Ransonware

Consider this situation: you get to work one morning and attempt to open your computer.  A pop-up message tells you that your hard drive is encrypted and demands that you make a payment, in Bitcoin, to get access to your files.  Your coworkers have the same experience.  Your company’s servers are frozen.  You and your company are the victims of a ransomware attack.

In a typical ransomware attack, malware enters a target computer attached to an e-mail.  When the user clicks on the attachment, the malware opens.  Some ransomware attacks are entirely automatic and do not require the user to click on an e-mail attachment or to take any other action.

Ransomware has been around for ten years, but is now big business.  Why do criminal gangs (and criminal countries) resort to ransomware?  Because it works.  According to Malwarebytes, ransomware victims paid some $209 million in ransom in the first three months of 2016.

There have been several efforts to defeat ransomware.  In 2016 Cryptostalker launched to detect a ransomware attack on Linux systems.  Cryptostalker looked for random data, indicating encryption, being written at a high rate of speed.

In 2016, Cyberreason created bait files designed to attract malware encryption before other files and watched for encryption activity of those bait files.  RansomFree is no longer available.

In 2017, Microsoft included anti-ransomware software in Windows 10.  The Windows 10 feature prevents unauthorized apps from modifying files.

Now PayPal has jumped into the fray, with a new patent for anti-ransomware software.  The PayPal approach is based on the behavior of the ransomware within the target computer; namely, the ransomware will load files from the computer into the computer’s memory cache, will duplicate the files, will encrypt the duplicates, and will delete the original files.  The ransomware then saves the encrypted copy to computer memory.

The PayPal product monitors the computer’s memory cache, looking for this pattern.  If it detects the pattern, it consults a list of applications that are allowed to perform these actions.  If the PayPal product concludes that the encryption, duplication and deletion actions are being taken by software not on the allowed list, then the PayPal product can stop the process and can send unencrypted copies of the files to cloud backup.

Here’s wishing the PayPal developers great success in stopping ransomware.  As a first step, it’s time for all of us to check our computer safety practices and to disconnect our backup drives from the Internet.

— Robert Yarbrough, Esq.

Leave a Reply