Stories
Slash Boxes
Comments

SoylentNews is people

SoylentNews is powered by your submissions, so send in your scoop. Only 18 submissions in the queue.

Try As They Might, Ransomware Crooks Can't Hide Their Tells When Playing Hands

posted by Fnord666 on Saturday November 16 2019, @11:38PM   Printer-friendly
from the poker-analogies dept.

Arthur T Knackerbracket has found the following story:

Common behaviors shared across all families of ransomware are helping security vendors better spot and isolate attacks.

This according to a report from British security shop Sophos, whose breakdown (PDF) of 11 different malware infections, including WannaCry, Ryuk, and GandCrab, found that because ransomware attacks all have the same purpose, to encrypt user files until a payment is made, they have to generally perform many of the same tasks.

"There are behavioral traits that ransomware routinely exhibits that security software can use to decide whether the program is malicious," explained Sophos director of engineering Mark Loman.

"Some traits – such as the successive encryption of documents – are hard for attackers to change, but others may be more malleable. Mixing it up, behaviorally speaking, can help ransomware to confuse some anti-ransomware protection."

Some of that behavior, says Loman, includes things like signing code with stolen or purchased certificates, to allow the ransomware to slip past some security checks. In other cases, ransomware installers will use elevation of privilege exploits (which often get overlooked for patching due to their low risk scores) or optimize code for multi-threaded CPUs in order to encrypt as many files as possible before getting spotted.

Original Submission

 
This discussion has been archived. No new comments can be posted.
Try As They Might, Ransomware Crooks Can't Hide Their Tells When Playing Hands | Log In/Create an Account | Top | 6 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 0) by Anonymous Coward on Sunday November 17 2019, @06:43AM

    by Anonymous Coward on Sunday November 17 2019, @06:43AM (#921201)

    I think they are actually thinking of the more common Copy-on-Write file systems like ZFS or btrfs. CoW file systems work, essentially, by storing a new copy of each file on write and have many characteristics in common with incremental backups. In fact, many CoW systems explicitly allow you to save the past X writes to allow such rollbacks. (If they weren't thinking of CoW, then it would seem they have a misunderstanding of the nature of ransomeware attacks and/or how journaling systems work).

    It is also worth noting that in addition to CoW, log based, soft update, and journal file systems can also be used to restore old version, if you had enough space for the data and file structures. Now, with a journaling file system it is much trickier as it depends on whether you have full journaling (not just logical journaling) enabled and a large enough journal as to whether your journal would still have the data you need after that much writing. CoW systems would depend on having a high enough snapshot threshold. And, finally, log and the more common of the soft update file systems would depend on having enough free space on the drive to prevent the system from reclaiming the space, as most don't have a snapshot threshold.