Beat Ransomware With The Right Tools — It’s Predictable

Beat Ransomware With The Right Tools — It’s Predictable

beat ransomware is predictable
There’s been a lot of freighting ransomware reports and statistics lately. But there is good news. At this year’s RSA security conference, Dr. Engin Kirda, Co-Founder and Chief Architect of Lastline, discussed the Achilles heel of ransomware, and how this dangerous malware can be detected and stopped—before it spreads throughout your enterprise.

As one of three Lastline founders who presented at the conference, Dr. Kirda elaborated on the sophisticated, yet very predictable aspects of ransomware and how Lastline’s advanced technologies detect it.

Beat Ransomware With The Right Tools

With the plethora of ransomware news that’s hit the media in recent years, the public has the impression that this is a new threat—and one that is impossible or at least very difficult to prevent. In Dr. Kirda’s presentation, he acknowledged that ransomware is a very significant problem, but demonstrated using the right tools you can beat ransomware because it can be easier to detect and prevent than other forms of malware.

The Achilles’ Heel of Ransomware

Ransomware is not new. The concept actually dates back to 1989 and although there has been a dramatic increase in ransomware activity in recent years, security professionals have been monitoring its methodology and evolution for decades. There are new evasion techniques emerging all the time, but the core idea has remained the same. More importantly, its biggest weakness has remained, and will always remain the same—the ransom note.

ransomware landscape

Unlike other forms of malware, ransomware always contains this one distinguishable and easily detectable trait—it must inform the victim of the attack. The fact that ransomware has to inform the victim that the attack has taken place is, at the same time, a weakness that is inherent in its nature. The user is always presented with a ransom note, including instructions on how to pay the fee.

anatomy of a ransomware attack

This necessary step that all ransomware must perform is significant for advanced malware protection systems. To orchestrate a ransom, several detectable behaviors are always inherent in the malware. While some actions are directly related to the delivery of the ransom note, other tasks support the need to handle payment, anonymize all communication, and perform the actual encryption and decryption functions.

Here are some examples of ransomware activities that Lastline detects:

  • The presence of a ransom note
  • Replacing the machine’s wallpaper
  • Blocking access to the victim’s desktop
  • Encryption / decryption capabilities
  • Network activities to orchestrate payment and file decryption
  • Removing capabilities to perform a system restore
  • Disabling windows update
  • Terminating task manager
  • Turning off error reporting

From Dr. Kirda’s presentation, over the course of many years Lastline has established behaviors that are present in all ransomware, and how to efficiently detect those behaviors. Lastline’s technology is razor-sharp at discovering emerging ransomware methods and quickly developing techniques to detect them.

Learn more about Lastline’s innovative features and how it can help protect your organization.

Bert Rankin

Bert Rankin

Bert Rankin has been leading technology innovation for over 25 years including over 5 years in security solutions that prevent cybercrime. He is a frequent blogger and is often quoted in security-related articles. Bert earned his BA from Harvard University and an MBA at Stanford University.
Bert Rankin