Interesting Slashdot post on stopping Ransomware from trashing your computer
There are various ways of stopping malware. Antivirus works by watching for strange behavior or if a program matches a known signature. The problem with signature matches is that it's very easy for a program to change its signature so that it won't hit in the protection program's database. This is known as a polymorphic virus (self-changing). Some malware encrypts itself.
The worst is ransomware. This is malware THAT ENCRYPTS YOUR HARD DISK. In doing so, all of your files get encrpyted, then a message pops up that says you will have to pay X number of bitcoins to get the decrypt key, and it will frequently have a deadline -- if you don't pay by the date, the decrypt key will be deleted and your files will be forever lost.
Some ransomware is written poorly, and some have been decrypted. Some security researchers have created web sites where you can upload an encrypted file and they can analyze the file and give you a key. But you can't count on that.
Backups are a form of protection, but some ransomware versions have sat silently and watched for a backup drive and encrypted it first. So your main recovery method might already have been compromised.
In other words, randomware is a bitch.
But some security researchers have come up with a very interesting approach to fighting it. They don't try to match a signature because that's a losing game. What they do is watch file system activity. If they see files being encrypted, the program identifies the activity and stops the process cold. So you may lose a handful of files, but you won't lose everything.
Here's what I just saw on Slashdot:
Researchers Develop A Way To Stop Ransomware By Watching The Filesystem (phys.org)
Posted by BeauHD on Friday July 08, 2016 @06:50PM from the always-watching dept.
An anonymous reader quotes a report from Phys.Org:
Ransomware -- what hackers use to encrypt your computer files and demand money in exchange for freeing those contents -- is an exploding global problem with few solutions, but a team of University of Florida researchers says it has developed a way to stop it dead in its tracks. The answer, they say, lies not in keeping it out of a computer but rather in confronting it once it's there and, counterintuitively, actually letting it lock up a few files before clamping down on it. "Our system is more of an early-warning system. It doesn't prevent the ransomware from starting [...] it prevents the ransomware from completing its task [...] so you lose only a couple of pictures or a couple of documents rather than everything that's on your hard drive, and it relieves you of the burden of having to pay the ransom," said Nolen Scaife, a UF doctoral student and founding member of UF's Florida Institute for Cybersecurity Research. Scaife is part of the team that has come up with the ransomware solution, which it calls CryptoDrop.
"Antivirus software is successful at stopping them when it recognizes ransomware malware, but therein lies the problem," reports Phys.Org. "'These attacks are tailored and unique every time they get installed on someone's system,' Scaife said. 'Antivirus is really good at stopping things it's seen before [...] That's where our solution is better than traditional anti-viruses. If something that's benign starts to behave maliciously, then what we can do is take action against that based on what we see is happening to your data. So we can stop, for example, all of your pictures form being encrypted.' The results, they said, were impressive. 'We ran our detector against several hundred ransomware samples that were live,' Scaife said, 'and in those case it detected 100 percent of those malware samples and it did so after only a median of 10 files were encrypted.'" The University of Florida uploaded a video briefly explaining its software.
Let's look at that second to last line again: it detected 100 percent of malware samples and did so after a median of 10 files were encrypted. So on average, you'll lose fewer than that, but you will guaranteed lose one or two files. And you may or may not have other copies of those files.
Still, QUITE impressive. It's not a released product and will need the security community at large to pound it and try to break it, but still, pretty cool.
Personally, if I were relying on Windows computers and concerned about this, I think I'd install Deep Freeze. It's a program we used at a university that creates a frozen copy of your operating system. You install the OS, update it, install the programs that you need, update them, then you freeze it. In order to update the OS or the programs, you have to unlock the system, do the updates, then freeze it again. It's not perfect, but it's darn good. It's VERY hard for a virus to infiltrate a system protected by Deep Freeze. Not impossible, but VERY difficult. Your user data files (word processing documents, spreadsheets, photos, music, etc.) are stored in a different area on the hard drive as they change regularly.
In Linux and some other systems you can install a program such as Tripwire that watches the operating system to see if any files change. It theoretically could detect the system becoming infected and could halt everything and not let it run until it's cleaned up.
