In many information security publications, ransomware is mentioned with the same kind of horrified reverence as terrors such as climate change, Ebola, or the Death Star – a terrifying enigma with devastating implications.
However, often the ransomware that’s coming out nowadays isn’t that much more sophisticated than the garden-variety malware that came before it. And it can be stopped.
What Does Ransomware Have In Common With Ordinary Malware?
The basic need of all malware is detection-avoidance- if you are discovered, your chances of success are low. Here are some common strategies that malware use to hide:
Encryption: Most malware uses encryption to confuse signature detection. Instead of showing as malicious executables, they appear as random strings of alphanumeric text. Most antivirus programs now know how to look for these strings of text, or hashes, but it is very easy for malware programmers to alter the underlying substructure of their files, to make that hash appear differently.
Timing: If an endpoint detection system doesn’t have continuous monitoring capabilities, malware with timing-based obfuscation can run circles around it. This kind of malware is designed to run only when absolutely necessary, such as after users reboot their computers, in order to avoid operating during a malware scan.
Communication: Malware is basically built to steal data—which means that it usually needs to “phone home” to its makers. Antivirus programs will look for programs that communicate with certain servers, domains, and IP addresses that are known to host command and control servers for given types of malware. By rotating these addresses, malware can evade antivirus programs, which are programmed to look only for a small range of C&C servers at a given time.
Virtualization Awareness: Many malware tools have specific sensors that allow them to detect whether they’re in a virtualized environment, to either evade honeypots or thwart security researchers from unpacking their components.
So What Makes Ransomware Different?
The real difference, of course, is payload. Ransomware is designed to do novel things, like encrypt large amounts of files, delete the Shadow Copies that allow users to restore from backup, and use C&C servers to store the encryption keys that allow users to unlock their files after they’ve paid up.
All of those actions, however, are behavioral mechanisms. Signature-based antivirus doesn’t look for behavior—rather, it seeks out identifiable characteristics of malware, such as the names of running processes, the hashes of encrypted files, or the servers that the malware phones home to. These characteristics are easy to mask, as we’ve just described, and once ransomware begins to take action, there’s no way for signature-based malware to know that bad things are happening.
Make sure that your endpoint security provider uses behavioral detection, to prevent ransomware attacks, and make sure you are not an easy target.