Slashdot Mirror

← Back to Stories (view on slashdot.org)

Researchers Develop A Way To Stop Ransomware By Watching The Filesystem (phys.org)

Posted by BeauHD on from the always-watching dept.

An anonymous reader quotes a report from Phys.Org: Ransomware -- what hackers use to encrypt your computer files and demand money in exchange for freeing those contents -- is an exploding global problem with few solutions, but a team of University of Florida researchers says it has developed a way to stop it dead in its tracks. The answer, they say, lies not in keeping it out of a computer but rather in confronting it once it's there and, counterintuitively, actually letting it lock up a few files before clamping down on it. "Our system is more of an early-warning system. It doesn't prevent the ransomware from starting [...] it prevents the ransomware from completing its task [...] so you lose only a couple of pictures or a couple of documents rather than everything that's on your hard drive, and it relieves you of the burden of having to pay the ransom," said Nolen Scaife, a UF doctoral student and founding member of UF's Florida Institute for Cybersecurity Research. Scaife is part of the team that has come up with the ransomware solution, which it calls CryptoDrop. "Antivirus software is successful at stopping them when it recognizes ransomware malware, but therein lies the problem," reports Phys.Org. "'These attacks are tailored and unique every time they get installed on someone's system,' Scaife said. 'Antivirus is really good at stopping things it's seen before [...] That's where our solution is better than traditional anti-viruses. If something that's benign starts to behave maliciously, then what we can do is take action against that based on what we see is happening to your data. So we can stop, for example, all of your pictures from being encrypted.' The results, they said, were impressive. 'We ran our detector against several hundred ransomware samples that were live,' Scaife said, 'and in those case it detected 100 percent of those malware samples and it did so after only a median of 10 files were encrypted.'" The University of Florida uploaded a video briefly explaining its software.

5 of 102 comments (clear)

  1. Hey, you can do this too by sonamchauhan · · Score: 4, Interesting

    1. Your main computer (call it 'right brain') automatically takes a 'VM snapshot' of itself at a point in time.
    2. Another computer ('left brain') inspects the VM to check if data files are still accessible
    3. If not, left brain 'diffs' the VM with previous 'known-good' VMs to find the source of the problem
    4. Swap VMs
    5. profit!

  2. Heuristics by The+MAZZTer · · Score: 4, Interesting

    Scaife said. 'Antivirus is really good at stopping things it's seen before [...] That's where our solution is better than traditional anti-viruses. If something that's benign starts to behave maliciously, then what we can do is take action against that based on what we see is happening to your data.

    That's called "heuristics" and AV has been doing that for quite a while now. And attackers will work around this system the same way they work around heuristics... if your system is freely available, they can download and test their ransomware against it until they can escape notice.

  3. What would really help by Anonymous Coward · · Score: 2, Interesting

    ...is if a few of these ransomware authors/operators started turning up dead.

    Seriously.

  4. Tripwire by Scutter · · Score: 3, Interesting

    Tripwire (and tripwire-like software such as bit9/Carbon Black) has been a thing for years. What's different about this approach?

    --

    "Tell me doctor, with all of your defenses, are there any provisions for an attack by killer bees?"
  5. Re:Better yet by vux984 · · Score: 3, Interesting

    Just have your files backed up on another computer at your house, on a NAS, or online.

    Bingo.

    If you get ransomware then just nuke the computer and restore everything from your backup.

    double bingo.

    I wouldn't suggest backing up to a hard drive connected directly to the computer because the ransomware will also encrypt those files too.

    Yes... but that's not nearly going far enough. The vast majority of 'simple' backup systems fail hard on ransomware; especially the roll-your-own sort often advocated here.

    cloud sync, torrent sync, etc. Fail. So you've got 3 redundant storage sites; The encrypted files get synchronized and overwrite the backups; and you've got nothing.

    rsync, or any thing to an offsite or local nas/server/whatever = fail. same reason. double fail if the local system mounts the drives on the remote system as part of the procedure giving the ransomware direct access to the remote filesystem.

    Essentially any backup solution that cannot easily and reliably restore to a given point in time, including deleted files is a hard fail vs ransomware.

    You need continuous ongoing incremental backups via an agent/daemon/service on a remote system. Its certainly possible to set something like this up and manage it yourself, but its not simple.

    Honestly for personal / home / small businesses stuff like carbonite and crashplan and spideroak are probably your best line of defense vs ransomware.

    That's not to say having torrent sync setup with 3 offsite systems is a bad idea. Its a fine idea for all sorts of disaster scenarios; and is probably quicker to recover from in the event of a system failure. Its just not much defense against ransomware.

    For that you really need continual incremental backups.