Study: Simple File-System Security Can Beat Ransomware

Ransomware Trojans and other intrusive malware can be effectively blocked through simple protection methods, concludes a multi-agency study, as reported by Computerworld.

The research paper, titled “Cutting the Gordian Knot”, was written as a joint effort by researchers at multiple security firms and institutions such as:

  • Lastline Labs
  • Symantec
  • Northeastern University
  • Institut Eurecom, based in France.

The study specifically delves into the ways in which ransomware can be countered, rather than looking at the newest strides and means through which ransomware has evolved.

The findings

As it turns out, ransomware can be countered easily once defenders take a detailed look at how such attacks are engineered.

An interesting finding came to light during the research: of more than 25,000 distinct samples that were cataloged and examined exhaustively, 94% of the attacks did not use file encryption. Instead, they relied on ransom threats and fundamentally superficial remote locking mechanisms to get victims to pay the ransom demands.

Additionally, the inner workings of a subset of 1,359 samples were analyzed, along with other popular Trojans such as:

  • CryptoLocker
  • CryptoWall
  • Reveton
  • Winlock
  • GPCode and more.

Of all the attacks analyzed, only 5.3% of the mainstream ransomware actually used file encryption. The rest simply locked the user’s computer or, in other cases, deleted files. A growing number of ransomware operators are also adopting ways to steal files, a steadily growing trend that offers insight into the future of ransomware.

NTFS to the rescue

The study also found that ransomware interacts with NTFS (New Technology File System) in peculiar ways. NTFS has been the default file system on Windows since Vista in 2007. The researchers determined that unusual behavior can be stopped as soon as it is detected by monitoring the Master File Table (MFT).

The key here is to understand the file system’s normal behavior and then block any deviations from routine patterns.

Attackers who try to evade detection by slowing the rate of encryption can be thwarted by creating ‘decoy’ files that are refreshed constantly. This gets the malware to encrypt fake, meaningless files.
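The decoy-file idea described above, as an added example that is not code from the research paper: it plants decoys, reports any decoy that has been rewritten or removed, and refreshes them on demand. The file names, the SHA-256 manifest, the polling approach and the 7.0 bits-per-byte entropy threshold are assumptions chosen for illustration.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

DECOYS = ["~budget.docx", "~contacts.xlsx", "~notes.txt"]  # constructed names


def body(name, generation):
    # Deterministic low-entropy text, changed on every refresh.
    return (f"decoy {name} generation {generation}\n" * 64).encode()


def entropy(data):
    # Shannon entropy in bits per byte; encrypted output approaches 8.0.
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def plant(directory, generation=0):
    # Write (or refresh) every decoy; return {path: expected SHA-256}.
    manifest = {}
    for name in DECOYS:
        path = Path(directory) / name
        path.write_bytes(body(name, generation))
        manifest[path] = hashlib.sha256(body(name, generation)).hexdigest()
    return manifest


def check(manifest):
    # Return (file name, reason) for each decoy that no longer matches.
    alerts = []
    for path, expected in manifest.items():
        if not path.exists():
            alerts.append((path.name, "missing"))
            continue
        data = path.read_bytes()
        if hashlib.sha256(data).hexdigest() != expected:
            kind = "high-entropy rewrite" if entropy(data) > 7.0 else "modified"
            alerts.append((path.name, kind))
    return alerts


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        manifest = plant(d)
        (Path(d) / DECOYS[0]).write_bytes(os.urandom(4096))  # simulated encryption
        print(check(manifest))
```

Calling `plant()` again with a new generation number refreshes the decoys, so a scheduled job can alternate `check()` and `plant()` and treat any alert as a signal to investigate the writing process.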

“Based on our analysis, we conclude that detecting and stopping a large number of destructive ransomware attacks is not as complex as it has been reported and deploying practical defense mechanisms against these attacks is possible due to the engineering of NTFS file system,” wrote the security professionals in the research paper.