While most of the discussion around ransomware is, rightly, about the unabated stampede of new strains and variations on existing samples, relatively little of it focuses on detection beyond antivirus and intrusion prevention systems.
Some generic ransomware detection tools for Windows and OS X exist, but many of them are signature-based or carry other limitations that make them fairly trivial to bypass.
A team of researchers from the University of Florida and Villanova University believe they have built a better mousetrap, one that focuses on how ransomware transforms data rather than on the execution of malicious code. Their utility is called CryptoDrop, and in a test against nearly 500 real-world ransomware samples from 14 distinct families, it detected 100 percent of attacks with relatively little file loss (a median loss of 10 files).
The tool is described in a paper called “CryptoLock (and Drop it): Stopping Ransomware Attacks on User Data,” written by Nolen Scaife, Patrick Traynor, Kevin R. B. Butler of the University of Florida, and Henry Carter of Villanova University.
“Our system (built only for Windows) is the first ransomware detection system that monitors user data for changes that may indicate transformation rather than attempting to identify ransomware by inspecting its execution (e.g., API call monitoring) or contents,” the researchers wrote. “This allows CryptoDrop to detect suspicious activity regardless of the delivery mechanism or previous benign activity.”
CryptoDrop was unveiled at the recent IEEE 36th International Conference on Distributed Computing Systems in Columbus, Ohio. The researchers wrote that CryptoDrop works alongside antimalware systems, detecting ransomware in ways that antivirus or intrusion prevention systems are not designed to do.
In the paper, the researchers describe three classes of ransomware, differentiated by what they do to the files that end up encrypted. Class A overwrites file contents in place: the file is opened, read, and rewritten at its original location. Class B may move or rename the file before encrypting it and then drops it back in its original spot. Class C is the most damaging in that it creates new files containing the encrypted contents and then deletes or overwrites the originals.
With that as a backdrop, CryptoDrop uses three primary and two secondary indicators to identify malicious file changes, the researchers wrote. The primary indicators are: file type changes, where the bytes that identify a file’s format no longer match after a write, which is suspicious because a file normally retains its type and formatting across edits; a similarity measurement, using the sdhash similarity digest to compare the before and after versions of the same file, since a legitimate edit leaves most of the content intact while encryption leaves almost nothing in common; and Shannon entropy, since encrypted data is close to uniformly random and a sharp rise in a file’s entropy after a write indicates it was encrypted rather than edited. The secondary indicators are deletion, where a process removes many files, and file type funneling, where a process reads files of many different types but writes out only one or a few types, as ransomware does when it turns documents, images, and archives into uniform encrypted blobs.
The researchers wrote that no benign program they tested triggered all three primary indicators, but the majority of ransomware samples examined did trigger all three. Unifying all three of these indicators in a single utility, the researchers said, is crucial for early and faster ransomware detection.
CryptoDrop combines these indicators into a reputation score for each process; when the score crosses a threshold, it alerts the user and suspends the offending process, the researchers said.
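The following is an added example, not CryptoDrop’s own code, that shows how the three primary indicators, the two secondary ones, and a per-process reputation score fit together. It runs over an in-memory “disk” of three constructed files. The magic-number table, the indicator thresholds and weights, the suspension threshold, and the toy XOR-with-SHA-256-keystream encryption are all assumptions made for the demo; the byte k-gram Jaccard measure stands in for sdhash, which the paper uses, and pairing a newly created file with the file the process last read (to cover Class C) is likewise this example’s choice, not something the paper specifies.

```python
"""Toy CryptoDrop-style detector (added example, not the authors' code)."""
import hashlib
import math
from collections import Counter

# Assumption: a tiny magic-number table; a real detector would know far more formats.
MAGIC = {b"%PDF": "pdf", b"\x89PNG": "png", b"PK\x03\x04": "zip", b"\xff\xd8\xff": "jpeg"}
PRIMARY = ("type_change", "dissimilar", "entropy_increase")


def file_type(data: bytes) -> str:
    """Classify a file by its leading bytes; 'unknown' when no signature matches."""
    for sig, name in MAGIC.items():
        if data.startswith(sig):
            return name
    return "unknown"


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0 for constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def similarity(a: bytes, b: bytes, k: int = 4) -> float:
    """Jaccard similarity of byte k-gram sets. Stand-in for sdhash (assumption)."""
    ga = {a[i:i + k] for i in range(len(a) - k + 1)}
    gb = {b[i:i + k] for i in range(len(b) - k + 1)}
    return 1.0 if not (ga or gb) else len(ga & gb) / len(ga | gb)


def primary_indicators(before: bytes, after: bytes) -> set:
    """The three primary indicators for one file write (thresholds are assumptions)."""
    hits = set()
    if file_type(before) != file_type(after):
        hits.add("type_change")
    if similarity(before, after) < 0.1:
        hits.add("dissimilar")
    if shannon_entropy(after) > 7.0 and shannon_entropy(after) - shannon_entropy(before) > 1.0:
        hits.add("entropy_increase")
    return hits


class Monitor:
    """Tracks one process's file activity on a dict-backed disk and scores it."""
    WEIGHTS = {"type_change": 3, "dissimilar": 3, "entropy_increase": 3, "deletion": 2, "funneling": 2}
    THRESHOLD = 25  # assumption: lets a few files be lost before the process is suspended

    def __init__(self, disk: dict):
        self.disk, self.score, self.suspended = disk, 0, False
        self.read_types, self.written_types, self.secondary_seen = set(), set(), set()
        self.last_read, self.deleted = None, 0

    def _guard(self):
        if self.suspended:
            raise PermissionError("process suspended by monitor")

    def _bump(self, hits: set):
        for h in hits:
            if h not in PRIMARY:            # secondary indicators count once per process
                if h in self.secondary_seen:
                    continue
                self.secondary_seen.add(h)
            self.score += self.WEIGHTS[h]
        if self.score >= self.THRESHOLD:
            self.suspended = True

    def read(self, path: str) -> bytes:
        self._guard()
        data = self.disk[path]
        self.read_types.add(file_type(data))
        self.last_read = data
        return data

    def write(self, path: str, data: bytes):
        self._guard()
        # Class A/B: compare with the file's old contents; Class C (new file): with the last file read.
        before = self.disk.get(path, self.last_read)
        self.disk[path] = data
        self.written_types.add(file_type(data))
        hits = primary_indicators(before, data) if before is not None else set()
        if len(self.read_types) >= 3 and len(self.written_types) == 1:
            hits.add("funneling")           # reads many types, writes only one
        self._bump(hits)

    def delete(self, path: str):
        self._guard()
        del self.disk[path]
        self.deleted += 1
        self._bump({"deletion"} if self.deleted >= 2 else set())


def toy_encrypt(data: bytes, key: bytes = b"demo-key") -> bytes:
    """XOR with a SHA-256 counter-mode keystream: deterministic, high-entropy output. Illustrative only."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(x ^ y for x, y in zip(data[i:i + 32], block))
    return bytes(out)


def sample_disk() -> dict:
    """Constructed sample files: low-entropy contents with recognisable headers."""
    return {
        "report.pdf": b"%PDF-1.4\n" + b"1 0 obj << /Type /Page /Contents 2 0 R >> endobj\n" * 40,
        "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 600,
        "notes.zip": b"PK\x03\x04" + b"notes/todo.txt " * 40,
    }


def benign_edit():
    """A normal application appends a comment to a document: no indicator fires."""
    m = Monitor(sample_disk())
    m.write("report.pdf", m.read("report.pdf") + b"% reviewed 2016-07\n")
    return 0, m.suspended, m.score


def class_a_attack():
    """Encrypt each file in place until suspended; returns (files lost, suspended, score)."""
    m, lost = Monitor(sample_disk()), 0
    for path in list(m.disk):
        try:
            m.write(path, toy_encrypt(m.read(path)))
            lost += 1
        except PermissionError:
            break
    return lost, m.suspended, m.score


def class_c_attack():
    """Write encrypted copies under new names and delete the originals until suspended."""
    m, lost = Monitor(sample_disk()), 0
    try:
        for path in list(m.disk):
            m.write(path + ".locked", toy_encrypt(m.read(path)))
            m.delete(path)
            lost += 1
    except PermissionError:
        pass
    return lost, m.suspended, m.score
```

The benign edit keeps the PDF signature, shares most of its 4-grams with the original, and barely moves the entropy, so it scores zero. Both attacks trip all three primary indicators on every file, and by the third file the process has also read three types while writing one (funneling), so the score crosses the threshold and further reads, writes, and deletes raise. The point to take from the example is the one the researchers make: none of this depends on recognising the malware, only on what it does to the data.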
The paper also provides data on specific ransomware families. Most showed little variation from sample to sample, with CryptoLocker and Filecoder the exceptions. CTB-Locker and CryptoLocker samples had the highest median file loss.
“With few files lost, the burden to pay for victims of ransomware is reduced or removed, protecting users and dismantling the economy of attackers,” the researchers wrote.