
Interesting take on ransomeware prevention


6 replies to this topic

#1 Papakid

    Guru at being a Newbie

  • Malware Response Team
  • 6,595 posts
  • Gender:Male

Posted 12 July 2016 - 02:15 PM

http://phys.org/news/2016-07-extortion-extinction-ransomware.html


The thing about people

is they change

when they walk away.--Mipso




#2 Aura

    Bleepin' Special Ops

  • Malware Response Team
  • 19,596 posts
  • Gender:Male

Posted 12 July 2016 - 02:22 PM

Well, assuming that a user has shadow copies enabled, and the Ransomware only executes the vssadmin.exe command after the encryption is complete, this could actually be a good method to counter Ransomware. The "error margin" lies within the few files that get encrypted at the beginning. If these specific ones for instance are really important, and there's an issue with your backup solution, shadow copies, etc. you're pretty much SOL.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 JohnnyJammer

  • Members
  • 1,117 posts
  • Gender:Male
  • Location:QLD Australia

Posted 12 July 2016 - 07:48 PM

So I'm guessing that it detects file extensions being changed on a mass scale and then kills the process doing it?



#4 Aura

    Bleepin' Special Ops

  • Malware Response Team
  • 19,596 posts
  • Gender:Male

Posted 12 July 2016 - 07:51 PM

So I'm guessing that it detects file extensions being changed on a mass scale


I doubt it does, since some Ransomware that does not change the file extension exists as well. My guess would be rapid encryption of files launched via a suspicious process.

Edited by Aura, 12 July 2016 - 07:51 PM.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#5 Crazy Cat

  • Members
  • 808 posts
  • Gender:Male
  • Location:Lunatic Asylum

Posted 12 July 2016 - 08:11 PM

CryptoLock (and Drop It): Stopping Ransomware Attacks on User Data. http://www.cise.ufl.edu/~traynor/papers/scaife-icdcs16.pdf

After reading the article, you can create your own version of CryptoLock using 'File and Folder Monitoring' apps.

I've used Folder Changes View in the past in my honeypot.

http://www.howtogeek.com/205144/how-to-monitor-file-and-folder-changes-in-windows/
http://www.nirsoft.net/utils/folder_changes_view.html

Also used, Watch 4 Folder and The FolderSpy. https://www.raymond.cc/blog/3-portable-tools-monitor-files-folders-changes/

How To.

(1) Create a folder on your C drive, named "file_monitor" without the " "

(2) Place an assortment of files in the folder: .doc, .jpg, .txt, .xls, whatever.

(3) Configure Folder Changes View to monitor files in (1), triggering for file changes such as: create, delete, time-stamp, rename, etc.


Ransomware usually starts searching for files to encrypt from the C root; therefore, any activity on files in the file_monitor folder will be detected by 'File and Folder Monitoring' apps.

Edited by Crazy Cat, 12 July 2016 - 09:17 PM.

 

Two things are infinite: the universe and human stupidity; and I'm not sure about the universe. ― Albert Einstein ― Insanity is doing the same thing, over and over again, but expecting different results.
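The canary-folder procedure in the post above (a decoy folder seeded with assorted documents, watched for create/delete/rename/content changes, with a burst of changes treated as a sign of mass encryption) can be scripted without a GUI tool. The following is an added example written for this page; it is not code from the post, from Folder Changes View, or from any of the other tools linked above. It polls the folder with snapshots (size plus SHA-256 of content, so in-place rewrites are caught even when the extension is unchanged, which addresses the point Aura raised), and it assumes a hypothetical threshold of three change events per polling interval as the "mass activity" trigger. The decoy files and the change burst in run_demo() are constructed here for illustration and operate only inside a temporary directory.

```python
"""Canary-folder monitor: a self-contained sketch of the 'file_monitor'
idea (added example; not the post's own tools)."""
import hashlib
import os
import tempfile
import time
from pathlib import Path

# Constructed decoy documents used to seed the canary folder.
SEED_FILES = {
    "budget.xls": b"Q3 budget draft, do not edit\n",
    "holiday.jpg": b"\xff\xd8\xff\xe0fake jpeg header\n",
    "notes.txt": b"meeting notes\n",
    "thesis.doc": b"chapter 1 - introduction\n",
}


def seed_canary(folder: Path) -> None:
    """Create the canary folder and populate it with the decoy files."""
    folder.mkdir(parents=True, exist_ok=True)
    for name, data in SEED_FILES.items():
        (folder / name).write_bytes(data)


def snapshot(folder: Path) -> dict:
    """Record (size, sha256) for every regular file in the folder.
    Hashing the content catches in-place rewrites even when the file
    name and extension stay the same."""
    state = {}
    for entry in sorted(folder.iterdir()):
        if entry.is_file():
            data = entry.read_bytes()
            state[entry.name] = (len(data), hashlib.sha256(data).hexdigest())
    return state


def diff_snapshots(before: dict, after: dict) -> list:
    """Turn two snapshots into a sorted list of (event, filename) tuples.
    A rename shows up as a 'deleted' plus a 'created' event."""
    events = []
    for name in before.keys() - after.keys():
        events.append(("deleted", name))
    for name in after.keys() - before.keys():
        events.append(("created", name))
    for name in before.keys() & after.keys():
        if before[name] != after[name]:
            events.append(("modified", name))
    return sorted(events)


def looks_like_mass_encryption(events: list, threshold: int = 3) -> bool:
    """Heuristic from the thread: nothing legitimate should touch the decoys,
    so several change events in one interval is treated as mass activity.
    The threshold value is an assumption chosen for this example."""
    return len(events) >= threshold


def watch(folder: Path, interval: float = 1.0, cycles: int = 10) -> list:
    """Poll the canary folder and collect any change events seen.
    Replaces the GUI 'Folder Changes View' step with a polling loop."""
    seen = []
    previous = snapshot(folder)
    for _ in range(cycles):
        time.sleep(interval)
        current = snapshot(folder)
        events = diff_snapshots(previous, current)
        if events:
            seen.extend(events)
            flag = "ALERT" if looks_like_mass_encryption(events) else "info"
            print(f"[{flag}] {events}")
        previous = current
    return seen


def run_demo() -> tuple:
    """Seed a temporary canary folder, apply a one-file benign edit and then a
    constructed burst of rewrites/renames, and return (benign, burst) events."""
    root = Path(tempfile.mkdtemp(prefix="file_monitor_"))
    seed_canary(root)
    base = snapshot(root)

    # Benign: the user edits one note. A single event, below the threshold.
    (root / "notes.txt").write_bytes(b"meeting notes, updated\n")
    benign = diff_snapshots(base, snapshot(root))

    # Constructed burst: every decoy rewritten with random bytes and renamed
    # with a new extension within one polling interval.
    base = snapshot(root)
    for name in list(SEED_FILES):
        src = root / name
        src.write_bytes(os.urandom(64))
        src.rename(root / (name + ".locked"))
    burst = diff_snapshots(base, snapshot(root))
    return benign, burst


if __name__ == "__main__":
    benign_events, burst_events = run_demo()
    print("benign:", benign_events, "->", looks_like_mass_encryption(benign_events))
    print("burst:", burst_events, "->", looks_like_mass_encryption(burst_events))
```

As quietman7 notes later in the thread about CryptoDrop, a monitor like this cannot know intent: a user bulk-compressing or deliberately encrypting the decoy folder would trip the same threshold, so the alert is a prompt to inspect, not proof of ransomware. Polling also has the same "error margin" Aura describes, since anything rewritten before the first snapshot after the burst is already gone.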



#6 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,272 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 13 July 2016 - 08:20 AM

That's where our solution is better than traditional anti-viruses. If something that's benign starts to behave maliciously, then what we can do is take action against that based on what we see is happening to your data. So we can stop, for example, all of your pictures from being encrypted...

CryptoMonitor had a similar feature...it relied on behavioral detection and several protection methods which allowed it to detect encrypting ransomware before it had a chance to encrypt your data. Since it is now incorporated into Malwarebytes Anti-Ransomware, similar protection is also being developed.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#7 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,272 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 13 July 2016 - 08:24 AM

BTW...

Beware of False Positives

CryptoDrop can also cause false positives when any encryption happens for an extended period. “CryptoDrop is unable to determine the intent of the changes it inspects,” the researchers explained in the paper. “For example, it cannot distinguish whether the user or ransomware is encrypting a set of documents.” Consequently, certain legitimate programs may trigger CryptoDrop alerts when used.

CryptoDrop Stops Ransomware by Stopping Its Encryption

...it is important to clarify that the Crypto Drop is not a totally automated system, instead it requests user’s interaction to distinguish between legitimate activity (encrypting files with common compression tool) and a ransomware-based attack.

How to defeat every ransomware with Crypto Drop
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators