7

After the recent spread of the WannaCry ransomware - which proved one more time that this kind of attack is capable of causing serious damage and dangerous disruptions to critical services - I asked myself why there is no easy protection against this kind of malware using a heuristic approach.

My reasoning is the following: While the attack vectors of ransomware may be of various kinds, ranging from careless user action to zero-day exploits, the action is always roughly the same: lots and lots of files are opened, encrypted, and then the encrypted file is stored in place of the original one.

I don't have deeper knowledge on the working principles of antivirus protection, but I am led to believe that this kind of action should be detectable relatively easily with a heuristic approach. One could for example watch for processes that perform mass reading and writing operations, with the output files typically having much higher entropy than the input files. Also, one could watch the currently running processes for sending instructions to the CPU which appear to contain encryption steps. Although the latter is probably harder to achieve, I think it should be feasible given the rather small number of widely-spread encryption algorithms.

Without doubt, this would not provide perfect protection against ransomware. When the ransomware has started encrypting, it will take some time until the antivirus kicks in and there may already be some lost files. But of course, it will be better to lose some files instead of losing them all. Also there will be quite a number of false positives, which can be annoying for the user. Then again, some antivirus suites ask for any connected keyboard whether it is really a keyboard and not some manipulated USB device, which I would consider similarly annoying.

When searching online, the only similar approach I was able to find is the software CryptoMonitor, which apparently has been acquired by Malwarebytes. But judging from the little info I was able to collect about it, it seems not to have hit the mass market. Also, I am not aware of any similar approaches from the known antivirus software vendors, or at least I could not find any.

This leads me to the conclusion that my idea for protection against ransomware is just not working. But why wouldn't a heuristic approach work in this case?

ranguwud
  • My understanding is WannaCry used a flaw that was fixed 2 months ago. Do you expect people who don't install Windows updates for 2 months to run state of the art anti virus solutions? – Peter May 14 '17 at 22:20
  • Yes, I do think that this can happen. For instance, I work at a university, where old systems (XP or much older) are still in use to keep old but expensive equipment alive and where many computers are restarted very rarely, preventing updates from being installed properly. Yet, almost all computers have a modern antivirus software, which, however, to my best knowledge has no specific protection against ransomware. If a solution like the one in my question was shipped automatically with the antivirus, it would increase protection a lot in my opinion. – ranguwud May 15 '17 at 08:09

4 Answers

3

There is. Programs like Cybereason Ransomfree claim to do exactly that. From their FAQ:

Cybereason RansomFree watches the way applications interact with files, and when it detects ransomware behavior, it stops it immediately before the files are encrypted. Cybereason RansomFree uses pure behavioral detection techniques and does not rely on malware signatures.

Cybereason RansomFree deploys bait files strategically placed where ransomware often begins its encryption. The solution watches the way applications interact with files, and when it detects ransomware behavior, it stops it immediately before the files are encrypted. Cybereason RansomFree uses pure behavioral detection techniques and does not rely on malware signatures.

I have installed it on my machine. It creates hidden directories with files that it monitors on the desktop and on every partition.

I have not tested its effectiveness yet (e.g. by quickly modifying all the files in one of those directories).

Note that this kind of protection may not be a guarantee against all effects of the ransomware, because you have no control over the order in which ransomware processes files (some files will already be encrypted before the attack is detected). Also, if the prevention is based on the rate of the file modifications, the malware may slip through when it throttles its own execution (some variants are known to do that).

  • I believe that there is an even more important problem than the unknown order of files being encrypted: If files are not encrypted in place, but hidden copies are created (until running out of disk space) and after the encryption is done **all** files are overwritten with the copies at once, then the approach will fail. This is why I proposed to watch for processes, which produce more entropy in their output than in files they consume, because this should also be detectable for processes producing encrypted copies and leaving the original files intact for the moment. – ranguwud May 15 '17 at 08:23
  • The *all files are overwritten with the copies at once* would be detected. –  May 15 '17 at 08:25
  • To be sure, it would. But I doubt that the detection would be quick enough. Encryption takes time. Overwriting files just needs an update of the file table, which may be so quick that you have already lost your data when the ransomware is detected. Of course, one can then try to recover files that are not in the file table anymore, but this will be unreliable. – ranguwud May 15 '17 at 08:29
  • I want to try Cybereason RansomFree but I already have an antivirus installed. Will it work together with the anti-virus? I hope it doesn't take too much RAM. – defalt May 15 '17 at 20:33
  • I think so, yes. I have Windows Defender running. No, it hardly takes RAM. –  May 15 '17 at 20:41
3

I do not think it will work because it will generate too many false alarms.

The behavior to be monitored is the behavior of many legit applications:

  1. compression/archiving tools
  2. a web browser which saves a lot of cached data locally (compressed, in general)
  3. any software which caches data
  4. any software which can do batch operations (e.g. image/sound alterations)
  5. database software (IO-intensive operations)
  6. even manually moving folders with many files can raise the alarm

Plus, for ransomware to be effective it does not need to encrypt the entire file; it is sufficient to encrypt only a few hundred or thousand bytes at the beginning of the file.

valentin
1

The technology has existed for decades now. It's called file integrity monitoring, usually part of some HIDS/HIPS offering.

The implementations vary, but long story short you have a daemon running in the background that watches for changes to files you specify, then generates an alert when the hash of the file differs from that previously recorded.

In the case of ransomware you'd create "canary" files ('readme.txt', etc.) amongst your valuable data and watch for changes to them. If they change in any way, whether from user tampering or a batch ransomware sweep, you'd get an alert (hopefully) early on in the process and could intervene and mitigate further damage. It doesn't matter if it encrypts the entire file or just the header-- the file changed either way, thus the hash changes and it becomes worthy of an alert.

Very few employers I've worked for bothered with it though. Maybe it will make a comeback in light of recent events.

Ivan
  • A FIM solution is used as an auditing tool to alert humans about any changes made to a file so that they can review the changes. It cannot prevent a change from taking effect and can seldom be useful in a ransomware situation. By the time a human receives the alert, the ransomware would've encrypted all of the files. – Sreeraj Oct 22 '20 at 12:52
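A minimal canary-file monitor in the spirit of this answer's FIM description and the bait files from the RansomFree answer above, added here as an example; it is not code from either answerer, from Cybereason, or from any FIM product. It plants canary files under each watched directory, records their SHA-256 digests, and reports any canary that is later modified or missing. The canary names, the canary text and the `on_alert` hook are assumptions chosen for the demo. A size-only comparison is included alongside to show the point both answers make: overwriting just the first few bytes of a file leaves its size unchanged but still changes its hash.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Assumed canary names: one sorts first and one last in a directory listing,
# so a sweep that walks files in name order touches a canary early.
CANARY_NAMES = ("00_readme.txt", "zz_backup_notes.txt")
CANARY_TEXT = b"Canary file. Do not edit; a change here triggers an alert.\n"


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large canaries are fine too."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class CanaryMonitor:
    """Plant canary files under each root, record size and hash, report changes."""

    def __init__(self, roots: Iterable[Path],
                 on_alert: Optional[Callable[[Path, str], None]] = None):
        self.on_alert = on_alert
        self.baseline: Dict[Path, Tuple[int, str]] = {}
        for root in roots:
            for name in CANARY_NAMES:
                p = Path(root) / name
                p.write_bytes(CANARY_TEXT)
                self.baseline[p] = (p.stat().st_size, sha256_file(p))

    def check(self) -> List[Tuple[Path, str]]:
        """Return (path, reason) for every canary that is missing or whose hash changed."""
        findings = []
        for p, (_, digest) in self.baseline.items():
            if not p.exists():
                reason = "missing"
            elif sha256_file(p) != digest:
                reason = "modified"
            else:
                continue
            findings.append((p, reason))
            if self.on_alert:
                self.on_alert(p, reason)  # where an automated response would hook in
        return findings

    def size_only_check(self) -> List[Path]:
        """Weaker check for comparison: a header-only overwrite keeps the size."""
        return [p for p, (size, _) in self.baseline.items()
                if p.exists() and p.stat().st_size != size]


def demo() -> dict:
    """Constructed scenario in a temporary directory; returns what the monitor saw."""
    alerts: List[Tuple[str, str]] = []
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "data.txt").write_text("valuable data\n")
        mon = CanaryMonitor([root], on_alert=lambda p, r: alerts.append((p.name, r)))
        clean = len(mon.check())

        # Overwrite only the first 16 bytes of one canary, in place: size is unchanged.
        target = root / CANARY_NAMES[0]
        with target.open("r+b") as f:
            f.write(b"\x00" * 16)
        header = mon.check()
        size_only = mon.size_only_check()

        # Second sweep: the other canary is deleted outright.
        (root / CANARY_NAMES[1]).unlink()
        second = mon.check()

        return {"clean": clean,
                "header_hits": [r for _, r in header],
                "size_only_hits": len(size_only),
                "second": sorted(r for _, r in second),
                "alerts": len(alerts)}


if __name__ == "__main__":
    print(demo())
```

The `on_alert` callback is the place that matters for Sreeraj's objection: a monitor that only writes a log line arrives after the damage, so whatever automated response is acceptable on a given host (for example, disconnecting a share or halting the machine) has to be wired in there and the check has to run far more often than a human reads alerts.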
0

I think your approach would work, especially the following part:

with the output files typically having much higher entropy than the input files

This must be true for all ransomware.

Your other ideas, such as looking at processes that open lots of files, or consume a lot of IO bandwidth, depend on the ransomware. I'd doubt that clever ransomware would run full throttle - it wants to keep itself hidden until it has encrypted a large percentage of the files on the system, in order to make the extortion work. So it can't just start encrypting files as fast as it can - that will make the system noticeably slower. So it might take its time and might not behave noticeably differently from other processes that read and write a lot of data.

Watching CPU instructions for encryption steps is probably not feasible. The most glaring problem with it is that this would considerably slow down all operations your system carried out (not just slightly - I'd assume by maybe a factor of 100 or more). Also, identifying encryption algorithms based on the CPU instructions that are running is most likely a hard problem - and if it worked, you'd need to somehow make an exception for processes that are allowed to encrypt and decrypt data.

But if I wanted to write a ransomware detector, I'd probably use a heuristic approach just like you imagine, only simpler: I'd define a set of files to watch, and then periodically measure their entropy. If several of them suddenly had increased entropy (e.g: turned into basically random data), I'd immediately alert the user and, if possible, shut the system down.

Out of Band
  • " I'd define a set of files to watch, and then periodically measure their entropy. If several of them suddenly had increased entropy" - MD5 sig should suffice. – John Dvorak May 15 '17 at 07:35
  • @Pascal I agree with your opinion about the performance of different checks. But there is one flaw with the bait files you propose: If files are not encrypted in place, but hidden copies are created (until running out of disk space) and after the encryption is done **all** files are overwritten with the copies at once, then your approach will fail. This is why I proposed to watch for processes, which produce more entropy in their output than in files they consume. – ranguwud May 15 '17 at 08:17
  • You're right, that's a really good point. In fact, that's probably how ransomware *should* be written in order to ensure that it also works on copy-on-write file systems such as btrfs. So... add a heuristic that measures the rate of free disk space consumption? If it approaches zero without any hiccups, start warning the user. This would actually have the advantage that it would be detectable BEFORE any files get overwritten. – Out of Band May 15 '17 at 18:27
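The entropy heuristic from the question (a process whose output has much higher entropy than its input) and the simpler variant in this answer (periodically measure the entropy of a watched set of files), as an added worked example that is not code from either poster. It computes Shannon entropy in bits per byte, keeps a baseline for a watched set and flags files whose entropy jumps, and additionally scans for newly created high-entropy files, which is where the copy-then-overwrite variant discussed in the comments becomes visible before any original is touched. The thresholds, file names and the use of pseudo-random bytes as a stand-in for ciphertext are assumptions made for the demo.

```python
import math
import random
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, Iterable, List


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: roughly 4-5 for text, close to 8.0 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def random_bytes(n: int, seed: int) -> bytes:
    """Deterministic pseudo-random bytes, standing in for ciphertext in the demo."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


class EntropyWatcher:
    """Record a baseline entropy for a set of files and flag large upward jumps."""

    def __init__(self, paths: Iterable[Path], jump: float = 2.0, min_files: int = 3):
        self.jump = jump            # bits/byte increase that counts as suspicious (assumed)
        self.min_files = min_files  # flagged files needed before alerting (assumed)
        self.baseline: Dict[Path, float] = {
            p: shannon_entropy(p.read_bytes()) for p in paths
        }

    def scan(self) -> List[Path]:
        """Files whose entropy rose by more than `jump`, or which disappeared."""
        flagged = []
        for p, base in self.baseline.items():
            if not p.exists() or shannon_entropy(p.read_bytes()) - base > self.jump:
                flagged.append(p)
        return flagged

    def alert(self) -> bool:
        return len(self.scan()) >= self.min_files


def new_high_entropy_files(root: Path, known: Iterable[Path],
                           threshold: float = 7.0) -> List[Path]:
    """Unknown files under `root` that already look like ciphertext: the
    'encrypt into hidden copies, overwrite later' pattern shows up here first."""
    known_set = {p.resolve() for p in known}
    return [p for p in root.iterdir()
            if p.is_file() and p.resolve() not in known_set
            and shannon_entropy(p.read_bytes()) > threshold]


def demo() -> dict:
    """Constructed scenario in a temporary directory; returns the watcher's verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        docs = []
        for i in range(6):
            p = root / f"report{i}.txt"
            p.write_text(f"Quarterly figures, draft {i}. " * 200)
            docs.append(p)
        watcher = EntropyWatcher(docs, jump=2.0, min_files=3)
        before = watcher.alert()

        # Benign edit: appending a line changes the hash but barely moves the entropy.
        docs[0].write_text(docs[0].read_text() + "Reviewed and approved.\n")
        benign = len(watcher.scan())

        # Ransomware-like event: four documents replaced in place by random bytes.
        for i, p in enumerate(docs[1:5]):
            p.write_bytes(random_bytes(len(p.read_bytes()), seed=i))
        hit = len(watcher.scan())
        alert = watcher.alert()

        # Copy-then-overwrite variant: high-entropy copies appear next to the originals.
        for i in range(3):
            (root / f".tmp{i}").write_bytes(random_bytes(4096, seed=100 + i))
        copies = len(new_high_entropy_files(root, docs))

        return {"before": before, "benign": benign, "hit": hit,
                "alert": alert, "new_copies": copies}


if __name__ == "__main__":
    print(demo())
```

The same `shannon_entropy` function is what a process-level version of the question's idea would apply to the bytes a process reads and writes; the file-based watcher here trades that visibility for not needing any hooks into the OS. The benign append in the demo is why the watcher looks at the size of the entropy jump rather than at whether the file changed at all: a hash (or the MD5 signature suggested in the comments) flags every edit, while an entropy jump of several bits per byte is specific to a file being replaced by something ciphertext-like.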