COMMSEC: A Passive Listing Ransomware Detector


We have built (a prototype of) a passive listing ransomware detector that is able to guard network data shares against ransomware in real world operation.

Ransomware is a variation of malware that takes partial or full control of the victim’s computer, often through encryption or locking the computer itself behind an alternative desktop. The end goal is to extort the owner of the computer into paying a ransom in order to undo or avoid further damage. In contrary to most malware-practices, ransomware reveals its presence to the users.

Once the ransomware announces itself, the damage usually is already done. Early and rapid detection are therefore essential. While ransomware as a concept has been around for decades, it has become a prominent problem only recently, with the number of attacks going up.

There have been numerous studies into the detection of ransomware, often using a sandbox and creating signatures based on those finding. These signatures can then be used to detect ransomware under real world conditions. The problem is that this way of detection is very intrusive on the computer itself, one has to install this software on every host and every small change in the ransomware has a chance of voiding the created signature.  Another problem is that the ransomware can possibly attack the detection software, causing an arms race between ransomware and vendors.

The challenge is thus to find a way to prevent the ransomware from ever infecting the hosts, detecting it on the network layer without disrupting normal user behaviour (i.e. low false positive rates) and creating generalizable detection rules that can detect classes and/or families of ransomware, rather than a specific instance or version.

Trying to defend against ransomware, by trying to undo the encryption of the affected resources, is a very costly effort, if not near impossible. Thus we propose a light weight network method, based on the SMB protocol, to monitor resources outside of a host to detect ransomware while it is encrypting and halt the operation before too much damage is done.

We have shown that in a controlled environment several statistical metrics such as entropy and data length and several operation metrics such as comparing the difference between the read and write operations are effective in the rapid detection of ransomware activity. Our study argues that for ransomware data length changes only by a small degree (~1%), while (normalized absolute) entropy can increase over 30%, which make our methods useful in real world (enterprise) detectors. So far we were able to detect several different families of ransomware, including (but not limited to): CryptXXX, CryptoWall and JigSaw.

Our strategy for network based defense against ransomware, using normalized absolute entropy and data length metrics, can be an effective measure in ransomware defense under real world usage conditions.

Location: Track 4 / CommSec Date: April 13, 2017 Time: 11:15 am - 11:45 am Paulus Meessen Don Mulders