SoylentNews is people
SoylentNews
Arthur T Knackerbracket has found the following story:
Common behaviors shared across all families of ransomware are helping security vendors better spot and isolate attacks.
This according to a report from British security shop Sophos, whose breakdown (PDF) of 11 different malware infections, including WannaCry, Ryuk, and GandCrab, found that because ransomware attacks all have the same purpose, to encrypt user files until a payment is made, they have to generally perform many of the same tasks.
"There are behavioral traits that ransomware routinely exhibits that security software can use to decide whether the program is malicious," explained Sophos director of engineering Mark Loman.
"Some traits – such as the successive encryption of documents – are hard for attackers to change, but others may be more malleable. Mixing it up, behaviorally speaking, can help ransomware to confuse some anti-ransomware protection."
Some of that behavior, says Loman, includes things like signing code with stolen or purchased certificates, to allow the ransomware to slip past some security checks. In other cases, ransomware installers will use elevation of privilege exploits (which often get overlooked for patching due to their low risk scores) or optimize code for multi-threaded CPUs in order to encrypt as many files as possible before getting spotted.
(Score: 1, Informative) by Anonymous Coward on Sunday November 17 2019, @07:18AM
No, Journaling file systems do nothing to prevent FILE corruption. They are designed to prevent FILE SYSTEM corruption. Specifically, they are designed to keep the different metadata structures of the disk in a consistent state. Ordered journals with barriers have the additional design benefit of keeping the metadata in a consistent state with the actual file content. Full journals have the additional design benefit of preventing some data writes from getting lost (which might incidentally cause corruption if interrupted) on replay of the journal. But do note that only full journaling prevents such incidental file corruption on overwrites.
None of these do anything to prevent your data from being changed in-place from raw writes, cosmic rays, or whatever. They also don't allow you to recover from any errors in the writes either. They definitely don't prevent damage from otherwise acceptable commands from your software, especially those that complete successfully.