Researchers from the University of Florida, in association with Villanova University, have developed an anti-ransomware program called CryptoDrop, which detects ransomware at an early stage, as soon as it starts encrypting a significant number of files.
In tests of 492 distinct ransomware samples, the researchers report that CryptoDrop detected and stopped every one of them before it could encrypt the entire contents of a hard drive. The results suggest that in some cases the malware was detected and stopped even before it started to encrypt files. On average, however, it detected the malware after 10 files had been lost, and in the worst case 33 files were encrypted before CryptoDrop identified the ransomware process.
How does ransomware spread?
Data security concerns have grown enormously in recent times, and ransomware tops the chart. Technically speaking, this malware is notoriously difficult to stop. The industry is constantly striving to innovate in ransomware detection and prevention, with technologies across the stack, from the endpoint to the point of entry into the network.
The researchers Nolen Scaife, Patrick Traynor and Kevin R. B. Butler from the University of Florida and Henry Carter at Villanova University have now found a solution that looks promising if developed further.
CryptoDrop approaches detection in a fundamentally different way. It monitors the data rather than attempting to analyse the function of new processes: it watches the files on the system that are being modified, targeting the core behaviour of the malware, which lets it detect ransomware regardless of the delivery mechanism or file signature.
The researchers emphasise that it will not stop all files from being encrypted; it is intended to act as a backstop for when the antivirus system has failed to detect the ransomware package.
The researchers have worked on three primary parameters related to malicious file changes, which they claim result in a very low number of false positives. This lets CryptoDrop remain robust despite significant variations in the functionality of different ransomware families.
The parameters are:
- File type changes: by using "magic numbers" it is possible to detect significant changes in the data type of a file. Since files generally retain their data type over their lifetime, bulk changes in file types can be taken as an indicator of compromise. For example, text documents do not turn into image files, and emails do not turn into movie files.
- Similarity measurement: strong encryption produces content that is completely dissimilar to the original, and that dissimilarity can be measured with sdhash. A low similarity score indicates a high probability that the file has been encrypted.
- Entropy: building on previous research that used entropy to classify ransomware, the researchers extended the concept to track encrypted files as an indicator of ransomware activity.
Together, these three indicators let CryptoDrop identify a process running on a PC as ransomware.
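As an added example (not CryptoDrop's own code), the three indicators above in simplified Python form, applied to a before/after snapshot of one file; the small magic-number table, the difflib ratio standing in for sdhash, and the thresholds are assumptions chosen for illustration.

```python
import math
import os
from collections import Counter
from difflib import SequenceMatcher

# Well-known file signatures ("magic numbers"); a small constructed table.
MAGIC = {b"%PDF": "pdf", b"\x89PNG": "png", b"PK\x03\x04": "zip", b"\xff\xd8\xff": "jpeg"}

def file_type(data: bytes) -> str:
    """Classify a file by its magic number; printable ASCII counts as text."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    head = data[:512]
    if head and all(32 <= b < 127 or b in b"\r\n\t" for b in head):
        return "text"
    return "unknown"

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: English text sits around 4-5, ciphertext close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def similarity(old: bytes, new: bytes) -> float:
    """Stand-in for sdhash (assumption): 1.0 = identical, 0.0 = nothing in common."""
    return SequenceMatcher(None, old, new, autojunk=False).ratio()

def score_change(old: bytes, new: bytes) -> dict:
    """Apply the three indicators to one modified file; thresholds are assumptions."""
    ind = {
        "type_changed": file_type(old) != file_type(new),
        "entropy_jump": shannon_entropy(new) - shannon_entropy(old) > 2.0,
        "dissimilar": similarity(old, new) < 0.3,
    }
    # Like CryptoDrop, act when several indicators agree rather than on any one alone.
    ind["suspicious"] = sum(ind.values()) >= 2
    return ind

if __name__ == "__main__":
    # Constructed sample: a text report, then an encrypted-looking rewrite and a normal edit.
    report = b"Quarterly report: revenue grew 4% on stable costs.\n" * 20
    print("ciphertext-like:", score_change(report, os.urandom(len(report))))
    print("ordinary edit:  ", score_change(report, report.replace(b"4%", b"5%")))
```

A real monitor would keep a rolling tally of suspicious changes per process and suspend the process once the tally crosses a threshold, which is what limits the loss to a handful of files.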
More details are available on the University of Florida website.
You may also follow the link on how to deal with ransomware.