But a lot of virus makers these days are pretty darn brilliant and tricky. The best thing you can do is to keep your computer updated, only install programs from trusted sources and web sites, and NEVER open attachments that you were not expecting or specifically requested. That means when your Aunt Ethel sends you that cute kitty video that you don't open it. It just ain't worth it.
The worst is ransomware. This is malware THAT ENCRYPTS YOUR HARD DISK. In doing so, all of your files get encrpyted, then a message pops up that says you will have to pay X number of bitcoins to get the decrypt key, and it will frequently have a deadline -- if you don't pay by the date, the decrypt key will be deleted and your files will be forever lost.
Some ransomware is written poorly, and some have been decrypted. Some security researchers have created web sites where you can upload an encrypted file and they can analyze the file and give you a key. But you can't count on that.
Backups are a form of protection, but some ransomware versions have sat silently and watched for a backup drive and encrypted it first. So your main recovery method might already have been compromised.
In other words, randomware is a bitch.
But some security researchers have come up with a very interesting approach to fighting it. They don't try to match a signature because that's a losing game. What they do is watch file system activity. If they see files being encrypted, the program identifies the activity and stops the process cold. So you may lose a handful of files, but you won't lose everything.
Here's what I just saw on Slashdot:
Researchers Develop A Way To Stop Ransomware By Watching The Filesystem (phys.org)
Posted by BeauHD on Friday July 08, 2016 @06:50PM from the always-watching dept.
An anonymous reader quotes a report from Phys.Org:
Ransomware -- what hackers use to encrypt your computer files and demand money in exchange for freeing those contents -- is an exploding global problem with few solutions, but a team of University of Florida researchers says it has developed a way to stop it dead in its tracks. The answer, they say, lies not in keeping it out of a computer but rather in confronting it once it's there and, counterintuitively, actually letting it lock up a few files before clamping down on it. "Our system is more of an early-warning system. It doesn't prevent the ransomware from starting [...] it prevents the ransomware from completing its task [...] so you lose only a couple of pictures or a couple of documents rather than everything that's on your hard drive, and it relieves you of the burden of having to pay the ransom," said Nolen Scaife, a UF doctoral student and founding member of UF's Florida Institute for Cybersecurity Research. Scaife is part of the team that has come up with the ransomware solution, which it calls CryptoDrop.
"Antivirus software is successful at stopping them when it recognizes ransomware malware, but therein lies the problem," reports Phys.Org. "'These attacks are tailored and unique every time they get installed on someone's system,' Scaife said. 'Antivirus is really good at stopping things it's seen before [...] That's where our solution is better than traditional anti-viruses. If something that's benign starts to behave maliciously, then what we can do is take action against that based on what we see is happening to your data. So we can stop, for example, all of your pictures form being encrypted.' The results, they said, were impressive. 'We ran our detector against several hundred ransomware samples that were live,' Scaife said, 'and in those case it detected 100 percent of those malware samples and it did so after only a median of 10 files were encrypted.'" The University of Florida uploaded a video briefly explaining its software.
Let's look at that second to last line again: it detected 100 percent of malware samples and did so after a median of 10 files were encrypted. So on average, you'll lose fewer than that, but you will guaranteed lose one or two files. And you may or may not have other copies of those files.
Still, QUITE impressive. It's not a released product and will need the security community at large to pound it and try to break it, but still, pretty cool.
Personally, if I were relying on Windows computers and concerned about this, I think I'd install Deep Freeze. It's a program we used at a university that creates a frozen copy of your operating system. You install the OS, update it, install the programs that you need, update them, then you freeze it. In order to update the OS or the programs, you have to unlock the system, do the updates, then freeze it again. It's not perfect, but it's darn good. It's VERY hard for a virus to infiltrate a system protected by Deep Freeze. Not impossible, but VERY difficult. Your user data files (word processing documents, spreadsheets, photos, music, etc.) are stored in a different area on the hard drive as they change regularly.
In Linux and some other systems you can install a program such as Tripwire that watches the operating system to see if any files change. It theoretically could detect the system becoming infected and could halt everything and not let it run until it's cleaned up.
But a lot of virus makers these days are pretty darn brilliant and tricky. The best thing you can do is to keep your computer updated, only install programs from trusted sources and web sites, and NEVER open attachments that you were not expecting or specifically requested. That means when your Aunt Ethel sends you that cute kitty video that you don't open it. It just ain't worth it.