Software developed by SMU stops ransomware attacks:
Engineers from SMU's Darwin Deason Institute for Cybersecurity have developed software that detects ransomware attacks before attackers can inflict catastrophic damage.
[...] Unlike existing methods, such as antivirus software or other intrusion detection systems, SMU's new software works even if the ransomware is new and has not been used before.
SMU's detection method is known as sensor-based ransomware detection because the software doesn't rely on information from past ransomware infections to spot new ones on a computer. In contrast, existing technology needs signatures of past infections to do its job.
"With this software we are capable of detecting what's called zero-day ransomware because it's never been seen by the computer before," said Mitch Thornton, executive director of the Deason Institute and professor of electrical and computer engineering in SMU's Lyle School of Engineering. "Right now, there's little protection for zero-day ransomware, but this new software spots zero-day ransomware more than 95 percent of the time."
[...] "The results of testing this technique indicate that rogue encryption processes can be detected within a very small fraction of the time required to completely lock down all of a user's sensitive data files," Taylor noted. "So the technique detects instances of ransomware very quickly and well before extensive damage occurs to the victim's computer files."
[...] SMU's software works by watching for small but distinguishable changes in sensors built into the computer, which reveal when unauthorized encryption is taking place.
[...] Use of the computer's own devices to spot ransomware "is completely different than anything else that's out there," Taylor said.
(Score: 0) by Anonymous Coward on Monday May 18 2020, @12:43PM (1 child)
If you want to slow them down you could add honeypot folders with virtual files and folders inside that go on "forever". Then the ransomware might spend lots of time encrypting those files instead of encrypting files you care about. There are lots of clever things you can do for the virtual files - like use "dictionaries" to generate their content and filenames (based on "random" seeds and the path), and cache a few GBs of the writes - so it works even if the ransomware checks to see if stuff is actually written/changed.
No need for unicorn farts.
I did email the anti-ransomware honeypot ideas to a few AV vendors coz I'm too lazy to implement them. Most ideas are easy, good implementation and getting market adoption is hard.
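A sketch of the seeded-decoy idea from the comment above, as an added example that is neither the commenter's code nor SMU's software: decoy content is regenerated from a secret seed and the file's path, so a monitor can verify a decoy without storing it, and an entropy check on whatever replaced it flags a ciphertext-like overwrite. The seed, the word list, the 7.0-bit alarm threshold and the `constructed_ciphertext` stand-in are all constructed assumptions.

```python
import hashlib
import hmac
import math

# Constructed secret seed; assumption: kept in the monitor's config, never inside the decoy tree.
SEED = b"constructed-demo-seed"
# Toy "dictionary" for plausible-looking content (a real deployment would use a large word list).
WORDS = ["invoice", "quarterly", "budget", "draft", "summary", "notes", "client", "total"]
# Assumed alarm threshold in bits per byte: text stays well below it, ciphertext sits near 8.
ENTROPY_ALARM_BITS = 7.0


def decoy_bytes(rel_path: str, size: int = 4096) -> bytes:
    """Derive a decoy file's content from the seed and its path; the same path
    always yields the same bytes, so nothing has to be stored per file."""
    out, counter = bytearray(), 0
    while len(out) < size:
        digest = hmac.new(SEED, f"{rel_path}:{counter}".encode(), hashlib.sha256).digest()
        out += (WORDS[digest[0] % len(WORDS)] + " ").encode()  # pick a word from the digest
        counter += 1
    return bytes(out[:size])


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def check_decoy(rel_path: str, observed: bytes, size: int = 4096) -> dict:
    """Compare on-disk bytes with the regenerated decoy and score their entropy.
    'tampered' is any change at all; 'looks_encrypted' is the ciphertext-like signal."""
    entropy = shannon_entropy(observed)
    return {
        "tampered": observed != decoy_bytes(rel_path, size),
        "entropy": round(entropy, 2),
        "looks_encrypted": entropy >= ENTROPY_ALARM_BITS,
    }


def constructed_ciphertext(size: int = 4096) -> bytes:
    """Deterministic stand-in for an encrypted overwrite (constructed sample data, not a cipher)."""
    out = b"".join(hashlib.sha256(f"sample:{i}".encode()).digest() for i in range(size // 32 + 1))
    return out[:size]
```

A sweep over the decoy tree calls `check_decoy` on each path; a tampered decoy with high entropy is the alarm, and since the expected bytes come from the seed, a crawler or backup tool that merely reads the decoys changes nothing.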
(Score: 2) by vux984 on Tuesday May 19 2020, @10:34AM
The trouble with such honeypot folders is that everything from desktop indexing software to backup software needs to know about them and avoid them, or they'll fall into them. And even the naive user doing a simple backup of some folders or something can trip over them, or right-clicking on a folder and selecting properties to see how big it is, or how many files are in it when doing some manual clean up, can trip into them.
Worse, good ransomware may be written to look at where the backups, search indexers and MRU lists are pointing, so as to target the valuable data first.
Bottomless pits aren't really a good idea on most systems.