Beat Ransomware With The Right Tools — It’s Predictable
There have been a lot of frightening ransomware reports and statistics lately. But there is good news. At this year’s RSA security conference, Dr. Engin Kirda, Co-Founder and Chief Architect of Lastline, discussed the Achilles heel of ransomware, and how this dangerous malware can be detected and stopped—before it spreads throughout your enterprise.
As one of three Lastline founders who presented at the conference, Dr. Kirda elaborated on the sophisticated, yet very predictable aspects of ransomware and how Lastline’s advanced technologies detect it.
Beat Ransomware With The Right Tools
With the plethora of ransomware news that’s hit the media in recent years, the public has the impression that this is a new threat—and one that is impossible or at least very difficult to prevent. In his presentation, Dr. Kirda acknowledged that ransomware is a very significant problem, but demonstrated that, using the right tools, you can beat ransomware because it can be easier to detect and prevent than other forms of malware.
The Achilles’ Heel of Ransomware
Ransomware is not new. The concept actually dates back to 1989, and although there has been a dramatic increase in ransomware activity in recent years, security professionals have been monitoring its methodology and evolution for decades. New evasion techniques emerge all the time, but the core idea has remained the same. More importantly, its biggest weakness has remained, and will always remain, the same—the ransom note.
Unlike other forms of malware, ransomware always contains this one distinguishable and easily detectable trait—it must inform the victim of the attack. The fact that ransomware has to inform the victim that the attack has taken place is, at the same time, a weakness that is inherent in its nature. The user is always presented with a ransom note, including instructions on how to pay the fee.
This necessary step that all ransomware must perform is significant for advanced malware protection systems. To orchestrate a ransom, several detectable behaviors are always inherent in the malware. While some actions are directly related to the delivery of the ransom note, other tasks support the need to handle payment, anonymize all communication, and perform the actual encryption and decryption functions.
Here are some examples of ransomware activities that Lastline detects:
- The presence of a ransom note
- Replacing the machine’s wallpaper
- Blocking access to the victim’s desktop
- Encryption / decryption capabilities
- Network activities to orchestrate payment and file decryption
- Removing capabilities to perform a system restore
- Disabling Windows Update
- Terminating Task Manager
- Turning off error reporting
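To show how several of the traits above combine into a detection, here is an added toy behavior scorer (not Lastline’s code) that maps constructed sandbox-style events to those traits: a ransom note is recognized as the same text file dropped into more than one directory, and the other indicators are matched from registry, process, service and network events. The event format, trait names and threshold are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample events (event_type, detail); not real telemetry.
SAMPLE_EVENTS = [
    ("file_write", r"C:\Users\bob\Documents\report.docx.locked"),
    ("file_write", r"C:\Users\bob\Documents\README_DECRYPT.txt"),
    ("file_write", r"C:\Users\bob\Pictures\holiday.jpg.locked"),
    ("file_write", r"C:\Users\bob\Pictures\README_DECRYPT.txt"),
    ("reg_set", r"HKCU\Control Panel\Desktop\Wallpaper"),
    ("reg_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"),
    ("proc_create", "vssadmin.exe delete shadows /all /quiet"),
    ("service_stop", "wuauserv"),
    ("network", "tor2web gateway lookup for payment page"),
]

def detect_traits(events):
    """Return {trait: [evidence, ...]} for each ransomware trait seen in the events."""
    traits = defaultdict(list)
    note_dirs = defaultdict(set)  # candidate note filename -> directories it landed in
    renamed = 0                   # files rewritten with an 'encrypted' extension
    for etype, detail in events:
        if etype == "file_write":
            path, _, name = detail.rpartition("\\")
            if re.search(r"(decrypt|restore|recover|readme|how.?to)", name, re.I) and name.lower().endswith((".txt", ".html", ".hta")):
                note_dirs[name.lower()].add(path.lower())
            elif re.search(r"\.\w+\.(locked|crypt|enc)$", name, re.I):
                renamed += 1
        elif etype == "reg_set":
            if detail.lower().endswith(r"\desktop\wallpaper"):
                traits["wallpaper_replaced"].append(detail)
            elif "disabletaskmgr" in detail.lower():
                traits["task_manager_disabled"].append(detail)
        elif etype == "proc_create" and re.search(r"vssadmin.*delete\s+shadows", detail, re.I):
            traits["system_restore_removed"].append(detail)
        elif etype == "service_stop" and detail.lower() == "wuauserv":
            traits["windows_update_disabled"].append(detail)
        elif etype == "network" and re.search(r"tor|onion|payment", detail, re.I):
            traits["payment_network_activity"].append(detail)
    # The ransom note: one identical file dropped into several directories.
    for name, dirs in note_dirs.items():
        if len(dirs) >= 2:
            traits["ransom_note"].append(f"{name} dropped in {len(dirs)} directories")
    if renamed >= 2:
        traits["mass_encryption"].append(f"{renamed} files renamed with an encrypted extension")
    return dict(traits)

def ransomware_score(events, threshold=3):
    traits = detect_traits(events)  # number of distinct traits, and whether it crosses the threshold
    return len(traits), len(traits) >= threshold
```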
As Dr. Kirda explained in his presentation, over the course of many years Lastline has catalogued behaviors that are present in all ransomware and worked out how to detect those behaviors efficiently. Lastline’s technology is razor-sharp at discovering emerging ransomware methods and quickly developing techniques to detect them.