behavior blockers is reflected in Kaspersky System Watcher. It analyzes the most relevant data on system events, including information regarding the modification of files. Whenever the tool encounters a dubious application that tries to access a user’s personal files such as documents or photos, it instantly makes a secure backup copy of these objects. Consequently, even if the ransomware manages to slip past the system defenses, infiltrate the computer and encrypt files, it does no lasting damage because the changes can be rolled back.
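An added illustration of the snapshot-and-rollback idea, not Kaspersky’s code or the article’s own: a guard that parks a copy of each protected file before an untrusted process first touches it, then restores everything that process altered once it is judged hostile. The protected extension list and the in-process hook are assumptions; a real product would hook the file system driver rather than rely on the caller.

```python
import os
import shutil
import tempfile
from pathlib import Path

# File types treated as "personal files" in this demo (assumed list).
PROTECTED_EXTS = {".docx", ".xlsx", ".jpg", ".pdf"}


class WriteGuard:
    """Parks a pristine copy of each protected file a process touches."""

    def __init__(self, vault_dir):
        self.vault = vault_dir          # where the pre-change copies live
        self.journal = {}               # pid -> {original_path: backup_path}

    def snapshot(self, pid, path):
        """Hook: call before the process writes, renames or deletes `path`."""
        if os.path.splitext(path)[1].lower() not in PROTECTED_EXTS:
            return False                # not a personal file, nothing to keep
        per_pid = self.journal.setdefault(pid, {})
        if path in per_pid or not os.path.exists(path):
            return False                # first touch already saved, or new file
        backup = os.path.join(self.vault, f"{pid}-{len(per_pid)}.bak")
        shutil.copy2(path, backup)
        per_pid[path] = backup
        return True

    def rollback(self, pid):
        """Verdict malicious: put back every file the process altered."""
        restored = 0
        for path, backup in self.journal.pop(pid, {}).items():
            shutil.copy2(backup, path)  # recreates the file if it was deleted
            restored += 1
        return restored


def demo():
    """pid 7 overwrites a document and deletes it; the guard undoes both.
    Returns (files_restored, recovered_text)."""
    with tempfile.TemporaryDirectory() as root:
        doc = os.path.join(root, "report.docx")
        Path(doc).write_text("quarterly numbers")
        guard = WriteGuard(root)
        guard.snapshot(7, doc)          # fires before the first write
        Path(doc).write_text("ENCRYPTED-GARBAGE")
        guard.snapshot(7, doc)          # later touches are no-ops
        os.remove(doc)                  # the original gets erased as well
        restored = guard.rollback(7)
        return restored, Path(doc).read_text()
```

Only the first touch per file is copied, so the vault cost stays bounded by the number of files a process reaches rather than the number of writes it makes.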
Sandboxing:
Another dependable technology to address ransomware is sandboxing. It is a type of software virtualization that allows running programs and processes in an isolated virtual environment. Applications running in the sandbox usually have restricted access to the user’s data and the system. They lack privileges to make any critical changes. Launching a web browser within the sandbox is a great habit as well, since the overwhelming majority of viruses attack PCs through malicious or compromised web pages. Worthwhile examples include Comodo Internet Security with Sandboxing and the Sandboxing feature in Avast Antivirus.
What else can be done on the security vendors’ end? Improving signature-based detection mechanisms is important for the simple reason that they are much less likely to report false positives.
Conclusion:
Antivirus publishers can and should come up with more technology solutions to combat present-day ransomware and other viruses. There are commendable technologies that should be invested in, developed, refined and introduced to the public. Given the considerable scope of risk emanating from crypto viruses, vendors should not compete but combine efforts and implement new top-notch layers of protection.
This article is written by David Balaban. He is a computer security researcher with over 10 years of experience in malware analysis and antivirus software evaluation. David runs the Privacy-PC.com project, which presents expert opinions on contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures. Follow him: Facebook | Twitter | Google+.