Researchers Develop A Way To Stop Ransomware By Watching The Filesystem

An anonymous reader quotes a report from Phys.Org: Ransomware -- what hackers use to encrypt your computer files and demand money in exchange for freeing those contents -- is an exploding global problem with few solutions, but a team of University of Florida researchers says it has developed a way to stop it dead in its tracks. The answer, they say, lies not in keeping it out of a computer but rather in confronting it once it's there and, counterintuitively, actually letting it lock up a few files before clamping down on it. "Our system is more of an early-warning system. It doesn't prevent the ransomware from starting [...] it prevents the ransomware from completing its task [...] so you lose only a couple of pictures or a couple of documents rather than everything that's on your hard drive, and it relieves you of the burden of having to pay the ransom," said Nolen Scaife, a UF doctoral student and founding member of UF's Florida Institute for Cybersecurity Research. Scaife is part of the team that has come up with the ransomware solution, which it calls CryptoDrop. "Antivirus software is successful at stopping them when it recognizes ransomware malware, but therein lies the problem," reports Phys.Org. "'These attacks are tailored and unique every time they get installed on someone's system,' Scaife said. 'Antivirus is really good at stopping things it's seen before [...] That's where our solution is better than traditional anti-viruses. If something that's benign starts to behave maliciously, then what we can do is take action against that based on what we see is happening to your data. So we can stop, for example, all of your pictures from being encrypted.' The results, they said, were impressive. 'We ran our detector against several hundred ransomware samples that were live,' Scaife said, 'and in those case it detected 100 percent of those malware samples and it did so after only a median of 10 files were encrypted.'" The University of Florida uploaded a video briefly explaining its software.

Nice try, but with 3 potential problems

[guardiangod]

The software detects the behavior of an application. The detection is probably like 'if a process accesses each image file (OpenFile/CreateFile) , read it, create a new file with "same_name+.encrypted", then delete the original image file.' x 10 times, then that process is likely guilty.

1. What happens if the malware instead use MapFileView and 10 others potential Win32/kernel32 APIs combination? This quickly become a arms race and is going to be terrible in terms of system overhead, not to mention the time gap between a new method appearing and the detection software catching it.

2. What about Windows' internal processes that, for example, shadow copy the file? Would the detection software catches it? What about false detection of, say, the disk defragmentation software?

3. Since the system is already compromised, what stops the malware from detecting the countermeasure and just delete all the files in the system straight out? If that's too obvious, then how about write a random byte per x bytes offset to all files? Even if you killed the malware process, you can't be sure that there no other malware running on the system that can go into revenge mode.