Developed by University of Florida researchers, CryptoDrop can halt a process that appears to be tampering with a large amount of the user’s data.
Anti-malware companies, like antivirus companies, are chasing constantly moving targets. When a new piece of nasty code appears, these firms analyze it and as quickly as possible update their software to protect against the new threat. Unfortunately, by the time firms learn about a new piece of ransomware, all the data on your computer -- or your organization’s servers -- may be encrypted and held hostage.
Researchers at the Florida Institute for Cybersecurity Research at the University of Florida, however, have come up with a new strategy that promises to make ransomware harmless before it can encrypt more than a few files.
“We’ve seen a huge number of regular users, companies, hospitals, public institutions suffer from malware and ransomware attacks,” said Patrick Traynor, associate professor in UF's department of computer and information science. When Nolen Scaife, a graduate student who had worked for years in corporate computer security, arrived at the department, he suggested they do something about the problem.
“We started this well over a year and half ago,” Traynor said. The team soon discovered that writing ransomware was a lot easier than countering it. “It turns out that writing ransomware is not all that difficult,” Traynor explained. “Anyone who can essentially traverse the file system and who can use cryptographic libraries -- even badly -- can write ransomware.”
So Traynor and Scaife studied the behavior of a variety of ransomware to learn how to detect the point at which it starts its nefarious activities. “That's the genesis of CryptoDrop,” Traynor said.
“All ransomware really has to do is read your data, encrypt it, write it back to the disk and get rid of the original data,” Scaife said. “If it doesn't do one of these three things, it is going to be very hard for [the criminals] to get you to pay the ransom.”
Like detectives profiling suspects, the team realized that different strains of ransomware conducted these operations in various ways. The researchers couldn’t, for example, count on using calls to the computer’s encryption library as a sure-fire sign of ransomware because some ransomware programs come equipped with their own encryption libraries.
So the team flipped their strategy and started to monitor the user’s data -- rather than the activity of programs.
“What we're not trying to do is to stop ransomware from being downloaded and run on your computer,” Scaife said. “What we're trying to do is say, ‘OK, if it gets past the other defenses on your system and it starts encrypting your files, how fast can we detect this and stop it before it encrypts all of your files or a substantial number of your files?’"
Once CryptoDrop detects changes in the first several data files, the program prompts the user and asks if the encryption operation is intentional. “CryptoDrop puts the user’s data on lockdown while it awaits the user’s response,” Scaife said. “We sit in between everything that is running on your computer and the file system.”
If it is ransomware at work, Scaife said CryptoDrop can prevent it from accessing data files. “At that point the ransomware has likely encrypted a small number of your files, so hopefully you can recover those via some mechanism like a backup, but the rest of your data should be intact and untampered with,” he said.
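To make the data-centric approach concrete, here is an added example (not CryptoDrop's code; the article does not publish the team's detection logic): a toy monitor that sits in the write path, scores each rewrite with two assumed indicators (content entropy jumping to near-random, and a known file header disappearing), and locks a process out of the file store after three suspicious rewrites, so the remaining files stay intact pending the user's answer. The file contents and the SHAKE-256 bytes standing in for ciphertext are constructed sample data.

```python
import hashlib, math
from collections import Counter, defaultdict

MAGIC = (b"%PDF", b"\x89PNG", b"PK\x03\x04")  # a few well-known file headers
THRESHOLD = 3  # suspicious rewrites tolerated before a process is locked out

def shannon_entropy(data: bytes) -> float:
    # Bits per byte: near 8.0 for ciphertext, much lower for text or structured files.
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def suspicious_rewrite(before: bytes, after: bytes) -> bool:
    # Assumed data-centric signals: content turns near-random, or a known header vanishes.
    e_before, e_after = shannon_entropy(before), shannon_entropy(after)
    entropy_jump = e_after > 7.0 and e_after - e_before > 2.0
    header_lost = before.startswith(MAGIC) and not after.startswith(MAGIC)
    return entropy_jump or header_lost

class DataMonitor:  # sits between every process and the file store, as CryptoDrop does
    def __init__(self, files: dict):
        self.files = dict(files)          # path -> current content (our view of the user's data)
        self.strikes = defaultdict(int)   # pid -> count of suspicious rewrites
        self.locked = set()               # pids denied further writes pending the user's answer

    def write(self, pid: int, path: str, content: bytes) -> str:
        if pid in self.locked:
            return "blocked"
        if suspicious_rewrite(self.files.get(path, b""), content):
            self.strikes[pid] += 1
            if self.strikes[pid] >= THRESHOLD:
                self.locked.add(pid)      # lockdown: this write lands, nothing further does
        self.files[path] = content
        return "locked" if pid in self.locked else "ok"

SAMPLE_FILES = {  # constructed user data
    "report.pdf": b"%PDF-1.4\n" + b"stream text " * 300,
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00\x10\x20\x30" * 800,
    "notes.txt": b"quarterly numbers and meeting notes\n" * 100,
    "todo.txt": b"buy milk, call the lab, back up the laptop\n" * 80,
}

def run_scenario():
    m = DataMonitor(SAMPLE_FILES)
    editor = m.write(1001, "notes.txt", b"quarterly numbers, revised after the meeting\n" * 100)
    # Constructed stand-in for ciphertext: SHAKE-256 output, no cipher involved.
    ransom = [m.write(2002, p, hashlib.shake_256(p.encode()).digest(4096)) for p in SAMPLE_FILES]
    return m, editor, ransom
```

The benign editor's rewrite of notes.txt passes, while the process rewriting every file is locked out on its third file and the fourth file is never touched.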
At least for now, CryptoDrop doesn’t take the extra step of removing the ransomware, leaving that for an antimalware program.
Traynor says CryptoDrop has already attracted the attention of software companies interested in marketing the program, as well as from some firms interested in deploying it in their enterprises. “We’re working hard to find the right partner,” Traynor said. “Hopefully, we can bring it to market in the next couple of months.”