Computer sensors that monitor temperature, voltage levels and power consumption can quickly detect the power surges that indicate ransomware has started encrypting files.
To stop ransomware before it locks up files, researchers at Southern Methodist University (SMU) have developed software that uses sensors to detect ransomware – even variants that have not been previously identified.
Government computer systems have been targeted by ransomware because they house the kind of personally identifiable information that hackers can leverage for identity theft. Underfunded agencies are also often running older, unsupported software that attackers can readily exploit.
Unlike current methods of detecting ransomware that rely on signatures from past ransomware infections to spot new ones, SMU’s detection method uses a computer’s own sensors to discover the presence of active ransomware.
As ransomware begins to encrypt files, certain circuits experience power surges as files are scrambled. Sensors that monitor temperature, voltage levels and power consumption can identify those surges, SMU researchers found. When a suspicious surge is detected, the software instructs the computer to suspend or terminate the ransomware so it is unable to complete the encryption process.
“With this software we are capable of detecting what’s called zero-day ransomware because it’s never been seen by the computer before,” Mitch Thornton, executive director of the Deason Institute and professor of electrical and computer engineering in SMU’s Lyle School of Engineering, said in a statement. “Right now, there’s little protection for zero-day ransomware, but this new software spots zero-day ransomware more than 95 percent of the time.”
The tool also can scan for ransomware much faster than existing software, said Mike Taylor, lead creator of the software and a Ph.D. student at SMU.
“The results of testing this technique indicate that rogue encryption processes can be detected within a very small fraction of the time required to completely lock down all of a user’s sensitive data files,” Taylor said. Use of the computer’s own devices to spot ransomware “is completely different than anything else that’s out there,” he said.