Ransom malware could be beaten with simple file-system security, study concludes

Encryption and file deletion programmes not as unstoppable or frightening as some claim


Apparently terrifying ransom Trojans might not be as potent as first thought and could even be countered using relatively simple protection mechanisms, a multi-agency study has concluded.

Amidst a rising tide of reported attacks and warnings from security firms, the paper titled ‘Cutting the Gordian Knot’ by researchers at Lastline Labs, Symantec, Northeastern University, and France-based Institut Eurecom strikes a far more hopeful note.

Instead of looking at the latest and usually intimidating innovations deployed by ransomware, the study considers how this class of threat could be countered. It turns out to be surprisngly easy as long as defences take detailed account of how these malware attacks are engineered.

The first interesting finding is that 94 percent of the attacks uncovered after a thorough trawl of more than 25,000 distinct samples did not used file encryption, relying instead of superficial locking mechanisms and inconvenience to persuade users to pay up. 

The researchers then analysed the inner working of a 1,359 subset, including well-known names such as CryptoLocker, its successor CryptoWall, plus Reveton, Winlock, Kovter and GPcode, almost all developed after 2012.

Surprisingly, only 5.3 percent of this ‘who’s who’ of ransom malware actually encrypted files, with the rest either simply locking the user’s desktop or, in a number of cases, deleting files. A small but growing percentage also stole files, an approach that could offer a glimpse of how this form of malware threat might evolve in the near future.

As to the encryption routines used by the nastiest samples - CryptoLocker for instance - all used a mixture of Windows programming functions to detect where targeted files were located, separating data files from those used by the operating system.

The interesting aspect of this is that these techniques interact with the file system in predictable but unusual ways on Windows NTFS (default since Vista in 2007) and that a program monitoring the Master File Table (MFT) would be able to spot unusual behaviour as it was unfolding and block it.

The key was understanding what was normal behaviour for a filesystem and blocking deviations from those patterns.

Attackers that adjusted by slowing the rate of encryption to avoid detection could even be thwarted by creating and constantly refreshing ‘decoy’ files, effectively tying up the malware encrypting meaningless files.

“Based on our analysis, we conclude that detecting and stopping a large number of destructive ransomware attacks is not as complex as it has been reported and deploying practical defense mechanisms against these attacks is possible due to the engineering of NTFS file system,” wrote the researchers documenting the research.

Although detecting ransomware using filesystem monitoring is not a new idea, the paper goes into a lot of detail as to how ransom malware actually interacts with Windows systems. Although it is possible that some anti-virus programs have tried the technique, none has documented this.

Today, the best advice from almost every anti-virus vendor is to create secure backups that can be used to restore lost or encrypted data plus file encryption to defend against theft.

The analysis laid out in Cutting the Gordian Knot suggests that security vendors could and should be doing a lot more to protect against this sort of threat at a technical level.

One of the authors, Lastline co-founder and Northeastern University. professor Dr Engin Kirda, will present a more detailed view of the findings at the US Black Hat security conference in August.

Find your next job with computerworld UK jobs