Ransomware Always Tips Its Hand


By Engin Kirda

Almost as Old as the Internet Itself

With the large number of ransomware attacks that have surfaced in recent years, many people have mistakenly come to believe that it is a new threat, and one that is impossible, or at least very difficult, to prevent.

Yes, ransomware is a significant problem, and one that has grown rapidly during recent years. But it is not new, nor is it unstoppable. Ransomware has been around since at least 1989, and has been thoroughly studied since that time.

As part of this research, my colleagues and I conducted a study in which we analyzed 1,359 ransomware samples from 15 different families. These samples came from multiple sources, including manual and automatic crawling of public malware repositories, and from Lastline’s Global Threat Intelligence Network. All in all, the dataset included the majority of all ransomware observed in the wild at the time.

The Achilles’ Heel of Ransomware – It Must Identify Itself

The analysis of the dataset revealed that although a majority of the ransomware samples used some sort of evasion and stealth technique to avoid detection, many were not very sophisticated in nature. A large percentage of the samples used only rudimentary methods to lock the computer or its files, and a surprising number didn’t encrypt the victim’s files at all. But even among the samples that contained sophisticated evasion and locking techniques, weaknesses were found. In fact, they all contained traits that were discoverable by a good detection engine.

Perhaps the biggest shortcoming we found is that all ransomware is very predictable in that it must contain a number of very specific characteristics. In particular, all ransomware has, and will always have, a ransom note—and therein lies its Achilles’ heel. Unlike other forms of malware, ransomware always contains this one very distinguishable and easily detectable component. It must inform the victim of the attack, and provide instructions for paying the ransom.

Typical Behaviors of All Ransomware

Ransomware’s need for a payoff note is significant for malware protection systems. It provides a constant and narrow set of activities to look for. Conveniently, the ever-present ransom note isn’t the only predictable behavior. We found a number of additional behaviors that were consistently present in the malware in order to orchestrate the ransom, including activities to handle payment, anonymize all communications, and perform the actual encryption and decryption functions.

Security controls benefit from all of these predictable behaviors. Leading malware protection tools can readily and accurately detect these activities as malicious and part of a ransom plot. The following is a partial list of ransomware behaviors that an advanced malware protection tool can detect:

  • The presence of a ransom note
  • Replacing the machine’s wallpaper
  • Blocking access to the victim’s desktop
  • Searching network drives or directories to discover targets
  • Encryption / decryption capabilities
  • Internet activities to orchestrate payment and file decryption
  • Removing capabilities to perform a system restore
  • Disabling Windows Update features
  • Terminating Task Manager and similar controls
  • Turning off error reporting
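The behavior list above, together with the point that every sample must announce itself with a ransom note, can be turned into a simple behavior-based triage rule. The following is an added example, not code from the study or from Lastline: it runs a handful of pattern rules over constructed sandbox-style events (the event tuple format, the regular expressions, the behavior names and the verdict thresholds are all assumptions chosen for this illustration) and reports which of the listed behaviors were observed.

```python
"""Behavior-based ransomware triage over sandbox-style events.

Added illustration, not the paper's or Lastline's code. The event format,
patterns and thresholds below are assumptions made for this example.
"""
import re
from typing import Dict, List, Tuple

# Constructed event format: (event_type, detail) as a sandbox might emit it.
Event = Tuple[str, str]

# One rule per behavior from the post's list: (event_type, regex, behavior name).
RULES = [
    ("file_write", r"(?i)(how[_ ]?to[_ ]?decrypt|readme.*decrypt|restore.*files|ransom)", "ransom_note"),
    ("file_content", r"(?i)(files have been encrypted|decryption key|pay.*bitcoin)", "ransom_note"),
    ("registry_write", r"(?i)control panel\\desktop\\wallpaper", "wallpaper_change"),
    ("registry_write", r"(?i)disabletaskmgr", "taskmgr_disabled"),
    ("process", r"(?i)taskkill.*(taskmgr|procexp)", "taskmgr_disabled"),
    ("registry_write", r"(?i)windows error reporting\\disabled", "error_reporting_off"),
    ("process", r"(?i)vssadmin.*delete shadows|wmic.*shadowcopy.*delete", "system_restore_removed"),
    ("process", r"(?i)(sc config|net stop).*wuauserv", "windows_update_disabled"),
    ("file_write", r"(?i)\.(locked|encrypted|crypt)$", "encryption_activity"),
    ("dir_enum", r"^\\\\", "network_share_enumeration"),
    ("network", r"(?i)\.onion|tor", "anonymized_payment_channel"),
]

# Constructed sample of a ransomware-like run (not a real sample trace).
RANSOMWARE_EVENTS: List[Event] = [
    ("file_write", r"C:\Users\victim\Documents\report.docx.locked"),
    ("file_write", r"C:\Users\victim\Documents\HOW_TO_DECRYPT_FILES.txt"),
    ("file_content", "Your files have been encrypted. Pay 1 bitcoin to receive the decryption key."),
    ("registry_write", r"HKCU\Control Panel\Desktop\Wallpaper"),
    ("registry_write", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"),
    ("process", "vssadmin.exe delete shadows /all /quiet"),
    ("process", "sc config wuauserv start= disabled"),
    ("registry_write", r"HKLM\Software\Microsoft\Windows\Windows Error Reporting\Disabled"),
    ("network", "connect http://paymentportal.onion/"),
    ("dir_enum", r"\\fileserver\share"),
]

# Constructed sample of ordinary user activity: editing a document, changing wallpaper.
BENIGN_EVENTS: List[Event] = [
    ("file_write", r"C:\Users\victim\Documents\report.docx"),
    ("registry_write", r"HKCU\Control Panel\Desktop\Wallpaper"),
    ("process", "notepad.exe"),
]


def match_behaviors(events: List[Event]) -> Dict[str, List[str]]:
    """Map each observed behavior name to the event details that triggered it."""
    found: Dict[str, List[str]] = {}
    for etype, detail in events:
        for rtype, pattern, name in RULES:
            if etype == rtype and re.search(pattern, detail):
                found.setdefault(name, []).append(detail)
    return found


def classify(events: List[Event], min_behaviors: int = 3) -> Tuple[str, List[str]]:
    """Return (verdict, sorted behavior names).

    A ransom note plus at least one supporting behavior is treated as
    ransomware, since the note is the component every sample must carry.
    Several supporting behaviors without a note are flagged as suspicious
    (e.g. a sample that locks but never writes its note), otherwise benign.
    """
    behaviors = sorted(match_behaviors(events))
    if "ransom_note" in behaviors and len(behaviors) >= 2:
        return "ransomware", behaviors
    if len(behaviors) >= min_behaviors:
        return "suspicious", behaviors
    return "benign", behaviors


if __name__ == "__main__":
    for label, events in (("ransomware-like", RANSOMWARE_EVENTS), ("benign", BENIGN_EVENTS)):
        verdict, seen = classify(events)
        print(f"{label}: verdict={verdict}, behaviors={seen}")
```

The point of the thresholds is that a single behavior such as a wallpaper change is common in normal use and must not trigger on its own, whereas the ransom note is rarely seen outside an attack and so carries most of the weight; a production engine would add file-entropy and mass-rename signals, but the shape of the logic is the same.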

Although the amount of ransomware has greatly increased in recent years and we must take it seriously, it should not create unwarranted fear or concern. With comprehensive and reliable backup procedures, organizations can recover from a ransomware incident with relative ease. Even better, by using advanced malware detection solutions that are designed to analyze files for behavior indicative of ransomware, companies can defeat the attacks before they’re even launched.

About Engin Kirda

Dr. Engin Kirda is chief architect at Lastline, which he co-founded in 2011, and a full professor of computer science at Northeastern University in Boston. Dr. Kirda has co-authored more than 100 published research papers.
