
Try as they might, ransomware crooks can't hide their tells when playing hands

Sophos sees common behavior across various infections

Common behaviors shared across all families of ransomware are helping security vendors better spot and isolate attacks.

That is according to a report from British security shop Sophos, whose breakdown (PDF) of 11 different ransomware families, including WannaCry, Ryuk, and GandCrab, found that because every ransomware attack has the same goal, encrypting user files until a payment is made, the samples all have to perform many of the same tasks.

"There are behavioral traits that ransomware routinely exhibits that security software can use to decide whether the program is malicious," explained Sophos director of engineering Mark Loman.

"Some traits – such as the successive encryption of documents – are hard for attackers to change, but others may be more malleable. Mixing it up, behaviorally speaking, can help ransomware to confuse some anti-ransomware protection."

Some of that behavior, Loman says, includes signing the malware with stolen or purchased code-signing certificates so that it slips past some security checks. In other cases, ransomware installers use elevation-of-privilege exploits (which often go unpatched because of their low risk scores) or optimize the encryption routine for multi-core CPUs in order to encrypt as many files as possible before being spotted.

"Ransomware creators are acutely aware that network or endpoint security controls pose a fatal threat to any operation, so they've developed a fixation on detection logic," Loman explained.

"Modern ransomware spends an inordinate amount of time attempting to thwart security controls, tilling the field for a future harvest."


Even with these countermeasures, Loman notes, Sophos and other anti-malware vendors retain an advantage: they know that sooner or later the malware has to access the file system and begin encrypting data. That is the point at which an attack has to expose itself, and the spot where security tools can stop it.
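As an added illustration of the "successive encryption of documents" tell that Loman describes (example code written for this page, not Sophos's detection logic), the following Python scores a constructed stream of file-write events. The event fields, the process names and PIDs, the thresholds, and the sample data are all invented for the example; the point it makes is that a process which rewrites many distinct user documents with high-entropy bytes in a short window stands out even when each individual write looks ordinary.

```python
import hashlib
import math
import os
from collections import defaultdict

# Hypothetical sensor output: a file-system monitor emitting one record
# per write with a timestamp (s), pid, process image, path and the first
# bytes written. Field names and values are constructed for this example.
DOC_EXTENSIONS = {".txt", ".pdf", ".jpg", ".docx", ".xlsx"}

# Deterministic stand-in for ciphertext: 4096 bytes of SHA-256 output.
HIGH_ENTROPY = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
# Ordinary English text, as a word processor might save it.
LOW_ENTROPY = b"Quarterly figures attached; see sheet 2 for detail.\n" * 80


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample; ~8.0 for ciphertext, ~4-5 for text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def find_successive_encryption(events, window_s=10.0, min_files=5,
                               entropy_threshold=7.0):
    """Return {pid: verdict} for processes that wrote high-entropy content
    to document files. A process is flagged when it touches at least
    `min_files` distinct documents inside any `window_s` second window."""
    writes = defaultdict(list)   # pid -> [(ts, path)]
    images = {}
    for ev in events:
        ext = os.path.splitext(ev["path"])[1].lower()
        if ext not in DOC_EXTENSIONS:
            continue
        if shannon_entropy(ev["data"]) < entropy_threshold:
            continue
        writes[ev["pid"]].append((ev["ts"], ev["path"]))
        images[ev["pid"]] = ev["image"]

    verdicts = {}
    for pid, seq in writes.items():
        seq.sort()
        best, start = 0, 0
        for end in range(len(seq)):            # sliding time window
            while seq[end][0] - seq[start][0] > window_s:
                start += 1
            distinct = len({p for _, p in seq[start:end + 1]})
            best = max(best, distinct)
        verdicts[pid] = {"image": images[pid],
                         "max_files_in_window": best,
                         "flagged": best >= min_files}
    return verdicts


def _ev(ts, pid, image, path, data):
    return {"ts": ts, "pid": pid, "image": image, "path": path, "data": data}


# Constructed sample stream (not real telemetry).
SAMPLE_EVENTS = [
    # Benign: an editor saving one plain-text note.
    _ev(0.0, 1200, "notepad.exe", r"C:\Users\ann\Documents\notes.txt", LOW_ENTROPY),
    # Benign: a scanner app re-saving the same image-heavy PDF six times.
    # High entropy, but only one distinct file, so it is not flagged.
    *[_ev(1.0 + 0.5 * j, 1330, "scanner.exe",
          r"C:\Users\ann\Documents\scan.pdf", HIGH_ENTROPY) for j in range(6)],
    # Suspicious: one process overwriting eight documents in ~2 seconds
    # with ciphertext-like bytes.
    *[_ev(2.0 + 0.3 * i, 4410, "svc_update.exe",
          rf"C:\Users\ann\Documents\invoice{i}.pdf", HIGH_ENTROPY) for i in range(8)],
]

if __name__ == "__main__":
    for pid, v in find_successive_encryption(SAMPLE_EVENTS).items():
        print(pid, v)
```

Two caveats a practitioner should keep in mind. Real Office formats are zip containers and are already high-entropy, so entropy alone separates nothing; it is the breadth and rate of distinct-file rewrites by a single process, and the fact that the process is not the usual owner of those files, that carry the signal. And because the thresholds are tunable, they are exactly the kind of "malleable" behavior Loman warns about: a sample that throttles itself to four files per window, or spreads the work across several helper processes, would slip under this particular rule, which is why real products combine several such tells rather than relying on one.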

"It's important to recognize there's hope in this fight, and a number of ways admins can resist: Windows 10 Controlled Folder Access (CFA) whitelisting is one such way, allowing only trusted applications to edit documents and files in a specified location," says Loman.

"But whitelisting isn't perfect – it requires active maintenance, and gaps or errors in coverage can result in failure when it's most needed."

The report is the latest indication that the good guys are making some headway in the battle against ransomware infections. The Sophos report comes as other vendors have noted that many state and local governments that had previously been prime targets for ransomware are better protecting themselves, forcing criminals to look to more remote areas in search of low-hanging fruit. ®
