Spotting zero-day ransomware
- By Susan Miller
- May 18, 2020
To stop ransomware before it locks up files, researchers at Southern Methodist University (SMU) have developed software that uses sensors to detect ransomware – even variants that have not been previously identified.
Government computer systems have been targeted by ransomware because they house the kind of personally identifiable information that hackers can leverage for identity theft. Underfunded agencies are also often running older, unsupported software that attackers can readily exploit.
Unlike current methods of detecting ransomware that rely on signatures from past ransomware infections to spot new ones, SMU’s detection method uses a computer’s own sensors to discover the presence of active ransomware.
As ransomware begins to encrypt files, certain circuits experience power surges as files are scrambled. Sensors that monitor temperature, voltage levels and power consumption can identify those surges, SMU researchers found. When a suspicious surge is detected, the software instructs the computer to suspend or terminate the ransomware so it is unable to complete the encryption process.
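The detection idea described above, as an added illustration rather than SMU's own code: a small Python detector that watches one sensor channel (power draw) against an adaptive baseline and only confirms a surge when it is sustained across several samples, so a single spike does not trigger a response. The telemetry, thresholds, window size and the process-suspension step are all assumptions for the example; the article does not publish the researchers' parameters.

```python
"""Toy sensor-based ransomware detector (constructed example).

Flags a sustained jump in power draw relative to an exponentially weighted
baseline, then maps a confirmed surge to a 'suspend the process' action.
"""
import os
import signal
from dataclasses import dataclass


@dataclass
class Sample:
    t_ms: int      # timestamp in milliseconds
    watts: float   # power draw reported by the platform sensor


# Constructed telemetry: 2 s of idle readings, then a burst resembling bulk encryption.
TELEMETRY = (
    [Sample(i * 100, 12.0 + (i % 3) * 0.2) for i in range(20)]
    + [Sample(2000 + i * 100, 28.0 + (i % 2)) for i in range(10)]
)


def detect_surge(samples, alpha=0.1, ratio=1.8, sustain=3):
    """Return the t_ms at which a surge is confirmed, or None if none occurs.

    alpha:   EWMA smoothing factor for the idle baseline (assumed value).
    ratio:   a sample counts as a surge when watts > baseline * ratio.
    sustain: consecutive surge samples needed before confirming (suppresses spikes).
    The baseline is only updated from non-surge samples so the surge cannot
    drag it upward and hide itself.
    """
    baseline = None
    streak = 0
    for s in samples:
        if baseline is None:
            baseline = s.watts
            continue
        if s.watts > baseline * ratio:
            streak += 1
            if streak >= sustain:
                return s.t_ms
        else:
            streak = 0
            baseline = alpha * s.watts + (1 - alpha) * baseline
    return None


def suspend_process(pid, dry_run=True):
    """Respond to a confirmed surge by pausing the suspect process (POSIX SIGSTOP).
    dry_run=True returns the planned action without sending anything."""
    action = ("SIGSTOP", pid)
    if not dry_run:
        os.kill(pid, signal.SIGSTOP)
    return action
```

With the constructed telemetry the surge starts at t=2000 ms and is confirmed three samples later, at 2200 ms; a dry run of the response returns the planned action without touching any process.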
“With this software we are capable of detecting what’s called zero-day ransomware because it’s never been seen by the computer before,” Mitch Thornton, executive director of the Deason Institute and professor of electrical and computer engineering in SMU’s Lyle School of Engineering, said in a statement. “Right now, there’s little protection for zero-day ransomware, but this new software spots zero-day ransomware more than 95 percent of the time.”
The tool also can scan for ransomware much faster than existing software, said Mike Taylor, lead creator of the software and a Ph.D. student at SMU.
“The results of testing this technique indicate that rogue encryption processes can be detected within a very small fraction of the time required to completely lock down all of a user’s sensitive data files,” Taylor said. Use of the computer’s own devices to spot ransomware “is completely different than anything else that’s out there,” he said.
Susan Miller is executive editor at GCN.
Over a career spent in tech media, Miller has worked in editorial, print production and online, starting on the copy desk at IDG’s ComputerWorld, moving to print production for Federal Computer Week and later helping launch websites and email newsletter delivery for FCW. After a turn at Virginia’s Center for Innovative Technology, where she worked to promote technology-based economic development, she rejoined what was to become 1105 Media in 2004, eventually managing content and production for all the company's government-focused websites. Miller shifted back to editorial in 2012, when she began working with GCN.
Miller has a BA and MA from West Chester University and did Ph.D. work in English at the University of Delaware.
Connect with Susan at [email protected] or @sjaymiller.