CryptoLocker returns after Operation Tovar
CryptoLocker returns after Operation Tovar

A long-term study of ransomware found that most of the threats spreading in the wild are not as scary or sophisticated as many of us may have feared according to researchers from Northeastern University and Lastline Labs, both in the US, and Institut Eurecom and Symantec Research Labs, both in France.

There were 1359 samples taken from 15 different 'families' of ransomware collected from 2006 to 2014 and analysed.  The study stated: “Our results show that, despite a continuous improvement in the encryption, deletion and communications techniques in the main ransomware families, the number of families with sophisticated destructive capabilities remains quite small.”

Researchers Amin Kharraz, William Robertson, Davide Balzarotti, Leyla Bilge and Engin Kirda presented the paper, “Cutting the Gordian Knot: A Look Under the Hood of Ransomware Attacks” at the 12th Conference on Detection of Intrusions and Malware & Vulnerability Assessment last week in Milan.

In the vast majority of cases, ransomware only attempts to lock the victim's computer or encrypt or delete files using superficial techniques. Only 5.3 percent of the samples studied used file encryption as part of their attack – the balance took the easier route of locking the victim's computer and deleting key files.

As a consequence, stopping ransomware attacks is not as complex as has been reported and by monitoring abnormal file system activity, it would be possible to stop a large number of ransomware attacks, “even those using sophisticated encryption capabilities”.

Even zero-day attacks can be detected and prevented by looking at I/O requests and protecting the Master File Table (MFT) in the NTFS file system, the researchers claimed.

For instance, one mitigation strategy would be to monitor Windows API calls. This is based on the observation that many ransomware samples use Windows API calls. “Those API calls can be used to model the application behaviour and train a classifier to detect suspicious sequences of Windows API calls. This approach is not necessarily novel, but it would allow us to stop a large number of ransomware attacks that are produced with little technical effort,” the paper said.

Another mitigation strategy takes advantage of the fact that ransomware causes significant changes in file system activities such as a large number of similar encryption and deletion requests. “By closely monitor[ing] the MFT table, one can detect the creation, encryption or deletion of files. For example, when the system is under a ransomware attack, a significant number of status changes occur in a very short period of time in MFT entries of the deleted files,” they said.

“Encrypted files create a large number of MFT entries with encrypted content in the $DATA attribute of files that do not share the same path,” they added, making it possible to train a classifier to recognise this activity.

“Unlike recent discussions in security community about ransomware attacks, our analysis suggests that implementing practical defence mechanisms is still possible, if we effectively monitor the file system activity for example the changes in Master File Table (MFT) or the types of I/O Request Packets (IRP) generated on behalf of processes to access the file system. We propose a general methodology that allow us to detect a significant number of ransomware attacks without making any assumptions on how samples attack users' files,” the researchers concluded.

Many experts within the security community were not surprised to hear that many ransomware packages were simple in action but questioned how easy it would be to implement the researchers' proposals.