One of the most prominent threats in the current world of cybersecurity is ransomware. Major ransomware attacks involving never-before-seen strains are constantly on the front pages of news outlets.
One recent example of such an attack is the Bad Rabbit ransomware that hit Ukraine and Russia in late October 2017. Based on the well-known EternalBlue exploit, it targeted old Windows systems that weren’t properly updated. While the exploit itself has already been patched on the latest versions of Windows, users still remain vulnerable if they run legacy systems and fail to apply updates.
Current state of ransomware
Ransomware has gained prominence not only on Windows, but also on macOS, Linux, and popular mobile systems.
Kaspersky Lab estimates that in the first quarter of 2017, 240,799 mobile users became victims of ransomware infection. The US government also reports that the average number of daily ransomware attacks has increased dramatically over the past couple of years, from 1,000 attacks in 2015 to more than 4,000 attacks in 2016.
This increase in the number of attacks corresponds to the increase in popularity of ransomware on the black market. According to Carbon Black, the number of ready-to-use ransomware offerings on the dark web saw a 2,502% increase.
These numbers only prove how easy it is for anyone to conduct ransomware attacks, even without the specific knowledge needed to write such malware.
All of this leads to a high demand for anti-ransomware software capable of detecting and preventing such attacks. However, ransomware protection solutions like this are usually fairly complex and hard to develop, requiring considerable investment and an experienced development team. They often employ behavior-based algorithms coupled with wide system access and system control in order to effectively monitor the state of the OS and block all attacks in real time. Thus, the number of solutions that fit the bill in terms of detecting new ransomware strains is still fairly limited.
Types of ransomware
Generally, ransomware can be defined as malware specifically designed to extract a ransom from its victims. However, numerous different types of ransomware put their own unique spin on this basic idea. All ransomware can be divided into four major groups:
- System lockers – this type of ransomware is focused on denying the user access to their operating system. Usually, a ransom message appears as soon as the system is booted, preventing any use of it.
- Application lockers – this type of ransomware is focused on blocking specific applications. The usual target is the web browser: whenever the user tries to access the internet, a ransom note appears, preventing them from using the browser.
- Encryption ransomware – this is probably the most standard and well-known type. It encrypts data, blocking the user’s access to their files.
- Fake ransomware – this is a particularly nasty type of ransomware that displays a ransom note without any means to undo the damage. Even if the user pays the ransom, they won’t get their files back, because the files are usually deleted rather than encrypted.
All modern types of ransomware stem from the very successful 2013 malware named CryptoLocker. Although the very concept of ransomware appeared as early as the late 80s, and ransomware existed all throughout the 90s and 2000s, it wasn’t until CryptoLocker adopted Bitcoin as an innovative means of paying the ransom that it became popular.
CryptoLocker spread through spam emails, encrypting files on Windows endpoints with a public/private key pair and demanding $400 in ransom, paid via Bitcoin. It was extremely successful, with the amount of paid ransom estimated to be in the vicinity of $3 million.
As a result, a huge number of malware families tried to imitate the success of CryptoLocker, while at the same time expanding and improving upon its design.
Some other prominent ransomware examples include:
- Cryptowall – first appearing in 2014, this ransomware proved extremely successful. One of the main features of Cryptowall is its ability to avoid detection by using various tricks often employed by other Trojans. For example, it creates fake system processes to mask its presence and uses a genuine digital signature.
- Locky – this ransomware uses several advanced techniques to encrypt data and avoid being detected. For example, it uses an encryption algorithm with server-side key generation, rendering unauthorized decryption impossible. It is also capable of encrypting data on all types of storage, including removable and network drives.
- Wannacry – this very famous ransomware took out the UK NHS (National Health Service) in May 2017. It infected more than 230,000 endpoints by using the already mentioned EternalBlue exploit, which was leaked prior to the attack. Although the exploit had been patched, many users failed to update their legacy systems, leaving them vulnerable to the attack.
- Petya – first appearing in 2016, this ransomware has been spreading through spam emails. It infects the Windows boot record and encrypts the main drive’s file system table in order to block user access to the system. Another variation of this strain appeared in 2017. Named NotPetya to distinguish it from the original, it uses the EternalBlue exploit to infect target endpoints.
Ransomware detection via behavior-based algorithms
One of the main dangers of ransomware is the fact that it evolves extremely quickly. As already mentioned, new strains appear almost daily, and traditional signature-based detection methods cannot be used to detect them.
Of course, timely system updates can minimize risks when it comes to dealing with already known malware, while having a fresh backup allows you to minimize the damage in case of an attack. But how do you prevent a ransomware attack from happening in the first place?
A popular approach to ransomware detection is to combine deep system monitoring with machine learning, resulting in a system that can detect new strains of ransomware in real time by searching for certain behavioral patterns.
Although different strains of ransomware use different approaches to obfuscation, encryption, and demanding the ransom, the majority of them display similar behavioral patterns that can be detected. These patterns include:
- Assurance of attack continuation – ransomware needs to ensure that an attack, once initiated, can continue despite any measures the user may take to stop it. This means the malicious payload needs to persist across system reboots, and that any system restore or backup services are disabled.
- Protection from detection – ransomware needs to protect itself from detection and subsequent analysis. This means that code obfuscation and other similar techniques are used to hide the payload. Apart from that, ransomware often employs environmental mapping in order to detect whether it is operating on a real or virtual system. In the latter case, it may shut itself down to prevent security specialists from analyzing the payload. Another purpose of environmental mapping is to confirm that the ransomware is about to attack the correct target, for example, by checking the system language and other identifiers.
- Network usage – ransomware uses the network for various purposes, for example, to download parts of the payload or to fetch encryption keys from a server. It will often use domains with randomly generated names to stay anonymous.
- Privilege escalation – users often lack the level of privilege necessary to do real damage to the system. Thus, ransomware that wants to, for example, overwrite the Master Boot Record often tries to escalate its own level of privilege in order to do so.
- Large number of file operations – encrypting files involves a large number of specific operations, such as appending another extension to the name of each file, or copying and deleting large groups of files.
- Ransom notes within the malware – since ransomware needs to make its demand for ransom known, it will usually contain a ransom message within its files, either in the form of text or an image. Detection of a message like this is a very strong indication that you’re dealing with ransomware.
All of the above behavior can be detected by an anti-malware system, and the associated files can be quarantined or removed.
However, it is important to remember that a single type of behavior does not guarantee that you’re dealing with ransomware, and relying on it alone can lead to false negatives or false positives. To avoid these issues, you need to correctly detect a pattern that consists of several behavioral indicators. This requires analyzing each individual event in the context of the whole event stream in order to establish its connection with other events.
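One way to implement this kind of multi-indicator correlation, as an added example that is not from the article or any product it mentions: the event format, indicator names, entropy threshold and the three-indicator rule are assumptions, and the event stream is constructed. A backup tool that renames many files trips a single indicator and is not flagged, while the process that shows persistence, backup tampering, a DGA-looking domain, mass renames and a ransom note is.

```python
import math
import ntpath
from collections import defaultdict

# Constructed sample event stream (assumed format, not from the article):
# (pid, event_type, detail). pid 4242 behaves like encryption ransomware;
# pid 7 is a legitimate backup tool that also renames many files, so one
# indicator alone must not be enough to flag a process.
EVENTS = [
    (4242, "registry_run_key", r"C:\Users\u\AppData\Roaming\svc.exe"),
    (4242, "backup_service_disabled", "VSS"),
    (4242, "dns_query", "x7k2p9qz4m1w.com"),
    (4242, "file_rename", (r"C:\Users\u\Docs\a.docx", r"C:\Users\u\Docs\a.docx.locked")),
    (4242, "file_rename", (r"C:\Users\u\Docs\b.xlsx", r"C:\Users\u\Docs\b.xlsx.locked")),
    (4242, "file_rename", (r"C:\Users\u\Docs\c.pdf", r"C:\Users\u\Docs\c.pdf.locked")),
    (4242, "file_write", r"C:\Users\u\Docs\HOW_TO_DECRYPT.txt"),
    (7, "dns_query", "backup.example.com"),
    (7, "file_rename", (r"C:\Data\x.doc", r"C:\Data\x.doc.bak")),
    (7, "file_rename", (r"C:\Data\y.doc", r"C:\Data\y.doc.bak")),
    (7, "file_rename", (r"C:\Data\z.doc", r"C:\Data\z.doc.bak")),
]

def label_entropy(name):
    """Shannon entropy (bits/char) of the leftmost DNS label; random names score high."""
    label = name.split(".")[0].lower()
    probs = [label.count(c) / len(label) for c in set(label)]
    return -sum(p * math.log2(p) for p in probs)

def indicators_by_pid(events):
    """Map each pid to the set of distinct behavioral indicators it has shown."""
    found, renames = defaultdict(set), defaultdict(int)
    for pid, etype, detail in events:
        if etype == "registry_run_key":                      # persistence across reboots
            found[pid].add("persistence")
        elif etype == "backup_service_disabled":             # restore/backup tampering
            found[pid].add("backup_tampering")
        elif etype == "dns_query" and len(detail.split(".")[0]) >= 10 \
                and label_entropy(detail) > 3.5:             # DGA-looking domain
            found[pid].add("dga_domain")
        elif etype == "file_rename":                         # extension appended to files
            if ntpath.splitext(detail[0])[1] != ntpath.splitext(detail[1])[1]:
                renames[pid] += 1
                if renames[pid] >= 3:
                    found[pid].add("mass_rename")
        elif etype == "file_write" and any(
                k in ntpath.basename(detail).upper() for k in ("DECRYPT", "RANSOM")):
            found[pid].add("ransom_note")                    # ransom note dropped
    return found

def classify(events, threshold=3):
    """Flag a pid only when several distinct indicators co-occur in its event stream."""
    found = indicators_by_pid(events)
    return {pid: len(found[pid]) >= threshold for pid in {e[0] for e in events}}
```

In a real deployment the events would come from a kernel driver or EDR sensor and the indicators would be weighted and time-windowed, but the correlation step is the same.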
Ransomware prevention via early blocking
Behavior analysis is not the only way to protect against ransomware. Another solution is to block potentially malicious software outright, without trying to identify it via behavioral indicators.
Malware often uses the same techniques to attack the system. These techniques include, for example, DLL or process injection, which can be blocked outright. This immediately prevents the damage and avoids resource-intensive behavior analysis.
However, the main challenge of this approach is that the anti-malware solution needs to be able to distinguish between legitimate and malicious use of hooks and injections. If this challenge is solved, this method can prove extremely successful at preventing damage from ransomware.
While the threat of ransomware is very significant, it doesn’t mean that we don’t have the necessary means to deal with it.
There are several solutions available that focus on detecting zero-day ransomware attacks and preventing the damage. The most effective are hybrid solutions that combine behavioral analytics, statistics, and proactive blocking of certain potentially harmful actions, both to minimize the number of false positives and false negatives and to provide you with reliable defenses.
Another way to deal with ransomware is to use several solutions at once, provided they are compatible with each other.