University of Florida Researchers Develop A Method To Stop Ransomware

By ISBuzz Team, Writer, Information Security Buzz | Jul 14, 2016 11:07 pm PST

Scientists at the University of Florida (UF) say they have developed software that can stop the growing problem of ransomware in its tracks. In response to this news, security experts provide their insights on the research below.

Richard Cassidy, cyber security evangelist at Alert Logic:

“Ransomware is indeed a global problem, reaching epidemic levels given the many high-profile cases this past while, where ransom payments have been made. The industry is constantly striving to innovate in ransomware detection and prevention, with technologies across the stack (endpoint to point of entry into network) trying all in their power to come up with new and effective mechanisms to protect end-users and business data better.

Whilst the steps taken by researchers at the University of Florida are indeed a novel way in which to detect and contain ransomware, they don’t serve as the “silver bullet” for ransomware as a whole. There are new variants being written all the time, and ransomware writers will indeed take the time to dissect and understand how this new technology operates, creating versions that will attempt to either bypass detection or, at the very least, search more effectively for likely sensitive files before encrypting them, with the hope of having the biggest impact and securing a ransom payment. If the technology proposed allows the ransomware to start encryption of a few files, then it’s a game of averages on whether or not those files that are affected are of critical importance to the business.

Then there’s the challenge with ransomware evolving to operate below the OS, perhaps infecting host controllers, or running at lower levels than the software attempting to detect it is; here we are talking about the most targeted versions of ransomware, that simply can’t be detected by mass technology capabilities, until it’s infected the targeted assets and already set about its functions, either by communicating back to its command and control network, or by operating on a timed basis, threatening to delete all data if payment isn’t made. These represent emerging threats that the industry is working hard to identify, collaborating across multiple technologies, to be more effective together.

Overall, however, there is the age-old principle that ransomware is mainly a social engineering threat that enters the front gates of our network and devices by way of phishing e-mails or malicious links embedded in documents, requiring the targeted user to interact with them. If users remained better educated on ransomware attack vectors and increased vigilance on not only the communication they are receiving but the sites they visit, we’d go a far greater distance in preventing ransomware overall.”

Simon Crosby, CTO and co-founder at Bromium:

“The idea of letting ransomware lock up a few useless files is not new, or worthy of a university to claim as innovation. Many enterprise customers that seek to adopt a truly differentiated approach that completely eliminates all forms of crypto malware – such as micro-virtualization – start out by having a disk partition or a file share with a name such as “AAAA” mounted on their PCs. This file share contains a few big files with random data. The idea is that ransomware will encrypt these first. Of course attackers are smarter than that. Already variants exist that randomly pick a starting point in the file system to bypass this rather obvious idea. Only isolating malware as it executes on the endpoint can stop all crypto-malware in its tracks.”

Mark James, Security Specialist at ESET:

“Any deterrent or recovery from ransomware is a fantastic idea. It’s one of those prolific threats that can quite literally affect anyone and everyone, and anything we can do to help or even stop it gets all the support from me. But as with anything like this, it relies on uptake and of course cost. This particular method will stop ransomware after it has encrypted a few files; what happens if those “few” files are your most important?

Don’t get me wrong, I wholeheartedly welcome anything that will help the victim, but there are lots of things we can already do to protect against ransomware. It’s mentioned time and again, but backup and disaster recovery will protect you against ransomware every time. It can be low cost, it can be easy, it’s available now and anyone can get it and use it. Multi-layered protection is the best way to combat modern-day threats; those layers will include internet security software, firewalls, backup software, updated hardware and operating systems, knowledge and of course common sense. All these things are available to everyone reading this right now to protect your very valuable, often priceless memories or data.”

Javvad Malik, Security Advocate at AlienVault:

“Ransomware is a major issue that affects consumers and companies across all verticals and sizes. It’s a problem that many researchers across the globe are actively working to address.

“One of the biggest challenges is the variety of different ways ransomware operates; it is written and executed in different ways. Currently, the best way to detect ransomware is by implementing a unified approach that looks for different behaviours across the network and host machine. This includes communication established with command and control centres or files being changed locally. In order to stay up to date with the methods and infrastructure that attackers are using, timely and reliable threat intelligence plays a crucial role.

“This is particularly important as attackers will often change their tactics in response to evolving defences, in the classic cat-and-mouse game we have witnessed in cyber security over the years.”

Jim Tyer, EMEA channel director at AppRiver:

“This looks like it could offer an important additional step that businesses can take (in addition to malware protection and secure backup) to protect themselves against ransomware. Of course the real issue, though, is adoption. Most companies currently aren’t taking all the steps they should to protect themselves. The big question is whether this technology will be marketed and implemented widely before attacks happen – or after the fact, which is usually what happens.”

David Gibson, VP of strategy and market development at Varonis:

“Watching user behaviour on workstations to detect and stop the spread of ransomware is a valuable layer of defence, but organisations have learned the hard way that relying on a single layer of defence is a mistake. Organisations have traditionally approached security from the “outside in” – deploying defences that try to keep the bad guys (and bad software) out. Ransomware has made it glaringly obvious how vulnerable organisations are when a defensive layer fails. Once it’s in, ransomware encrypts hundreds or thousands of files on the infected workstation, and then (worse) starts encrypting tens or hundreds of thousands of files on file servers accessible over the network. Smart organisations are realising that they need to detect unusual activity more quickly – especially on their large data stores – and that they need to better restrict access so that a compromised workstation or account can’t do so much damage. This is an “inside out” approach to security that also defends against insider threats that are far worse than ransomware, like rogue administrators and disgruntled employees.”
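Two of the comments above describe concrete detection layers: Simon Crosby's decoy share of random-data files (with the caveat that variants which pick a random starting point in the file system never touch it), and David Gibson's point that unusual activity on large data stores needs to be spotted quickly. The following is an added Python example, not code from the article, the University of Florida researchers or any of the quoted vendors, that shows both layers side by side: a canary-file integrity check, and a sliding-window rate detector run over constructed file-server audit events. The decoy prefix, file sizes, thresholds, user names, paths and the event tuple format are all assumptions made for the example.

```python
import hashlib
import os
import shutil
import tempfile
from collections import deque

# Decoy names that sort first, mirroring the "AAAA" share in the quoted comment.
# Prefix, sizes, thresholds and the event format are constructed for this example.
CANARY_PREFIX = "AAAA_"


def sha256_file(path):
    """Hash a file in chunks so large decoys do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def create_canaries(directory, count=3, size=1024 * 1024):
    """Write `count` decoy files of random bytes; return a {path: sha256} baseline."""
    baseline = {}
    for i in range(count):
        path = os.path.join(directory, f"{CANARY_PREFIX}{i:03d}.bin")
        with open(path, "wb") as fh:
            fh.write(os.urandom(size))
        baseline[path] = sha256_file(path)
    return baseline


def check_canaries(baseline):
    """Return decoys that are missing or whose content no longer matches the baseline.

    Nobody has a legitimate reason to touch a file of random bytes, so any change is a
    high-confidence signal. Malware that starts elsewhere in the file system never trips
    this check, which is why the rate detector below is needed as a second layer.
    """
    return sorted(
        path for path, digest in baseline.items()
        if not os.path.exists(path) or sha256_file(path) != digest
    )


def mass_modification_alerts(events, window_ms=10_000, threshold=50):
    """Flag users who change >= `threshold` files inside a sliding `window_ms` window.

    `events` are (timestamp_ms, user, path, operation) tuples, the shape a file-server
    audit log might yield. Returns {user: timestamp_ms at which the threshold was crossed}.
    """
    recent = {}   # user -> deque of timestamps still inside the current window
    alerts = {}
    for ts, user, _path, op in sorted(events):
        if op not in ("modify", "rename", "delete"):
            continue
        q = recent.setdefault(user, deque())
        q.append(ts)
        while ts - q[0] > window_ms:   # q holds ts itself, so this always terminates
            q.popleft()
        if len(q) >= threshold and user not in alerts:
            alerts[user] = ts
    return alerts


def sample_events():
    """Constructed audit events: one normal user and one user writing at ransomware pace."""
    events = [(i * 10_000, "alice", f"/share/finance/report{i}.xlsx", "modify") for i in range(6)]
    events += [(100_000 + i * 25, "bob", f"/share/finance/doc{i}.docx", "modify") for i in range(120)]
    return events


def run_canary_demo():
    """Create decoys in a temp dir, verify them, then overwrite one to show detection."""
    workdir = tempfile.mkdtemp(prefix="canary_demo_")
    try:
        baseline = create_canaries(workdir, count=3, size=64 * 1024)
        before = check_canaries(baseline)          # expected: []
        victim = sorted(baseline)[0]
        with open(victim, "wb") as fh:             # simulated tampering: plain overwrite
            fh.write(b"\x00" * 64 * 1024)
        after = check_canaries(baseline)           # expected: [victim]
        return {"before": before, "after": after, "victim": victim}
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    print(run_canary_demo())
    print(mass_modification_alerts(sample_events()))
```

Running the script prints an empty list before the overwrite and the tampered decoy afterwards, and flags only "bob", whose 120 writes in three seconds cross the 50-files-per-10-seconds threshold while "alice" never does. In practice the threshold is tuned per share from observed baseline rates, and an alert from either layer is the trigger to cut the offending account's access to the data store, which is the "restrict access so a compromised account can't do so much damage" point in the comment above.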

Michael Patterson, Founder and CEO at Plixer:

“This threat is real and growing. If the team behind CryptoDrop have a product that works as well as they say it does, their growth will be explosive. It would be nice if their software could harvest initial infection information as well and store it in the cloud. Perhaps if they can create a global database about each event, they can assist the FBI with tracking down the perpetrators.

“Many of our enterprise customers have shared stories regarding ransomware infections – the infected machines are a complete loss and must be reinstalled. Seldom do they pay the ransom, although many companies do.”