Over the last few years, the number of malicious files has increased exponentially. Most AV vendors are targeted by malware creators, in the sense that they generate new versions of their malicious files until those files are detected by no product. Under these circumstances, keeping the detection rate at 100% becomes a difficult task.
The situation has become even worse in recent years with the appearance of new types of ransomware, which are becoming more and more sophisticated. Classical disinfection solutions are useless against ransomware families that encrypt files with asymmetric keys. If one of these malicious files passes undetected, the data is encrypted and cannot be recovered without paying the ransom. Many companies have been victims of such infections: important documents were compromised and the fee had to be paid. Ransomware writers have managed to extort millions of dollars in a single campaign.
There is a clear need for new types of defence mechanism, a form of vaccine that could prevent the destruction of data. In this paper we try to present some ideas that could help in these cases.
Since this malware mainly targets document files, our primary concern was to find a way to prevent their alteration. The first idea is based on a whitelisting method, which consists in allowing operations on the most common document types only through legitimate, known processes. In this way, unknown processes do not have permission to perform read/write operations on such documents.
Since ransomware has become more and more sophisticated, a more specific way of protecting users was needed. For this reason we started to look for conditions in the user environment that would cause the ransomware to stop working; finding such a condition would help us create a vaccine. Many ransomware families use markers that ensure a single run on the system: if the malware is already present on a computer (the marker exists), it will not infect the computer again. Although the geometry of the files changes a lot in order to avoid detection (different packers, different encryption methods), these markers are tied to the malware's behaviour, so they do not change that often. One idea was to reproduce these markers on our clients' computers so that, if a file passes undetected, it finds its marker and exits. Some of the examples in this paper, such as the Cryptowall and Torlocker vaccines, are related to this method.
Of course, this method only applies to known malware versions. We are trying to develop a more heuristic method that combines the most common markers used by these malware families with a database of whitelisted markers. Following this idea, if a malicious file creates such a marker on a client's computer, and the marker is not present in the database, it is automatically created on the computers of the other customers.
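The marker-based vaccine and the whitelist heuristic sketched above, as an added example (not the paper's code): the telemetry schema, marker names, process ids and scanner verdicts are all constructed placeholders, and the "plant a marker" step is modelled on a per-host set rather than by creating a real mutex, key or file.

```python
# A marker is a (kind, name) pair: named mutex, registry key or file.
# All names here are constructed placeholders, not any real family's markers.
WHITELIST_DB = {("mutex", "Local\\ExampleOfficeUpdater"),
                ("registry_key", "HKCU\\Software\\ExampleVendor")}

def single_run_guards(events):
    """Markers a process queried, found absent, then created: the trace a
    single-run check leaves in monitoring telemetry. Returns {pid: {markers}}."""
    pending, guards = set(), {}
    for ev in events:
        key = (ev["pid"], ev["kind"], ev["name"])
        if ev["op"] == "query" and not ev["found"]:
            pending.add(key)
        elif ev["op"] == "create" and key in pending:
            guards.setdefault(ev["pid"], set()).add(key[1:])
    return guards

def vaccine_candidates(events, verdicts, whitelist=WHITELIST_DB):
    """Guards created by a process the scanner classified malicious, minus
    markers legitimate software uses (so the vaccine never blocks it)."""
    found = set()
    for pid, markers in single_run_guards(events).items():
        if verdicts.get(pid) == "malicious":
            found |= markers - whitelist
    return found

def payload_would_run(host_markers, guards):
    """The malware's own check: proceed only if no guard marker exists yet."""
    return not (set(guards) & set(host_markers))

def vaccinate(fleet, candidates):
    """Plant the candidates on every other customer's host; returns what was new."""
    planted = {}
    for host, markers in fleet.items():
        planted[host] = candidates - markers
        markers |= planted[host]
    return planted

# Constructed telemetry from one infected host; pid 4242 is the ransomware.
EVENTS = [
    {"pid": 4242, "kind": "mutex", "name": "Local\\ExampleRansomGuard", "op": "query", "found": False},
    {"pid": 4242, "kind": "mutex", "name": "Local\\ExampleRansomGuard", "op": "create"},
    {"pid": 4242, "kind": "file", "name": "C:\\Users\\Public\\NOTE.txt", "op": "create"},  # never queried: not a guard
    {"pid": 1010, "kind": "mutex", "name": "Local\\ExampleOfficeUpdater", "op": "query", "found": False},
    {"pid": 1010, "kind": "mutex", "name": "Local\\ExampleOfficeUpdater", "op": "create"},
]
VERDICTS = {4242: "malicious", 1010: "clean"}
```

The whitelist step matters because a marker shared with legitimate single-instance software would otherwise stop that software from starting on every vaccinated host.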
Since ransomware appeared in the wild, many databases, source code repositories and documents of many kinds have been destroyed, so we should continue helping clients by researching these threats and providing vaccine solutions.