The increasing use by attackers of ransomware has security researchers thinking of new defences to mount. For organizations who have Mac users, Patrick Wardle, director of researcher at Synack, a California security solutions provider, has come up with what he calls a generic ransomware threat protector for the OS X platform.
Unlike solutions sold by commercial vendors that detect particular strains of ransomware, Wardle’s solution — called RansomWhere? — identifies a factor common in all ransomware; the creation of encrypted files.
RansomWhere? attempts to prevent this by detecting untrusted processes that are encrypting personal files. When that process is detected the software stop it and sends an alert to the user, who can decide whether it is malicious or a false positive.
Threatpost notes that there are a few generic defense mechanisms for Windows, such as Easy Sync Solutions’ CryptoMonitor, now owned by Malwarebytes.
“It is important to understand how RansomWhere? determines what (it thinks) is ransomware -as this can also help understand its alerts and how to effectively respond to them,” Wardle says on his site. The solution must decide that the answer is ‘yes’ to two questions:
–Is the the process trusted? RansomWhere? trusts processes that are signed by Apple proper, or, where already present when the tool was installed, or have be explicitly approved by the user (i.e. you clicked ‘allow’ in a previous alert);
–Is the process quickly creating encrypted files? The software uses mathematical calculations to determine if a created/modified file is encrypted. If an untrusted process creates several of these quickly, RansomWhere? will generate an alert.
RansomWhere? will trust most binaries that were already present when it was installed, or have be explicitly approved by the user. However, it can be reset to clear its memory of these trusted applications.
Wardle admits the solution has some limitations: Malware could be designed to evade RansomWhere?, for example. If ransomware abuses an signed Apple binary (or process, perhaps via injection), RansomWhere? won’t detect it. The tool inherently trusts applications that are already present on the system when it is installed, so if ransomware is already present on the system it may not be detected. Finally, it is reactive, so malware will likely encrypt a few files (ideally only two or three), before being detected and blocked, the site says.
All this may cause CISOs to pause before allowing its use by staff. Still, it may be useful in some environments so may be useful for consideration after a risk analysis.
It will be interesting to see if commercial security vendors incorporate this approach as part of their solutions.