Ransomware made a huge splash in 2016. There’s no denying the motivation here: Money—as in virtually untraceable, digital cryptocurrency—has made this segment of the security realm nearly unstoppable. And if it continues to grow as projected, its reach will extend to more and more users, bringing in tens of millions of dollars for threat actors wishing to cash in on the epidemic.
So what does this mean for your data if it’s something that can’t be stopped? Well, many of the best practices still apply. For instance, making sure you’re up to date on system and application patches, rolling out modern antivirus with malware protection that is both updated and that actively runs in the background, and performing multiple scheduled backups are good computing habits. Of course, staying clear of questionable websites and not clicking on links or attachments sent to you via email, social media, or just about anywhere are excellent safety guidelines to practice too.
But even with all that, you’re still susceptible to data compromise. So what’s next? Well, next might be RansomFree. This proactive ransomware detection application watches your computer for files being accessed and monitors their interaction closely to determine whether encryption is taking place. Using behavioral detection techniques, if RansomFree determines that the behavior being displayed is ransomware, it immediately halts the process and flags it, creating an alert onscreen. At that point, the user must authorize the process before it will proceed, according to RansomFree’s developer.
But should we just take their word for it? I didn’t! I set out to test it first-hand to determine whether the application works as advertised. I purposely infected my Windows-based computer with a strain of ransomware to assess RansomFree’s real-life capabilities… and the results documented are nothing less than impressive.
First, a warning. DO NOT INFECT YOUR COMPUTER WITH RANSOMWARE! For the purposes of this test, I created a virtual machine (VM) sandbox environment with a clean copy of Windows and Office. This VM was isolated from other computers on the network, as well. Furthermore, no patches or updates were made to the VM nor was it running any type of malware protection whatsoever.
Seeing how the ransomware operates
Since I have experience cleaning up the devastation left behind by malware—but not with infecting a machine on purpose—I decided to run this test twice after taking a snapshot of the VM as a point-in-time prior to the introduction of malicious code. The first time through, I would do so without RansomFree to see how the ransomware would operate on the system. Once it was confirmed to have worked, I would rerun the test with RansomFree installed to gauge how effective it was against this strain of ransomware, since now I’d have a good idea of what to look for.
I manually created a few files on the computer using Microsoft Word, PowerPoint, and Notepad, because ransomware is known to target file extensions for the most commonly used files to inflict the maximum amount of damage, while convincing their victims to pay up for the right to get their data back.
Next, I extracted the innocuous document with malicious code to the desktop and opened the file in Word.
With macros enabled, no warnings or prompts were provided while the script ran in the background, hidden from view. However, as you can tell from the photo above, it immediately made contact with a command and control (C&C) server and downloaded the payload application generated at random and executed it to begin the encryption process.
With so few files on the test bed VM, the rogue process encrypted my dummy files in no time flat. Had this been a production computer or file server, the process would have taken longer, but not by much. It is estimated that ransomware can copy your files, create the new encrypted versions, and delete the originals permanently in the span of about 100-200 files per minute. Once the files were encrypted, I renamed the extensions on them so that they appeared with their original extensions and were recognized by their corresponding applications.
Yet in trying to open each of the affected files, there was nothing but gobbledygook—or access was prevented altogether, as the file’s contents were effectively scrambled by the malware’s encryption.
This marks the end of the first run, which tested the ransomware itself, confirmed that it operated as designed, and recorded how it operates. The next phase covered what happened after I rolled back to the pre-infection snapshot—but this time I installed RansomFree before running the malware once again.
With RansomFree installed and working in the background, I once again executed the malicious document to reinfect the system. This time, the results were vastly different.
Three minutes. That’s all the time it took for RansomFree to detect the strange file manipulations occurring on the computer before it kicked in and not only halted the process thread but prompted me to approve or deny the process from taking any further action.
When I clicked Yes, the process (and its dependencies) was stopped permanently and removed from memory, effectively preventing any files from becoming encrypted. The application provided a confirmation message indicating that the threat had been prevented and eliminated from the computer.
RansomFree saved the day! Well, the data was spared and the system kept humming right along without skipping a beat or requiring any reboots or service interruptions. True to its word, RansomFree worked like a charm.
How does it do it?
The secret to RansomFree’s success is not in signature files like those used by antivirus applications, but rather in how it detects ransomware-like behavior (e.g., the local encryption of user data). This makes the application good at doing its job, since all ransomware thus far has displayed the same characteristics regardless of its payload. Whether the attack arrives as a Trojan, a vulnerability exploit, or malicious code alone (aka file-less ransomware), RansomFree is designed to watch how the offending process interacts with files on the system and to bring it to an immediate halt once the behavior is classified as a threat, keeping it stopped until the user intervenes.
While testing this application myself, I did find evidence of false positives being detected when using some third-party software. However, it would stand to reason that this is a real possibility, given that some applications offer the ability to encrypt single files they use, or in the case of third-party encryption applications, as was my specific case. Either way, that would appear to me to be a small price to pay to avoid going through the removal and data recovery process in cleaning up a ransomware infection—or having to pay to get your data back and waste all the time that takes to complete.
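To make the behavioral approach concrete, and to show why the false-positive case just described is inherent to it, here is an added Python sketch (not RansomFree’s code) of an entropy-based monitor: it flags any process that overwrites several user documents with ciphertext-like data, whatever that process is called. The thresholds, process names, paths, and file-write events are constructed for the illustration.

```python
import math
import os
import random
from collections import defaultdict

# Thresholds are assumptions for this illustration, not RansomFree's actual tuning.
ENTROPY_THRESHOLD = 7.5   # bits per byte; ciphertext sits near 8.0, prose near 4.0
FILES_THRESHOLD = 5       # distinct user files rewritten with ciphertext-like data
USER_EXTENSIONS = {".docx", ".pptx", ".txt", ".xlsx", ".pdf", ".jpg"}

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~8.0 for encrypted data, far lower for documents."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def classify_writes(events):
    """events: iterable of (process, path, data). Returns {process: flagged}.

    A process is flagged once it has overwritten FILES_THRESHOLD or more user
    files with high-entropy content, regardless of what the process is called.
    """
    seen = set()
    high_entropy_files = defaultdict(set)
    for process, path, data in events:
        seen.add(process)
        ext = os.path.splitext(path)[1].lower()
        if ext in USER_EXTENSIONS and shannon_entropy(data) >= ENTROPY_THRESHOLD:
            high_entropy_files[process].add(path)
    return {p: len(high_entropy_files[p]) >= FILES_THRESHOLD for p in seen}

def constructed_events():
    """Constructed file-write events standing in for a file-system monitor feed."""
    rng = random.Random(1)  # deterministic stand-in for ciphertext
    ciphertext = lambda: bytes(rng.getrandbits(8) for _ in range(4096))
    events = [("WINWORD.EXE", r"C:\Users\test\notes.docx", b"quarterly report " * 200)]
    # Payload rewriting every dummy document with ciphertext, as in the first run
    events += [("payload.exe", rf"C:\Users\test\file{i}.pptx", ciphertext()) for i in range(8)]
    # A third-party encryption tool the user ran on purpose shows the same pattern
    events += [("encrypt_tool.exe", rf"C:\Users\test\vault{i}.pdf", ciphertext()) for i in range(6)]
    return events

if __name__ == "__main__":
    for process, flagged in classify_writes(constructed_events()).items():
        print(f"{process:18} {'HALT and prompt user' if flagged else 'allow'}")
```

The deliberately run encryption tool is flagged exactly like the payload, which is the trade-off described above: the monitor sees the same file interaction and leaves the decision to the user.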
RansomFree worked as advertised. It’s also small and runs largely in the background, checking processes for malicious activity. And did I mention that it’s free? Not for a trial period or pending an ongoing subscription, but as in free for personal and commercial use on both client and server versions of Windows operating systems. There’s really no excuse not to give it a shot and let it work to stop a possible ransomware infection from occurring, as it did in my tests. If you’re not targeted, you’d never know it was there—but isn’t it great peace of mind to have it on your side in the event of a breach? I think so. That’s why I’ve added it to my repertoire of go-to software apps and installed it on all my personal and commercial computers and servers.
Source: SANS ISC SecNewsFeed @ February 21, 2017 at 12:21PM