Researchers from the Florida Institute for Cybersecurity Research (FICS) have developed a solution to prevent ransomware by stopping encryption early, giving victims less incentive to pay off their attackers. Instead of using continuous file monitoring, which can generate a lot of false positives, or signature detection, which only protects users from known ransomware variants, CryptoDrop neutralizes the encryption process in its earliest stages.
According to the team's paper, prepared for the 2016 IEEE 36th International Conference on Distributed Computing Systems, CryptoDrop stops crypto ransomware from executing after a median loss of only 10 files. "This project started with the realization that most of what makes up a modern computer is completely replaceable," says Nolen Scaife, a Ph.D. student at the University of Florida and a member of the FICS CryptoDrop team. "Your data — the data you've generated and stored — isn't."
How CryptoDrop Detects Changes in Progress
Crypto ransomware, in any iteration, executes certain malicious file changes. According to the FICS team, when these three specific changes occur together, it's a surefire indicator that ransomware is at work:
- File Type Changes
Files generally maintain the same type and formatting signatures throughout their life spans. Although changes to a file type signature can happen during a software update, ransomware tends to cause bulk changes to multiple file type signatures.
- Creation of Dissimilar Content
When a user updates a file, the new content rarely differs significantly from the file's original content. Major changes that make the two pieces of content highly dissimilar can be indicators of encryption in progress.
- High Shannon Entropy
Entropy measures the degree of randomness present in a data set. Mathematician Claude Shannon's entropy formula, among its other uses, quantifies how random the bytes of a file are. Encrypted files look almost uniformly random, which gives them high Shannon entropy scores.
Other Warning Signs
Two additional secondary indicators, which are often but not always present during a ransomware attack, bolster CryptoDrop's confidence that mass encryption is happening:
- File Deletion
Certain types of ransomware read an original file, create a new encrypted file and then delete the original file. When many files are deleted from user documents, it's a strong indicator that a certain type of ransomware is at work.
- File-Type Funneling
When creating output, applications may read multiple types of files, but they usually write only a single type of output file. Ransomware reads an unusually high number of disparate file types while generating very few output file types.
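The three primary indicators above (file type change, dissimilar content, high Shannon entropy) and the two secondary ones (deletion, file-type funneling) can be sketched as a small per-process monitor. The code below is an added illustration written for this article, not CryptoDrop's own implementation: the magic-byte table, the Jaccard-over-shingles stand-in for a similarity hash, the entropy and similarity thresholds, and the "flag after N files" rule are all assumptions made for the demo, and the "ciphertext" is a deterministic SHA-256 byte stream standing in for encrypted output (no encryption is performed).

```python
import hashlib
import math
from collections import Counter

# Constructed magic-byte table for the example; the article does not give CryptoDrop's signature list.
MAGIC = {b"%PDF": "pdf", b"\x89PNG": "png", b"PK\x03\x04": "zip"}


def file_type(data: bytes) -> str:
    """Classify content by leading signature, falling back to 'text' for printable bytes."""
    for sig, name in MAGIC.items():
        if data.startswith(sig):
            return name
    printable = all(32 <= b < 127 or b in b"\r\n\t" for b in data[:512])
    return "text" if data and printable else "unknown"


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0 for constant data, close to 8 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def similarity(before: bytes, after: bytes, k: int = 4) -> float:
    """Jaccard similarity over k-byte shingles; a simple stand-in for a similarity hash."""
    sa = {before[i:i + k] for i in range(len(before) - k + 1)}
    sb = {after[i:i + k] for i in range(len(after) - k + 1)}
    if not sa and not sb:
        return 1.0
    return len(sa & sb) / len(sa | sb)


def primary_indicators(before: bytes, after: bytes) -> dict:
    """The three file-level indicators the article lists; thresholds are assumptions for the demo."""
    h_before, h_after = shannon_entropy(before), shannon_entropy(after)
    return {
        "type_change": file_type(before) != file_type(after),
        "dissimilar": similarity(before, after) < 0.1,
        "high_entropy": h_after > 7.0 and h_after - h_before > 1.0,
    }


class ProcessMonitor:
    """Per-process state: counts files on which all three primary indicators fire, and
    tracks the two secondary signals (deletions and read/write file-type funneling)."""

    def __init__(self, flag_after: int = 3):
        self.flag_after = flag_after  # assumed threshold; the article does not state CryptoDrop's
        self.hits = 0
        self.deleted = 0
        self.read_types: set = set()
        self.written_types: set = set()

    def on_read(self, data: bytes) -> None:
        self.read_types.add(file_type(data))

    def on_write(self, before: bytes, after: bytes) -> dict:
        ind = primary_indicators(before, after)
        self.written_types.add(file_type(after))
        if all(ind.values()):
            self.hits += 1
        return ind

    def on_delete(self) -> None:
        self.deleted += 1

    def funneling(self) -> bool:
        """Many input types read, a single output type written."""
        return len(self.read_types) >= 3 and len(self.written_types) == 1

    def suspicious(self) -> bool:
        # Each secondary indicator lowers the bar by one file, mirroring "bolsters confidence".
        bonus = int(self.deleted > 0) + int(self.funneling())
        return self.hits >= max(1, self.flag_after - bonus)


# Constructed sample data (not real user files).
DOC = b"Quarterly report: revenue grew in every region.\n" * 12
EDITED_DOC = DOC + b"Addendum: figures restated after audit.\n"
# Stand-in for ciphertext: a deterministic high-entropy byte stream (no encryption performed).
CIPHERTEXT = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))


def demo_benign() -> bool:
    """Editing a document in place trips none of the three primary indicators."""
    return not any(primary_indicators(DOC, EDITED_DOC).values())


def demo_mass_overwrite() -> bool:
    """Reads of three file types, each overwritten with high-entropy bytes and then deleted."""
    mon = ProcessMonitor()
    for original in (DOC, b"%PDF-1.4 sample", b"\x89PNG sample"):
        mon.on_read(original)
        mon.on_write(original, CIPHERTEXT)
        mon.on_delete()
    return mon.suspicious()
```

The benign edit keeps its type, shares most of its 4-byte shingles with the original and stays at text-like entropy, so nothing fires; the overwrite path flips all three primary indicators on every file, and the deletions plus funneling pull the per-process threshold down so the monitor flags the process sooner. A real system would apply this per write event in the file-system path and weight the indicators rather than require all three.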
Policing Files Instead of Malware
Crypto ransomware is easy to obtain and create, providing a simple way for attackers to make a quick buck. The variants are proliferating too quickly for signature detection to keep up, and current file monitoring processes often generate too many false positives to effectively identify ransomware attacks early on. Furthermore, the high number of canary files needed to detect ransomware makes early detection difficult.
The FICS team focused on creating a superior early warning system, with high accuracy and minimal false positives. In a test of 30 common Windows applications on a single VM configuration, using 492 known ransomware variants, CryptoDrop generated only one false positive.
"CryptoDrop's indicators identify the changes that ransomware makes while excluding benign operations instead of flagging any change," Scaife explains. "Watching the data lets CryptoDrop protect it whether or not [ransomware] has been seen before."
CryptoDrop's Future in the Fight to Prevent Ransomware
Recent Kaspersky statistics on crypto ransomware, reported by Security Week, show a five-fold increase in crypto ransomware over the past year. Although home users remain the primary targets, the proportion of corporate targets has more than doubled over the past year from 6.8 percent to 13.13 percent. Corporate targets can usually afford higher ransoms, especially when downtime is so costly.
Stopping file encryption early would slash the number of files lost and minimize the likelihood that attackers would get their money. The ideal solution, however, would be to eliminate all data loss and prevent ransomware scripts from running at all.
Scaife adds that they plan to launch CryptoDrop as a company. "Coupled with other security solutions, in the instances where ransomware has evaded all other controls, CryptoDrop can prevent total loss."