Researchers Develop A Way To Stop Ransomware By Watching The Filesystem (phys.org)
An anonymous reader quotes a report from Phys.Org: Ransomware -- what hackers use to encrypt your computer files and demand money in exchange for freeing those contents -- is an exploding global problem with few solutions, but a team of University of Florida researchers says it has developed a way to stop it dead in its tracks. The answer, they say, lies not in keeping it out of a computer but rather in confronting it once it's there and, counterintuitively, actually letting it lock up a few files before clamping down on it. "Our system is more of an early-warning system. It doesn't prevent the ransomware from starting [...] it prevents the ransomware from completing its task [...] so you lose only a couple of pictures or a couple of documents rather than everything that's on your hard drive, and it relieves you of the burden of having to pay the ransom," said Nolen Scaife, a UF doctoral student and founding member of UF's Florida Institute for Cybersecurity Research. Scaife is part of the team that has come up with the ransomware solution, which it calls CryptoDrop. "Antivirus software is successful at stopping them when it recognizes ransomware malware, but therein lies the problem," reports Phys.Org. "'These attacks are tailored and unique every time they get installed on someone's system,' Scaife said. 'Antivirus is really good at stopping things it's seen before [...] That's where our solution is better than traditional anti-viruses. If something that's benign starts to behave maliciously, then what we can do is take action against that based on what we see is happening to your data. So we can stop, for example, all of your pictures from being encrypted.' The results, they said, were impressive. 
'We ran our detector against several hundred ransomware samples that were live,' Scaife said, 'and in those cases it detected 100 percent of those malware samples and it did so after only a median of 10 files were encrypted.'" The University of Florida uploaded a video briefly explaining its software.
This is how the FBI will stop people from installing Truecrypt-like software.
1. Your main computer (call it 'right brain') automatically takes a 'VM snapshot' of itself at a point in time.
2. Another computer ('left brain') inspects the VM to check if data files are still accessible
3. If not, left brain 'diffs' the VM with previous 'known-good' VMs to find the source of the problem
4. Swap VMs
5. profit!
"all of your pictures form being encrypted" Now *that's* what I call editing!
That's called "heuristics" and AV has been doing that for quite a while now. And attackers will work around this system the same way they work around heuristics... if your system is freely available, they can download and test their ransomware against it until they can escape notice.
You still lose and it's 100% useless against MBR ransomware.
The software detects the behavior of an application. The detection is probably something like: 'if a process accesses each image file (OpenFile/CreateFile), reads it, creates a new file named "same_name+.encrypted", then deletes the original image file' x 10 times, then that process is likely guilty.
1. What happens if the malware instead uses MapFileView and 10 other potential Win32/kernel32 API combinations? This quickly becomes an arms race and is going to be terrible in terms of system overhead, not to mention the time gap between a new method appearing and the detection software catching it.
2. What about Windows' internal processes that, for example, shadow copy the file? Would the detection software catch them? What about false detection of, say, the disk defragmentation software?
3. Since the system is already compromised, what stops the malware from detecting the countermeasure and just deleting all the files in the system straight out? If that's too obvious, then how about writing a random byte at every x-byte offset into all files? Even if you kill the malware process, you can't be sure that there is no other malware running on the system that can go into revenge mode.
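An added example, written by the editor to illustrate the heuristic the comment above guesses at (it is not CryptoDrop's code and not the commenter's): a per-process detector that scores the "read original, create same_name.encrypted, delete original" cycle and flags a process after ten completed cycles. The event vocabulary, paths and the event stream are constructed for the demo. Process 300 in the sample encrypts in place, which is point 1 of the comment: it never creates or deletes anything, so this particular heuristic never sees it.

```python
"""Added example (editor's illustration, not CryptoDrop's code): a toy
per-process heuristic over a constructed stream of file events that
scores the 'read original -> create <name>.encrypted -> delete original'
pattern and flags a process after THRESHOLD completed cycles."""
import os
from collections import defaultdict
from dataclasses import dataclass

IMAGE_EXTS = {".jpg", ".png"}
ENC_SUFFIX = ".encrypted"
THRESHOLD = 10  # cycles before a process is flagged (the "median of 10 files")


@dataclass(frozen=True)
class Event:
    pid: int
    op: str   # "read", "write", "create" or "delete" (constructed vocabulary)
    path: str


class ReplaceCycleDetector:
    def __init__(self, threshold=THRESHOLD):
        self.threshold = threshold
        self._read = defaultdict(set)      # pid -> originals it has read
        self._shadowed = defaultdict(set)  # pid -> originals with a .encrypted twin
        self.cycles = defaultdict(int)     # pid -> completed cycles
        self.flagged = {}                  # pid -> cycle count when flagged

    def feed(self, ev):
        """Return True once ev.pid should be suspended."""
        if ev.pid in self.flagged:
            return True
        ext = os.path.splitext(ev.path)[1].lower()
        if ev.op == "read" and ext in IMAGE_EXTS:
            self._read[ev.pid].add(ev.path)
        elif ev.op == "create" and ev.path.endswith(ENC_SUFFIX):
            original = ev.path[: -len(ENC_SUFFIX)]
            if original in self._read[ev.pid]:
                self._shadowed[ev.pid].add(original)
        elif ev.op == "delete" and ev.path in self._shadowed[ev.pid]:
            self._shadowed[ev.pid].discard(ev.path)
            self.cycles[ev.pid] += 1
            if self.cycles[ev.pid] >= self.threshold:
                self.flagged[ev.pid] = self.cycles[ev.pid]
                return True
        return False


def run(events):
    """Feed a whole stream; return {pid: originals lost before it was flagged}."""
    det = ReplaceCycleDetector()
    for ev in events:
        det.feed(ev)
    return dict(det.flagged)


def replace_cycle(pid, path):
    return [Event(pid, "read", path),
            Event(pid, "create", path + ENC_SUFFIX),
            Event(pid, "delete", path)]


# Constructed sample stream (not real telemetry).
SAMPLE = []
for i in range(20):   # pid 100: image editor rewriting files in place (benign)
    p = f"/home/u/pics/IMG_{i:03}.jpg"
    SAMPLE += [Event(100, "read", p), Event(100, "write", p)]
for i in range(15):   # pid 200: rename-style ransomware on 15 photos
    SAMPLE += replace_cycle(200, f"/home/u/pics/DSC_{i:04}.jpg")
for i in range(15):   # pid 300: in-place encryptor (point 1 above): same events
    p = f"/home/u/docs/scan{i}.png"   # as the editor, so invisible to this rule
    SAMPLE += [Event(300, "read", p), Event(300, "write", p)]

if __name__ == "__main__":
    print(run(SAMPLE))  # {200: 10}
```

The number in the result is the price of the "let it bite first" approach: ten originals are already gone when the alarm fires, and lowering the threshold trades that against the false positives on editors and archivers that the rest of the thread worries about.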
Check Point can stop it and keep your files intact. It's called Sandblast
You don't need such a thing.
If your box gets hosed, just execute your disaster recovery plan.
If you don't have a disaster recovery plan, use the FL stuff. And wonder whether or not DSC0123456789.jpg was the last pic of healthy-grandma you can't seem to find.
Execute-your-DRP is the answer to ANY computastrophe.
Just have your files backed up on another computer at your house, on a NAS, or online. If you get ransomware then just nuke the computer and restore everything from your backup. Though if you were to combine both the backup and this then you probably wouldn't lose anything as the few modified files between backups aren't likely to be the ones to be encrypted.
I wouldn't suggest backing up to a hard drive connected directly to the computer because the ransomware will also encrypt those files too.
...is if a few of these ransomware authors/operators started turning up dead.
Seriously.
The real solution, of course, is a proper versioning filesystem with a regularly scheduled snapshot - say, once a week, or once a day if you're extra paranoid. You can even cycle the snapshots if you want to cut disk usage down.
Never underestimate the stupidity inherent in all human beings.
Tripwire (and tripwire-like software such as bit9/Carbon Black) has been a thing for years. What's different about this approach?
"Tell me doctor, with all of your defenses, are there any provisions for an attack by killer bees?"
See subject
The only issue I have ever had was in Google Chrome. There a modal dialog can block the ability of the user to close tabs. This is typical of an application that values advertiser control over user experience.
"She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
OK, definitely not taking my laptop to the University of Florida.
They're claiming a general program that can reliably determine the behaviour of another program. Nice try.
There will *always* be a trivial way the supervised program can do something the supervising program can't detect or characterize properly.
I like this idea, as it seems practical and fairly hard to fool.
Just cruising through this digital world at 33 1/3 rpm...
"The team ... is seeking a partner to commercialize it and make it available publicly".
That immediately devalues the value of anything these "researchers" put out.
I have considered keeping a "Ransomware canary" around. I'm thinking of, say, a Word .doc file on a network drive. A process on some separate computer then checks its entropy on a regular basis, or on file change notification if available, to make sure file entropy has not grown huge.
The idea fails for local files because (as I recall) the more sophisticated ransomware inserts itself as a filesystem driver. That's a likely problem for some of these researchers' heuristics as well.
(Expanding on something I wrote a while ago)
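An added example from the editor, not the commenter's tooling, of the canary idea above: a low-entropy decoy document is placed on a share, and a checker (meant to run on a separate host, on a timer or on change notification) re-reads it and alarms when its Shannon entropy grows by more than a margin. The decoy text, the file name and the margin are assumptions; the "encrypted" bytes are a deterministic SHA-256 chain standing in for ransomware output so the demo runs offline.

```python
"""Added example (editor's illustration, not the commenter's tooling): an
entropy-based ransomware canary. A low-entropy decoy document is written to
a share; a checker re-reads it and alarms if its Shannon entropy rises by
more than MARGIN bits per byte. Paths and the decoy text are constructed."""
import hashlib
import math
import os
import tempfile
from collections import Counter

MARGIN = 2.0  # bits/byte of growth that trips the alarm (assumed)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, close to 8.0 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def file_entropy(path):
    with open(path, "rb") as f:
        return shannon_entropy(f.read())


def canary_tripped(path, baseline, margin=MARGIN):
    """The check the watcher runs each time; baseline was measured at deployment."""
    return file_entropy(path) - baseline > margin


def decoy_document(n_bytes=8192):
    """Repetitive prose: what a real .doc full of text looks like entropy-wise."""
    line = b"Quarterly report draft. Please do not delete this file. "
    return (line * (n_bytes // len(line) + 1))[:n_bytes]


def fake_ciphertext(n_bytes, seed=b"constructed-demo-seed"):
    """Deterministic high-entropy bytes (SHA-256 chain) standing in for ransomware output."""
    out, block = bytearray(), seed
    while len(out) < n_bytes:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n_bytes])


def demo():
    """Deploy the canary, measure, then simulate it being encrypted in place."""
    with tempfile.TemporaryDirectory() as share:
        canary = os.path.join(share, "Budget_2016.doc")  # assumed decoy name
        with open(canary, "wb") as f:
            f.write(decoy_document())
        baseline = file_entropy(canary)
        before = canary_tripped(canary, baseline)
        with open(canary, "wb") as f:           # ransomware rewrites it in place
            f.write(fake_ciphertext(8192))
        after = canary_tripped(canary, baseline)
        return {"baseline": baseline, "encrypted": file_entropy(canary),
                "tripped_before": before, "tripped_after": after}


if __name__ == "__main__":
    print(demo())
```

Two caveats the thread already raises apply directly: a compressed or already-encrypted file has the same entropy profile as ciphertext, so the canary must be a file nothing legitimate ever rewrites, and if the ransomware sits below the filesystem as a filter driver on the victim, only a reader on a different machine (over the share) sees the real on-disk bytes.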
CryptoStalker - http://news.softpedia.com/news...
With modern Windows you don't need to lock the files! The software makes a shadow copy/snapshot branch, the same way Windows' built-in backup and File History can. I'm surprised the researchers would have the balls to claim this works on all their samples when the already common method is different. The virtual shadow streams also make it possible to serve their software different files, or serve the encrypted files while waiting for the rest to be encrypted.
Intrusion prevention is a means of detecting by "behavioral analysis" how software should behave under normal use through monitoring normal use and updating rules to support occasional anomalies. It's a really crappy approach to security which is a "poor man's AI" and "poor man's machine learning" approach which kinda works but is a last resort because we're basically guessing things like "9 rewrites is ok, 10 is malicious".
Windows 8, early iOS, early Android and a few others introduced a pretty cool sandboxing approach to file permissions. The idea was that Application X has access to Application X's files and maybe limited access (generally with an approval process from the user) to a shared location.
This method is highly restrictive and makes me cringe as a developer since writing tools like compilers which read the name of an included file from another file is ok, but opening that included file is restricted and generally requires that I break the sandbox in order to grant myself permissions to those other files. This results in greatly weakened security.
Transactional file systems are a great approach to avoiding loss of data through ransomware, but there are extensive problems that arise when attempting to securely delete data. Therefore APIs generally must exist to provide the ability to write apps that can remove all traces of a file from the file system. Many modern ransomware attacks are deleting transaction logs via these APIs.
There is of course cloud storage and transaction logs, but these suffer the same problems.
There is object storage which isn't too bad, but again the secure deletion issue comes into play.
One method to manage the problem might be to secure the secure deletion APIs with mandatory "Are you sure?" and "Are you really really sure?" user prompts. The problem now becomes that legitimate tools to automate tasks such as builds would need an OS permission (think group policy) that would allow secure deletion of object files that could and would consume terabytes of data unnecessarily each day. To provide a UI to that group policy, there would have to be an API, and people (especially those who fall prey to ransomware) would simply click OK without reading any prompts, providing ransomware the rights to bypass the secure deletion mechanism.
There are account permissions and other means of protecting the user, but as the "chatter" increases, the user grows more likely to simply grant permissions without reading. This is how you attack Macs. Mac users are so commonly annoyed by "enter your admin password" prompts that no one reads what the prompt says. So stealing the admin credentials is as simple as popping up a fake dialog asking for it.
Poor man's AI might be the only solution to the problem, but maybe it's better to design "document storage zones" which don't permit secure deletion of transaction logs. This would mean "C:\Build\Obj" would be securely deletable, but "C:\Users" wouldn't.
This would probably work until the user moved a node from one place to the other.
In the end, I dislike the proposed approach to the problem. I would prefer to see deeper thinking to solving the problems. Of course, if Microsoft implements a good solution, it will be in Windows 10 and later, which will have all the whiner babies crying.
"...and, counterintuitively, actually letting it lock up a few files before clamping down on it."
Well, this might be better than nothing, but unfortunately this assumes that those "few files" might not still cause a considerable amount of damage.
What this solution doesn't seem to take into account is the fact that ransomware has quickly moved on to commercial targets because the payoff is so much greater than targeting home users. Therefore, actually letting the proverbial dog bite you first may hurt worse than you think.
The best solution to ransomware is still the oldest one; make backups, and make them often. And make those backups very hard to access(read: offline) as soon as you can, because your VM snapshots, shadow copies, and to-disk protection methods are not going to remain safe or immune from this type of attack.
As I said on reddit: so any compression utility is a false positive. And as far as I understand, all detection worked because no countermeasure was implemented in current ransomware. I thought of one simple countermeasure which simply reduces all this effort to nothing. I'm all but impressed.
APK Hosts File Engine 9.0++ SR-4 32/64-bit http://www.bing.com/search?q=%...
* See subject: Ask Cryptizard (as I stop the delivery source in malicious payload links)-> https://it.slashdot.org/commen...
Less power/cpu/ram + IO use vs. DNS/routers/addons/antivirus (slows you) + less security issues/complexity. Complements firewalls (w/ layered drivers blocking less used IP addys vs. hosts blocking more used domains) & DNS (lightens dns load). Gets data via 10 security sites.
Ads rob bandwidth/speed, security (malvertising), privacy (tracking) + anonymity.
Hosts add speed (hardcodes/adblocks), security (bad sites/poisoned dns), reliability (dns down), & anonymity (dns requestlogs/trackers) natively. Hosts != ClarityRay blockable (vs. souled-out to admen inferior wasteful redundant slow usermode addons)
APK
P.S. - Safe https://www.virustotal.com/en/... (Verified by Malwarebytes' S. Burn "I've seen the code & it's safe" http://forum.hosts-file.net/vi... )
This shit pisses me off to no end.
We're running goddam stupid computers and it's our own goddam fault.
Look: How about some predictive algorithms that do practice runs? How hard can that be?
Here's how it should have been done back when Moby Dick was a minnow:
The computer would actually do what I've been trained NOT to do, but do anyway.
When I click on an attachment, the computer examines the future consequences in a "play like," simulation and says to itself, "this mofo set of instructions encrypts files from "out there," and not from the keyboard."
DANGER WILL ROBINSON
So, in all cases, get the fucking computer to do, "look ahead," and ask permission to initiate the self-destruction sequence.
Those consequences should be presented in plain language.
Lookit: My mom, way back, got a computer with a modem on dialup.
She called me up, all frustrated because the damn thing quit working, and I determined that, in a manner reminiscent of the "drunk walk," she had unintentionally uninstalled the goddam modem driver.
Why the hell didn't the computer say, "Ma'am, if you keep doing this shit, we will never be able to connect to the Internet and that's just about all this crappy-ass machine is good for and stuff. You obviously don't want to do this, so, get some help, OK?"
It little behooves the best of us to comment on the rest of us.
As a total noob I have a question. Recently there was an article about Apple fixing a ransomware vulnerability on Mac OS. This file watching approach, is it specifically meant for Windows? What about mainstream Ubuntu/Linux for us Windows refugees? Is there ransomware for Ubuntu/Linux out there now? Just a noob asking.... ;)
Here's a 100% effective ransomware solution. When you fork out hundreds or thousands of dollars for your computer, fork out $100 more and get an identical hard drive to what it has inside and a one-button disk cloner off of AliExpress or eBay for a few dollars. Weekly disk cloning kills ransomware dead. In the worst case scenario, you clone the drive with the malware on it but before it activates. In that scenario, you can still restore from backup, and even if the OS is hopelessly compromised with malware beyond anyone's skill to remove, you can still access all your files.
Of course, the best solution is still not to run stupid software.
So Ransomware would have to gain Admin rights to disable this system?
I downloaded apk as what you've advertised here.
But it had built-in spyware which connects to a UK server for some strange reasons.
The best solution I think is app whitelisting in Windows, it is called AppLocker or Parental Control. Learn how to configure this feature properly and ransomware won't affect you.
Well, never mind those Linux users they are geeks and can take care of themselves against this ransomware.
WHOIS Source: RIPE NCC
IP Address: 86.9.60.226
Country: United Kingdom
Network Name: VMCBBUK
Owner Name: ALDERSHOT
From IP: 86.9.60.0
To IP: 86.9.63.255
Allocated: Yes
Contact Name: Virgin Media Network Management Centre
Address: Virgin Media, Heron Drive, Langley, SL3 8XP
Email: hostmaster@virginmedia.net
Why not just use the built-in protection of windows called AppLocker or Parental Control.
Just lock down your system to fixed read-only directories where it can run applications. Usually Windows, System32 and Program Files directory.
That's it. Problem Solved.
Windows itself is ransomware. It is spyware in totality. No Windows, no ransomware.
There is a simpler way to watch for file changes. They just made it more obscure so you can't, and have to buy more shit.
Fuck Microsoft and everything about Microsoft and Microsoft employees for not actually contributing to the planet.
See subject: Sources of custom hosts file data as YOU choose (see config tab & APKIniFile.ini, alter them as you wish - however I can't guarantee the filters will work as well on other sites you may substitute is all (most are customized but there is a generic function that does a good job after them too)).
* That's all...
PLUS:
The code's verified safe/clean by 1 of those sources who have made a BIG & GOOD NAME for themselves in Malwarebytes who also have an employee of theirs host & recommend my ware as good/clean/safe too.
APK
P.S.=> I'm NOT against whitelisting & yes, AppLocker tech's been in Windows since XP iirc, & only got EASIER + BETTER TO USE Server 2003 onwards - layered-security/defense-in-depth IS the way to go & the best thing we have going vs. bogus machinations out there - I've always espoused it, ala the security guides I've written DECADES ago http://www.bing.com/search?q=%... of which those are the 'latest models', originals are from 1996 onwards (which I never did list using AppLocker tech in, so, kudos to you on that note)... apk
--Setup a ZFS+Linux+Samba server as a RAID10 network share drive, copy data to it, take a known-good snapshot. Do a zpool scrub afterward to make sure.
--Then implement a cron script that takes a rolling snapshot Mon-Sun. If you're feeling ambitious you can install the zfs-auto-snapshot package but you should really disable the "frequent" snapshots (every 15 minutes? who really needs that?) and possibly "hourly" snapshots since they will prevent your disks from going to sleep.
--As a bonus, you could also take rolling day-of-month (1-31) snapshots in the same script. Just destroy the existing snapshot name before taking another one.
(Disclaimer: I have done this and the concept appears fairly bulletproof, since ZFS snapshot directories are read-only.) Feel free to ask me for details or provide feedback...
== WolfriderV6 == I'm willing to admit that *I just might* be wrong... Are you??
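An added example from the editor, not the script the poster above runs, of the rolling-snapshot step in that post: two names are cycled per run, daily-<Mon..Sun> and dom-<01..31>, and an existing snapshot with the same name is destroyed first, as described. The plan builder is pure so it can be tested without ZFS; apply() shells out to the real zfs binary, and the dataset name tank/share is an assumption.

```python
"""Added example (editor's illustration, not the poster's cron script): the
rolling ZFS snapshot rotation from the post above as a plan builder.
plan() is pure and testable; apply() runs the real zfs commands."""
import datetime
import subprocess

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def snapshot_names(day):
    """Names that roll over weekly (daily-Mon..Sun) and monthly (dom-01..31)."""
    return [f"daily-{DAYS[day.weekday()]}", f"dom-{day.day:02d}"]


def existing_snapshots(dataset):
    """Ask zfs which snapshots exist under dataset (needs ZFS on this host)."""
    out = subprocess.run(
        ["zfs", "list", "-H", "-t", "snapshot", "-o", "name", "-r", dataset],
        check=True, capture_output=True, text=True).stdout
    return set(out.split())


def plan(dataset, day, existing):
    """Return the zfs commands, in order, for one rotation step."""
    cmds = []
    for name in snapshot_names(day):
        snap = f"{dataset}@{name}"
        if snap in existing:                 # same name as last cycle: drop the old copy
            cmds.append(["zfs", "destroy", "-r", snap])
        cmds.append(["zfs", "snapshot", "-r", snap])
    return cmds


def apply(cmds, runner=subprocess.run):
    """Execute the plan; runner is injectable so a dry run can just log."""
    for cmd in cmds:
        runner(cmd, check=True)


if __name__ == "__main__":
    import sys
    ds = sys.argv[1] if len(sys.argv) > 1 else "tank/share"   # assumed dataset name
    apply(plan(ds, datetime.date.today(), existing_snapshots(ds)))
```

Run it once a day from cron on the NAS itself, never from a client of the share; the snapshots are read-only to Samba clients, which is the whole point, but anyone with root on the ZFS host can still `zfs destroy` them, so the NAS login is the thing to protect.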