CybersecurityIt’s easier to defend against ransomware than you might think

By Amin Kharraz

Published 27 May 2016

Ransomware – malicious software that sneaks onto your computer, encrypts your data so you can’t access it and demands payment for unlocking the information – has become an emerging cyberthreat. Several reports in the past few years document the diversity of ransomware attacks and their increasingly sophisticated methods. Unfortunately, the use of advanced cryptosystems in modern ransomware families has made recovering victims’ files almost impossible without paying the ransom. However, it is easier to defend against ransomware than to fight off other types of cyberthreats, such as hackers gaining unauthorized entry to company data and stealing secret information.

Amin Kharraz // Source: northeastern.edu

Ransomware – malicious software that sneaks onto your computer, encrypts your data so you can’t access it and demands payment for unlocking the information – has become an emerging cyberthreat. Several reports in the past few years document the diversity of ransomware attacks and their increasingly sophisticated methods. Recently, high-profile ransomware attacks on large enterprises such as hospitals and police departments have demonstrated that large organizations of all types are at risk of significant real-world consequences if they don’t protect themselves properly against this type of cyberthreat.

The development of strong encryption technology has made it easier to encode data so that it cannot be read without the decryption key. The emergence of anonymity services such as the Tor network and bitcoin and other cryptocurrencies has eased worries about whether people who receive payments might be identified through financial tracking. These trends are likely driving factors in the recent surge of ransomware development and attacks.

Like other classes of malicious software – often called “malware” – ransomware uses a fairly wide range of techniques to sneak into people’s computers. These include attachments or links in unsolicited email messages, or phony advertisements on websites. However, when it comes to the core part of the attack – encrypting victims’ files to make them inaccessible – most ransomware attacks use very similar methods. This commonality provides an opportunity for ransomware attacks to be detected before they are carried out.

My recent research discovered that ransomware programs’ attempts to request access and encrypt files on hard drives are very different from benign operating system processes. We also found that diverse types of ransomware, even ones that vary widely in terms of sophistication, interact with computer file systems similarly.

Moving fast and hitting hard
One reason for this similarity amid apparent diversity is the commonality of attackers’ mindsets: the most successful attack is one that encrypts a user’s data very quickly, makes the computer files inaccessible and requests money from the victim. The more slowly that sequence happens, the more likely the ransomware is to be detected and shut down by antivirus software.