Better Ransomware Detection: Follow the Shouting
Unique Behavior Holds Key to Better Defenses, Researchers Say
It's too soon to predict the decline of ransomware, the file-encrypting malware that poses a large and increasing risk to businesses and organizations. But it's the current obsession for the security industry. And while some computer security vendors claim their products can stop it, far too much ransomware is still bypassing defenses. As with any cybercriminal scam, though, the more attention it draws, the faster attackers' window of opportunity closes as defenses improve.
At the 25th Usenix Security Symposium in Austin, Texas, this week, a team of researchers from Northeastern University in Boston presented a new method to detect ransomware, called Unveil, and they report that it's proved highly effective in testing.
Ransomware "is a very simple attack that's simple to prevent if you have good backups," says Engin Kirda, a professor in the computer and information science department at Northeastern. "The reality is: People are bad at it. They don't have backups. They lose their data. Ransomware is exposing this big issue that we've always seen and known about, but now it's becoming more mainstream."
To help, the research team's idea was to build a system that could be layered on top of technologies known as "sandboxing," which isolate executable code for analysis before passing clean code into an environment, Kirda says.
By design, Unveil appears to be a legitimate user environment, full of attractive files that ransomware code would target. That's a decoy technique being increasingly embraced by the security industry to lure hackers and study their movements in a system, without tipping them off that it's actually fake.
To try to block security researchers and law enforcement agencies, many ransomware developers code their malicious applications to detect when they've been trapped in a sandbox, and if so to stop working. Kirda notes that many security firms continue to build new sandbox techniques that are designed to analyze malicious code, and attackers continue to bolster their defenses against these more advanced sandboxing environments.
But the Unveil researchers took a different approach, opting for a relatively unsophisticated sandbox, and found that they could find ransomware samples that more advanced sandboxing environments failed to detect.
Unveil's detection capabilities are centered on the unique ways that ransomware functions: it makes large-scale changes to file systems unlike other types of code. That same broad technique is similar to another academic project I wrote about called CryptoDrop (see Researchers Unleash Ransomware Annihilation).
If a process starts to make changes to a file's entropy - or randomness - it's a good clue that ransomware is at work. Accordingly, Unveil has direct access to data buffers that are involved in input and output requests, which allows it to monitor file system changes.
"I think the good thing about ransomware - people usually talk about the bad things - is that it has very distinct behaviors," Kirda says. "Ransomware actually shouts at you. It says, 'Hey, I just infected you.' These are behaviors that are in a way actually good for a defender because these are things that you can specifically look for."
A key difference between ransomware and other malware is that it usually displays a prominent notification asking for payment. Unveil monitors the desktop, taking automatic screenshots of what it displays before and after a suspect executable runs. It uses optical character recognition to spot changes between the screenshots, looking for keywords such as FBI, bitcoin and ransom.
"These are very suspicious words that a typical user will not always see," Kirda says.
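The two signals described above, a process driving up the entropy of files it rewrites and ransom-note keywords appearing on the desktop, can be sketched in a few dozen lines. The Python below is an added illustration, not Unveil's code; the I/O-buffer log, the OCR text, the thresholds (a 3-bit jump across at least three files) and the process IDs are all constructed for the example, and a real monitor would feed it the read and write buffers it intercepts.

```python
import hashlib
import math
from collections import defaultdict

# Words the article names as OCR triggers for a ransom note on screen.
RANSOM_KEYWORDS = ("fbi", "bitcoin", "ransom")


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a buffer in bits per byte: 0.0 for empty or
    constant data, approaching 8.0 for encrypted or well-compressed data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def entropy_deltas(io_log):
    """Pair each write with the most recent read of the same file by the same
    process. io_log rows are (pid, path, op, buffer), as an I/O-buffer monitor
    would see them. Returns {pid: [(path, read_entropy, write_entropy), ...]}."""
    last_read = {}
    deltas = defaultdict(list)
    for pid, path, op, buf in io_log:
        h = shannon_entropy(buf)
        if op == "read":
            last_read[(pid, path)] = h
        elif op == "write" and (pid, path) in last_read:
            deltas[pid].append((path, last_read[(pid, path)], h))
    return dict(deltas)


def flag_encrypting_processes(io_log, min_jump=3.0, min_files=3):
    """Processes that read at least `min_files` files and overwrote each with
    data whose entropy rose by at least `min_jump` bits per byte.
    Thresholds are illustrative choices for this example, not Unveil's."""
    suspects = {}
    for pid, rows in entropy_deltas(io_log).items():
        jumped = [path for path, r, w in rows if w - r >= min_jump]
        if len(jumped) >= min_files:
            suspects[pid] = jumped
    return suspects


def ransom_note_hits(ocr_before: str, ocr_after: str):
    """Ransom-note keywords present in the desktop OCR text only after the
    sample ran. Diffing against the 'before' screenshot keeps a user who
    legitimately had a bitcoin page open from triggering the check."""
    def words(text):
        return {w.strip(".,:;!?'\"()").lower() for w in text.split()}
    new_words = words(ocr_after) - words(ocr_before)
    return sorted(k for k in RANSOM_KEYWORDS if k in new_words)


def verdict(io_log, ocr_before, ocr_after):
    """Combine both signals into one decision: a process is encrypting files
    AND a ransom note has appeared on screen."""
    encryptors = flag_encrypting_processes(io_log)
    note = ransom_note_hits(ocr_before, ocr_after)
    return {"encrypting_pids": sorted(encryptors), "note_keywords": note,
            "ransomware": bool(encryptors) and bool(note)}


# --- constructed sample data (not real captures) ---------------------------
PLAINTEXT = b"Quarterly report: revenue up 4%.\n" * 8
# Deterministic stand-in for ciphertext: 1024 bytes of SHA-256 output.
CIPHERTEXT = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))
EDITED = b"Quarterly report: revenue up 5%. Reviewed.\n" * 8

SAMPLE_IO_LOG = [
    # pid 1000: a benign editor rewriting one document with similar entropy
    (1000, r"C:\Users\alice\Documents\q3.txt", "read", PLAINTEXT),
    (1000, r"C:\Users\alice\Documents\q3.txt", "write", EDITED),
    # pid 4242: reads three decoy documents and overwrites each with ciphertext
    (4242, r"C:\Users\alice\Documents\budget.xlsx", "read", PLAINTEXT),
    (4242, r"C:\Users\alice\Documents\budget.xlsx", "write", CIPHERTEXT),
    (4242, r"C:\Users\alice\Pictures\holiday.jpg", "read", PLAINTEXT),
    (4242, r"C:\Users\alice\Pictures\holiday.jpg", "write", CIPHERTEXT),
    (4242, r"C:\Users\alice\Desktop\notes.docx", "read", PLAINTEXT),
    (4242, r"C:\Users\alice\Desktop\notes.docx", "write", CIPHERTEXT),
    # a dropped note is a fresh file: no prior read, so it is not counted
    (4242, r"C:\Users\alice\Desktop\README.txt", "write", b"Your files are encrypted"),
]

OCR_BEFORE = "Recycle Bin  Documents  Pictures  q3.txt"
OCR_AFTER = ("Recycle Bin  Documents  YOUR FILES HAVE BEEN ENCRYPTED. "
             "Pay the ransom of 1.5 Bitcoin within 72 hours.")

if __name__ == "__main__":
    print(verdict(SAMPLE_IO_LOG, OCR_BEFORE, OCR_AFTER))
```

The entropy check on its own would also fire on an archiver or an encryption tool the user ran deliberately, which is why the example only returns a ransomware verdict when the on-screen note appears as well, mirroring the way the article describes Unveil combining file-system behavior with desktop monitoring.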
No False Positives
Unveil was tested against 148,223 malware samples and correctly picked out 13,637 ransomware samples without any false positives, according to the group's research paper. It even picked out a previously unknown ransomware family, called SilentCrypt, that was able to bypass the sandboxing technology of a "well-known anti-malware company," the paper reads. Papers accepted for Usenix go through a blind review by a program committee of vetted academics and experts.
Ransomware is able to fool many security products because attackers use compression and packing techniques to make what are essentially the same executable files appear different. Many anti-virus products rely on files that describe patterns of known malicious code - referred to as signatures - but repacked code can often evade those checks.
Unveil was developed by one of Kirda's students, Amin Kharraz, along with Sajjad Arshad, Collin Mulliner and William Robertson, all of Northeastern. Kirda is the founder of the computer security firm Lastline, but the research on Unveil is in the public domain. What the team developed is just a prototype, and other companies or organizations are free to take the ideas and develop them further. Kirda expects that Lastline also will implement some of the techniques in its products.
"The information is going to be out there," Kirda says. "It's online for everybody."