Ransomware creates turmoil every day - for individuals and for enterprises. But there is encouraging news. Ransomware, by its very nature, tips its hand with characteristics that make it predictable and recognisable. These distinct features enable advanced security tools to detect and defeat ransomware before files are frozen and ransoms demanded.
Almost as old as the internet itself
With the large number of ransomware attacks that have surfaced in recent years, many people have mistakenly believed that it's a new threat, and one that is impossible, or at least very difficult, to prevent.
Yes, ransomware is a significant problem, and one that has grown rapidly during recent years. But it is not new, nor is it unstoppable. Ransomware has been around since at least 1989, and has been thoroughly studied since that time.
As part of this research, my colleagues and I conducted a study where we analysed 1359 ransomware samples from 15 different families. These samples came from multiple sources, including manual and automatic crawling of public malware repositories, and from Lastline's Global Threat Intelligence Network. All in all, the dataset included the majority of all ransomware observed in the wild at the time.
The Achilles' Heel of ransomware – it must identify itself
The analysis of the data set revealed that although a majority of the ransomware samples used some sort of evasion and stealth technologies to evade detection, many were not very sophisticated in nature. A large percentage of the samples used only rudimentary methods to lock the computer or its files, and a surprising number didn't encrypt the victim's files at all. But even among those samples that contained sophisticated evasion and locking techniques, weaknesses were found. In fact, they all contained traits that were discoverable by a good detection engine.
Perhaps the biggest shortcoming we found is that all ransomware is very predictable in that it must contain a number of very specific characteristics. In particular, all ransomware has, and will always have, a ransom note—and therein lies its Achilles' heel. Unlike other forms of malware, ransomware always contains this one very distinguishable and easily detectable component. It must inform the victim of the attack, and provide instructions for paying the ransom.
Typical behaviours of all ransomware
Ransomware's need for a payoff note is significant for malware protection systems. It provides a constant and narrow set of activities to look for. Conveniently, the ever-present ransom note isn't the only predictable behaviour. We found several additional behaviours that appeared consistently across the samples because they are needed to orchestrate the ransom, including activities to handle payment, anonymise all communications, and perform the actual encryption and decryption functions.
Security controls benefit from all of these predictable behaviours. Leading malware protection tools can readily and accurately detect these activities as malicious and part of a ransom plot. The following is a partial list of ransomware behaviours that an advanced malware protection tool can detect:
- The presence of a ransom note
- Replacing the machine's wallpaper
- Blocking access to the victim's desktop
- Searching network drives or directories to discover targets
- Encryption / decryption capabilities
- Internet activities to orchestrate payment and file decryption
- Removing capabilities to perform a system restore
- Disabling Windows Update features
- Terminating Task Manager and similar controls
- Turning off error reporting
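To make concrete what "detecting these activities" means for the ransom note (the Achilles' heel described above) and for the behaviours in the list, here is an added example of a small behaviour-scoring engine. It is not code from the study or from Lastline's products; it assumes a sandbox that emits a trace of file, registry, process and service events (the `Event` shape, the rule names, the weights and the verdict threshold are all illustrative choices), and the two traces it analyses are constructed in the script rather than recorded from real malware.

```python
"""Behaviour-based ransomware scoring over a constructed sandbox event trace (added example)."""
import math
import random
import re
from collections import Counter
from dataclasses import dataclass

# Vocabulary typical of a ransom note; a production engine would use a larger, tuned list.
RANSOM_TERMS = re.compile(
    r"\b(decrypt|decryption|bitcoin|btc|ransom|your files|private key|payment|pay)\b", re.I)


@dataclass
class Event:
    kind: str           # assumed sandbox event kinds: file_write | registry_set | process | service_stop
    target: str         # file path, registry value path, command line or service name
    data: bytes = b""   # file content, only meaningful for file_write


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted or random data approaches 8.0, ordinary text sits near 4-5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_ransom_note(ev: Event) -> bool:
    """A newly written human-readable file that talks about decryption and payment."""
    if ev.kind != "file_write" or not ev.target.lower().endswith((".txt", ".html", ".hta")):
        return False
    text = ev.data.decode("utf-8", errors="ignore")
    distinct_terms = {m.lower() for m in RANSOM_TERMS.findall(text)}
    return len(distinct_terms) >= 3


def high_entropy_rewrites(trace, threshold: float = 7.0, min_files: int = 8) -> bool:
    """Many files rewritten with near-random content is the footprint of bulk encryption."""
    hits = sum(1 for ev in trace if ev.kind == "file_write" and shannon_entropy(ev.data) > threshold)
    return hits >= min_files


# Single-event rules mapped to the behaviours listed in the article (indicator names are illustrative).
SINGLE_EVENT_RULES = {
    "wallpaper_replaced": lambda ev: ev.kind == "registry_set"
        and ev.target.lower().endswith(r"control panel\desktop\wallpaper"),
    "system_restore_removed": lambda ev: ev.kind == "process"
        and re.search(r"vssadmin(\.exe)?\s+delete\s+shadows", ev.target, re.I) is not None,
    "windows_update_disabled": lambda ev: ev.kind == "service_stop" and ev.target.lower() == "wuauserv",
    "task_manager_disabled": lambda ev: ev.kind == "registry_set"
        and ev.target.lower().endswith("disabletaskmgr"),
    "error_reporting_disabled": lambda ev: ev.kind == "registry_set"
        and r"windows error reporting\disabled" in ev.target.lower(),
}

# Illustrative weights: the ransom note and bulk encryption dominate; a lone wallpaper change is benign.
WEIGHTS = {"ransom_note": 5, "mass_encryption": 4, "wallpaper_replaced": 1, "system_restore_removed": 3,
           "windows_update_disabled": 1, "task_manager_disabled": 2, "error_reporting_disabled": 1}


def analyse(trace, verdict_threshold: int = 6) -> dict:
    """Return the matched behaviours, an aggregate score and a ransomware verdict for one trace."""
    matched = set()
    if any(is_ransom_note(ev) for ev in trace):
        matched.add("ransom_note")
    if high_entropy_rewrites(trace):
        matched.add("mass_encryption")
    for name, predicate in SINGLE_EVENT_RULES.items():
        if any(predicate(ev) for ev in trace):
            matched.add(name)
    score = sum(WEIGHTS[name] for name in matched)
    return {"matched": sorted(matched), "score": score, "ransomware": score >= verdict_threshold}


def build_constructed_trace() -> list:
    """Constructed trace imitating the article's behaviours; the seed keeps it reproducible."""
    rng = random.Random(1)
    trace = [Event("file_write", rf"C:\Users\alice\Documents\report{i}.docx.locked",
                   bytes(rng.getrandbits(8) for _ in range(2048))) for i in range(10)]
    note = (b"ALL YOUR FILES HAVE BEEN ENCRYPTED. To decrypt them, send payment in Bitcoin "
            b"and we will provide the private key.")
    trace += [
        Event("file_write", r"C:\Users\alice\Documents\HOW_TO_DECRYPT.txt", note),
        Event("registry_set", r"HKCU\Control Panel\Desktop\Wallpaper"),
        Event("process", "vssadmin.exe delete shadows"),
        Event("service_stop", "wuauserv"),
        Event("registry_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"),
        Event("registry_set", r"HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Disabled"),
    ]
    return trace


def build_benign_trace() -> list:
    """Constructed trace of ordinary user activity, including a legitimate wallpaper change."""
    return [
        Event("file_write", r"C:\Users\alice\Documents\notes.txt", b"Meeting at 10am, bring the Q3 numbers."),
        Event("registry_set", r"HKCU\Control Panel\Desktop\Wallpaper"),
        Event("service_stop", "Spooler"),
    ]


if __name__ == "__main__":
    print(analyse(build_constructed_trace()))
    print(analyse(build_benign_trace()))
```

The point of the weighting is the one the article makes: the ransom note and the bulk high-entropy rewrites are the behaviours that only ransomware exhibits, so either of them nearly decides the verdict on its own, while a wallpaper change or a stopped service only adds corroboration and never convicts a benign trace by itself.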
Although the amount of ransomware has greatly increased in recent years and we must take it seriously, it should not create unwarranted fear or concern. With comprehensive and reliable backup procedures, organisations can recover from a ransomware incident with relative ease. Even better, by using advanced malware detection solutions that are designed to analyse files for behaviour indicative of ransomware, companies can defeat the attacks before they're even launched.
Contributed by Dr Engin Kirda, co-founder and chief architect, Lastline
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.
 Full results of the study can be found in “Cutting the Gordian Knot: A Look Under the Hood of Ransomware Attacks” by Dr Engin Kirda, Amin Kharraz, William Robertson, Davide Balzarotti, and Leyla Bilge.