A group of researchers from the University of Florida and Villanova University has devised a technique, dubbed Crypto Drop, to defeat all ransomware. The team published a paper on their study that demonstrates that it is possible to stop the threat by monitoring the activity on the targeted files.
Of course, it is a best-effort approach: the countermeasures are triggered only once the ransomware starts encrypting files. The experts demonstrated that it is possible to block it when it had encrypted just 0.2 percent of the files on the infected machine.
The technique relies on three primary indicators of the ransomware activity:
The researchers also identified so-called secondary indicators that support the primary ones, including bulk deletion of files and file type funnelling.
The analysis of the file modifications was conducted by the researchers using a tool called sdhash, which, once executed, provides a similarity score between the original file and the encrypted one.
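The following is an added example, not code from the researchers or from Crypto Drop itself: a small monitor that scores a stream of file-system events against the indicators described above (a low similarity score between the original and the rewritten content, bulk deletions, and file type funnelling) and decides whether to prompt the user. It assumes a constructed event stream, uses difflib's byte ratio as a crude stand-in for sdhash, and the thresholds (0.3, three hits, 80 percent funnelling) are hypothetical.

```python
import difflib
from collections import Counter

def similarity(old: bytes, new: bytes) -> float:
    # Assumption: difflib's byte-level ratio stands in for sdhash's similarity score
    return difflib.SequenceMatcher(None, old, new, autojunk=False).ratio()

def extension(path: str) -> str:
    return path.rsplit(".", 1)[-1].lower() if "." in path else ""

def score_events(events, sim_threshold=0.3):
    """events: dicts with 'op' in {read, write, delete}, 'path', optional 'data'.
    Returns indicator counts and whether the user should be asked to confirm."""
    contents = {}      # last known bytes per path, from reads and writes
    last_read = None   # assumption: a write to a new path is compared with the last file read
    low_sim = deletes = 0
    read_types, write_types = Counter(), Counter()
    for ev in events:
        op, path = ev["op"], ev["path"]
        if op == "read":
            contents[path] = last_read = ev["data"]
            read_types[extension(path)] += 1
        elif op == "write":
            original = contents.get(path, last_read)
            if original is not None and similarity(original, ev["data"]) < sim_threshold:
                low_sim += 1   # new content no longer resembles the original
            contents[path] = ev["data"]
            write_types[extension(path)] += 1
        elif op == "delete":
            deletes += 1
            contents.pop(path, None)
    # file type funnelling: many distinct input types collapse into one output type
    total_writes = sum(write_types.values())
    funnel = (len(read_types) >= 3 and total_writes > 0
              and write_types.most_common(1)[0][1] / total_writes >= 0.8)
    suspicious = low_sim >= 3 or deletes >= 3 or funnel
    return {"low_similarity": low_sim, "bulk_deletes": deletes,
            "funnelling": funnel, "prompt_user": suspicious}

# Constructed sample data: plain text and pseudo-ciphertext made only of bytes >= 128
TEXT = b"Quarterly report draft v1. " * 4
CIPHER = bytes(128 + (i * 37) % 128 for i in range(len(TEXT)))
BENIGN = [{"op": "read", "path": "notes.txt", "data": TEXT},
          {"op": "write", "path": "notes.txt", "data": TEXT + b"Added a line."}]
RANSOM = []
for name in ("a.docx", "b.xlsx", "c.jpg", "d.pdf"):
    RANSOM += [{"op": "read", "path": name, "data": TEXT},
               {"op": "write", "path": name + ".locked", "data": CIPHER},
               {"op": "delete", "path": name}]

if __name__ == "__main__":
    print(score_events(BENIGN))   # nothing fires on an ordinary edit
    print(score_events(RANSOM))   # all three indicators fire, user is prompted
```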
The tests confirmed that the technique is able to contain the action of the ransomware: across all malware samples, only 10 files were lost out of a total of 5,099 (0.2 percent).
The table below includes the results for the test conducted using Crypto Drop against the principal ransomware families.
It is important to clarify that Crypto Drop is not a fully automated system; instead, it requires user interaction to distinguish between legitimate activity (such as encrypting files with a common compression tool) and a ransomware-based attack.
(Security Affairs – Crypto Drop, ransomware)