As ransomware rises, cybersecurity researchers fight back

Security researchers are developing new tools for consumers to protect themselves against the scourge of malware designed to encrypt files until victims pay fees.

Illustration by Erick Montes

June 13, 2016

Patrick Wardle admits he's not an authority on ransomware, but the former National Security Agency computer expert is rarely fazed by even the most cunning computer attacks.

So when he spotted a new variety of the dangerous program designed to encrypt victims' files until they pay ransoms, he set out to build a better tool to thwart the rising technical scourge.

"Hackers are kind of like burglars trying to break into people’s houses," says Mr. Wardle, who lives in Hawaii — separated from his employers at the Silicon Valley-based bug bounty firm Synack by more than 2,000 miles of Pacific Ocean. “If you have an alarm system, they’re just going to break into your neighbor’s house and steal all of their stuff. It’s just a numbers game.”

While ransomware attacks have been growing over the past several years, making headlines for hitting hospitals, police stations, and universities, many of the technical defenses are designed for large business systems. Until recently, the most that consumers could do was follow basic security practices: back up files and always avoid clicking on suspicious links.

And, according to Wardle, most antivirus software has failed to defend against new strains of ransomware. But it wasn't until they hit the Mac operating system that Wardle — whose research mainly focuses on Apple's computer security — became engaged in the fight. Until March, when attackers hacked the Mac-friendly BitTorrent program Transmission, ransomware attacks mostly took aim at Windows systems.

The variety of ransomware known as KeRanger proved troubling to Wardle since it appeared to be a legitimate Apple application — allowing the process of encrypting files to occur without the computer ever detecting it. Even for people who had the digital equivalent of alarm systems — such as sophisticated antivirus programs — the KeRanger attack had a way around them.

“The download was also signed with a developer ID," he said. "The user wasn’t to blame at all. That’s what spurred me to do something.”

Yet when he examined the KeRanger software, Wardle detected a glaring flaw. When it locked up files, KeRanger left behind a data trail. It was just the opening Wardle needed to build his own antiransomware tool.

His free program, RansomWhere?, acts as something of a ransomware alert system. It scours log files to provide a desktop warning to Mac users, notifying them when their files are being infected and encrypted by ransomware – and gives them the opportunity to stop it.

So far, RansomWhere? has been downloaded about 20,000 times, but it's hardly foolproof. The program also can't recover files that have already been encrypted.

But as Wardle continues to refine his side project — his day job is director of research for Synack — a growing number of other cybersecurity firms are coming out with programs designed to help consumers outwit malicious hackers armed with ransomware.

“We can’t stop this in a traditional method, so lots of new technologies are being developed to counter the threat,” says Adam Kujawa, head researcher at the antivirus company Malwarebytes. “With ransomware, when you find out you’re infected with it, it’s game over.”

Ransomware is spreading so fast that it now represents 70 percent of malware downloaded from webpages on the internet, says Mr. Kujawa. The company offers free antiransomware software that aims to stop ransomware from encrypting even a single computer file.

But most antiransomware products are designed for large business systems, such as the cybersecurity firm SentinelOne's updated malware protection system, which includes a feature called "rollback" that will restore clean copies of all files infected with ransomware.

Another firm, Vectra Networks, has also developed a ransomware detection scheme that can quickly recognize the virus by a series of malicious behaviors, such as unauthorized file encryption – combined with a so-called “file canary” system – a phony file system used to bait hackers.
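The two detection ideas the article describes, bait files that a legitimate user never touches and a check for files that suddenly look encrypted, can be demonstrated in a few dozen lines. The following is an added example written for this page, not code from Vectra Networks, Malwarebytes or RansomWhere?; the canary file names, the entropy threshold of 7.0 bits per byte and the simulated overwrite with random bytes are all constructed assumptions.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

# Constructed bait file names; real deployments would pick names that sort early
# and late so mass-encryption sweeps hit them first.
CANARY_NAMES = ["~canary_do_not_touch.docx", "zz_canary.txt"]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; plain text sits around 4-5, ciphertext near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def plant_canaries(root: str) -> dict:
    """Write known bait files and record their SHA-256 so any change is detectable."""
    baseline = {}
    for name in CANARY_NAMES:
        path = os.path.join(root, name)
        content = (f"CANARY {name} - plain-text bait, never edited by the user\n" * 20).encode()
        with open(path, "wb") as f:
            f.write(content)
        baseline[path] = hashlib.sha256(content).hexdigest()
    return baseline


def check_canaries(baseline: dict, entropy_threshold: float = 7.0) -> list:
    """Return (path, kind) alerts for canaries that vanished, changed, or now look encrypted."""
    alerts = []
    for path, digest in baseline.items():
        if not os.path.exists(path):
            alerts.append((path, "missing"))
            continue
        with open(path, "rb") as f:
            data = f.read()
        if hashlib.sha256(data).hexdigest() == digest:
            continue  # untouched: no alert
        kind = "encrypted" if shannon_entropy(data) >= entropy_threshold else "modified"
        alerts.append((path, kind))
    return alerts


def demo() -> list:
    """Constructed scenario: plant canaries, then overwrite one with random bytes
    to stand in for an encryptor; the monitor should flag exactly that file."""
    root = tempfile.mkdtemp()
    baseline = plant_canaries(root)
    with open(os.path.join(root, CANARY_NAMES[0]), "wb") as f:
        f.write(os.urandom(4096))
    return check_canaries(baseline)


if __name__ == "__main__":
    for path, kind in demo():
        print(f"ALERT {kind}: {path}")
```

In practice the check would run from a filesystem-event loop rather than once, and a "missing" or "encrypted" alert would suspend the writing process, which is the step the article says RansomWhere? gives the user a chance to take.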

But even though a handful of solutions are now available to consumers and businesses, ransomware criminals aren’t giving up just yet.

Last month, in fact, after the developers behind the ransomware TeslaCrypt released a master decryption key to security researchers – they cropped up again quickly. According to the Slovakian cybersecurity firm ESET, groups that had been distributing the virus moved on to another ransomware trojan called CryptProjectXXX.

But researchers such as Malwarebytes’ Kujawa can only do so much to stop the spread of ransomware — especially as low-level hackers can get access to the malicious software on internet forums. For now, consumers must remain alert to the threat by installing software updates, keeping software backups, and staying on the lookout for malicious websites and emails.

"People need to get things installed and protected before they get infected," he says. "It still comes down to the user saying 'look, I need to protect myself before this happens.'"