Caspar Herzberg |
According to recent statistics from Kaspersky Lab, 218,265 types of ransomware targeting mobile devices were detected in the first quarter of 2017. Over that same quarter, the share of Trojan ransomware among all mobile threats increased 3.5 times compared to the previous quarter. Also over the same period, 240,799 mobile users were affected by Trojan ransomware. Every major system is susceptible to an attack.
According to an interagency publication released by the US government, the average number of daily ransomware attacks increased by 300% between 2015 and 2016 (1,000 attacks daily in 2015 vs. 4,000 attacks daily in 2016). Cybersecurity Ventures reports that the yearly global cost of ransomware is projected to reach US$5 billion by the end of 2017, a 15-fold increase compared to 2015.
The financial effectiveness of ransomware has led to a booming black market for ready-to-use products. Research on the dark web economy conducted by Carbon Black shows a staggering 2,502% increase in ransomware sales on the black market in 2017 as compared to 2016. This goes to show that ransomware can easily be used without any special technical knowledge: it is available for purchase to anyone willing to pay.
Developing a ransomware protection solution
In the current environment, the demand for systems that are able to protect against ransomware has also increased. However, actually developing solutions that are capable of effectively dealing with never-before-seen threats is extremely challenging. Regular signature-based antivirus software is ill-fitted to tackle zero-day attacks.
Next-generation threat hunting solutions are required. A new approach that can detect both known and new types of ransomware combines in-depth system monitoring and machine learning for behaviour-based detection.
With this type of system in place, the host can be monitored for the typical ransomware behaviour described above. When such behaviour is detected, the associated file can be quarantined immediately.
It’s worth noting that detecting a single behavioural indicator does not allow you to reliably identify malware. In order to avoid false positives and false negatives, you need to identify several behavioural indicators and establish a connection among them. This means that events need to be analysed not separately, but rather in streams in order to get the proper context for each event.
You may think that the more sophisticated a behaviour analysis algorithm is, the better the solution works, but it’s not quite that simple. A behaviour-based approach to detecting unknown ransomware variants still isn’t perfect. There are certain issues that can arise and need to be tackled individually at the early stages of planning and developing anti-ransomware software:
• Critical performance requirements – A behaviour-based approach requires real-time system monitoring and analysis, which often proves quite resource-intensive. For quick removal and to limit the potential damage from ransomware as much as possible, it needs to be detected in real time, with the critical time typically being 1-3 minutes. Complex analysis and event correlation algorithms may simply deliver an alert too late. Engineers of behaviour analytics systems are always balancing substantial optimisation at every stage of the pipeline against designing smart combinations of simpler analysis algorithms.
• Establishing an effective baseline – Behaviour-based systems work by analysing the current stream of events and comparing it to an established baseline for normal system behaviour. If this baseline is chosen incorrectly, it can lead to a high number of false positives or false negatives. The biggest challenge in this regard is gathering the initial dataset. Beyond that, the system needs to study the behaviour of certain malware types in order to reliably detect them. Collecting a variety of existing ransomware examples can also prove quite a challenge.
• Susceptibility to behavioural obfuscation – Behavioural obfuscation, similar to code obfuscation, is designed to conceal the behaviour of malware by creating a certain amount of behavioural noise, making the malware undetectable by behaviour-based detection solutions. Very few types of ransomware currently use behaviour obfuscation, but as it becomes more popular it may prove to be a serious challenge in the future.
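The two ideas above that most need working form are the stream-based correlation of several indicators per process (a single indicator never raises an alert) and the comparison against a learned baseline of normal activity, decided per event so that the verdict arrives within the real-time budget. The following is an added example written for this page, not code from the original post or from Apriorit: the event record layout, the indicator heuristics, the window and threshold constants, and the clean "baseline recording" are all constructed assumptions.

```python
"""Stream-based correlation of several behavioural indicators per process.

Added example, not code from the original post. It puts the post's points
into working form: one indicator alone never raises an alert, several distinct
indicators must coincide within a short window for the same process, a "mass
modification" indicator is derived from a learned baseline of normal write
rates, and every verdict is made per event so it can be issued in real time.
Event records, thresholds and the baseline recording are all constructed.
"""
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Set, Tuple

WINDOW_SECONDS = 60.0   # indicators must fall within this window (assumed)
MIN_INDICATORS = 3      # distinct indicators needed for an alert (assumed)
BASELINE_FACTOR = 10.0  # write rate this many times the baseline = mass modification


@dataclass
class Event:
    ts: float             # seconds since monitoring started
    pid: int
    kind: str             # "write", "rename" or "delete"
    path: str
    entropy: float = 0.0  # Shannon entropy of the data written, bits per byte (0..8)


def static_indicator(ev: Event) -> Optional[str]:
    """Map a single event to an indicator name, or None if it is unremarkable."""
    name = ev.path.lower()
    if ev.kind == "write" and ev.entropy > 7.5:
        return "high_entropy_write"        # encrypted content looks like random bytes
    if ev.kind == "rename" and name.endswith((".locked", ".enc")):
        return "suspicious_extension"
    if ev.kind == "delete" and name.endswith((".bak", ".vbk")):
        return "backup_deletion"
    if ev.kind == "write" and name.endswith("how_to_decrypt.txt"):
        return "ransom_note_dropped"
    return None


class Baseline:
    """Average writes per process per minute learned from a clean recording."""

    def __init__(self, clean_events: List[Event], duration_min: float):
        writes = [e for e in clean_events if e.kind == "write"]
        if not writes or duration_min <= 0:
            raise ValueError("baseline needs a non-empty recording of known length")
        pids = {e.pid for e in writes}
        self.writes_per_min = len(writes) / len(pids) / duration_min


class StreamCorrelator:
    """Keeps a sliding window of indicators per pid and decides on every event."""

    def __init__(self, baseline: Baseline):
        self.mass_threshold = baseline.writes_per_min * BASELINE_FACTOR
        self.hits: Dict[int, Deque[Tuple[float, str]]] = {}
        self.write_times: Dict[int, Deque[float]] = {}

    def feed(self, ev: Event) -> Optional[Tuple[int, float, Set[str]]]:
        hits = self.hits.setdefault(ev.pid, deque())
        writes = self.write_times.setdefault(ev.pid, deque())
        # Drop state that fell out of the window so old noise cannot accumulate.
        while hits and ev.ts - hits[0][0] > WINDOW_SECONDS:
            hits.popleft()
        while writes and ev.ts - writes[0] > 60.0:
            writes.popleft()
        if ev.kind == "write":
            writes.append(ev.ts)
            if len(writes) > self.mass_threshold:
                hits.append((ev.ts, "mass_modification"))
        ind = static_indicator(ev)
        if ind is not None:
            hits.append((ev.ts, ind))
        distinct = {name for _, name in hits}
        if len(distinct) >= MIN_INDICATORS:
            return ev.pid, ev.ts, distinct
        return None


def detect(events: List[Event], baseline: Baseline) -> Dict[int, Tuple[float, Set[str]]]:
    """Return, per pid, the time and indicator set of the first alert."""
    corr = StreamCorrelator(baseline)
    alerts: Dict[int, Tuple[float, Set[str]]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        verdict = corr.feed(ev)
        if verdict and verdict[0] not in alerts:
            alerts[verdict[0]] = (verdict[1], verdict[2])
    return alerts


# Constructed 10-minute clean recording: two ordinary processes, five writes each.
CLEAN_RECORDING = [Event(60.0 * i, pid, "write", f"/docs/report{i}.docx", 4.2)
                   for pid in (10, 11) for i in range(5)]
SAMPLE_BASELINE = Baseline(CLEAN_RECORDING, duration_min=10.0)

# Constructed live stream: a backup tool (pid 300), a word processor (pid 100)
# and a process that behaves like ransomware (pid 200).
SAMPLE_STREAM = (
    [Event(50.0, 300, "delete", "/backups/old.bak")]   # one indicator only, no alert
    + [Event(100.0 + 30 * i, 100, "write", f"/docs/memo{i}.docx", 4.0) for i in range(3)]
    + [Event(100.0 + i, 200, "write", f"/docs/report{i}.docx", 7.9) for i in range(8)]
    + [Event(108.0, 200, "rename", "/docs/report0.docx.locked")]
)

if __name__ == "__main__":
    for pid, (ts, names) in detect(SAMPLE_STREAM, SAMPLE_BASELINE).items():
        print(f"pid {pid}: alert at t={ts:.0f}s, indicators={sorted(names)}")
```

Only pid 200 is reported, and only once its sixth write in a minute has pushed it past ten times the baseline rate and the rename has added a third distinct indicator; the backup tool's single `backup_deletion` hit expires from its window without ever being correlated with anything, which is the false-positive case the text warns about. Evicting state per event keeps the per-event cost bounded, which is what makes a real-time verdict feasible.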
Alternative approach: early blocking
An alternative strategy focuses on the moment ransomware and other malware penetrate a working system. The solution monitors and blocks malicious in-memory injections such as reflective DLLs or process injections without inspecting the full attack pattern, however simple or complex that pattern is. Thus, it naturally avoids the problems of time-consuming event correlation, ‘behaviour noise’, and system-wide baselining.
This approach also has its challenges: stable low-level system monitoring, reliably distinguishing legitimate from malicious resource usage, comprehensive coverage of every possible injection technique, and staying non-intrusive for legitimate activity. But once these questions are answered, this kind of threat prevention software proves effective at cutting off both known and unknown attacks at their starting point.
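To make the early-blocking idea concrete, the following added example (written for this page, not Apriorit's code) decides at the moment a source process completes the classic remote-thread injection sequence against another process, before the injected thread runs, and uses an allowlist to separate legitimate tooling from unknown binaries, which is the "discerning legitimate and malicious resource usage" challenge named above. The trace format, field names, stage names, allowlist entries and the sample events are all constructed assumptions; a real product would consume these events from a kernel-level monitor.

```python
"""Early blocking of cross-process injection from a kernel-level API trace.

Added example, not Apriorit's code. It shows the alternative strategy in the
text: rather than correlating behaviour over time, decide at the moment a
process finishes the remote-thread injection sequence against another process,
and distinguish legitimate from malicious use with an allowlist.
Trace format, field names, stage names and the allowlist are assumptions;
the trace below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The stages of a remote-thread injection as a kernel monitor would see them,
# in the order an injection must perform them against one target.
STAGES = ("open_process", "alloc_remote", "write_remote", "create_remote_thread")

# Images that are expected to operate on other processes (assumed; a real
# product builds this from signed-binary and policy data).
ALLOWLIST = {
    r"c:\program files\debugtool\dbg.exe",
}


@dataclass
class ApiEvent:
    ts: float
    source_pid: int
    source_image: str
    target_pid: int
    api: str              # a STAGES entry or any other call name
    protection: str = ""  # memory protection requested by alloc_remote, e.g. "rwx"


class InjectionGuard:
    """Tracks how far each (source, target) pair has progressed through STAGES."""

    def __init__(self) -> None:
        self.progress: Dict[Tuple[int, int], int] = {}
        self.exec_alloc: Dict[Tuple[int, int], bool] = {}

    def observe(self, ev: ApiEvent) -> Optional[dict]:
        """Return a decision dict when the sequence completes, else None."""
        if ev.api not in STAGES:
            return None
        key = (ev.source_pid, ev.target_pid)
        stage = STAGES.index(ev.api)
        reached = self.progress.get(key, -1)
        if stage == reached + 1:
            self.progress[key] = stage      # the next expected stage
        elif stage > reached + 1:
            return None                     # skipped stages: not this pattern
        # stage <= reached: a repeated stage keeps the progress already made
        if ev.api == "alloc_remote" and "x" in ev.protection.lower():
            self.exec_alloc[key] = True
        if self.progress[key] < len(STAGES) - 1:
            return None
        # Sequence complete: decide now, before the new thread runs.
        self.progress.pop(key)
        executable = self.exec_alloc.pop(key, False)
        action = "allow" if ev.source_image.lower() in ALLOWLIST else "block"
        return {"ts": ev.ts, "action": action, "source_pid": ev.source_pid,
                "target_pid": ev.target_pid, "executable_alloc": executable}


def evaluate_trace(events: List[ApiEvent]) -> List[dict]:
    """Feed a trace through the guard and collect every decision it makes."""
    guard = InjectionGuard()
    decisions: List[dict] = []
    for ev in sorted(events, key=lambda e: e.ts):
        d = guard.observe(ev)
        if d is not None:
            decisions.append(d)
    return decisions


DBG = r"C:\Program Files\DebugTool\dbg.exe"              # allowlisted debugger
TMP = r"C:\Users\alice\AppData\Local\Temp\invoice.exe"  # unknown binary

# Constructed trace: the debugger attaches to pid 400 legitimately, the unknown
# binary performs the same sequence against pid 1234, and a third process only
# opens a handle and creates a thread without allocating or writing memory.
SAMPLE_TRACE = [
    ApiEvent(1.0, 50, DBG, 400, "open_process"),
    ApiEvent(1.1, 50, DBG, 400, "alloc_remote", "rwx"),
    ApiEvent(1.2, 50, DBG, 400, "write_remote"),
    ApiEvent(1.3, 50, DBG, 400, "create_remote_thread"),
    ApiEvent(2.0, 77, TMP, 1234, "open_process"),
    ApiEvent(2.1, 77, TMP, 1234, "query_information"),   # unrelated call, ignored
    ApiEvent(2.2, 77, TMP, 1234, "alloc_remote", "rwx"),
    ApiEvent(2.3, 77, TMP, 1234, "write_remote"),
    ApiEvent(2.4, 77, TMP, 1234, "write_remote"),        # repeated stage
    ApiEvent(2.5, 77, TMP, 1234, "create_remote_thread"),
    ApiEvent(3.0, 90, r"C:\Tools\mon.exe", 500, "open_process"),
    ApiEvent(3.1, 90, r"C:\Tools\mon.exe", 500, "create_remote_thread"),
]

if __name__ == "__main__":
    for decision in evaluate_trace(SAMPLE_TRACE):
        print(decision)
```

The guard never looks at what the injected code would do, which is the point of the approach: the decision costs one dictionary lookup per event and needs no baseline. The third process shows the coverage caveat from the text: a sequence that skips stages is not matched, so a product taking this route has to enumerate every injection variant it intends to block, not just this one.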
Conclusion
Despite all the challenges, the IT industry can deal with modern threats by providing next-generation endpoint security software.
Vendors develop several alternative solutions, perfecting their strategies and building comprehensive zero-day attack detection and prevention products. It is worth mentioning that one of the key requirements of a security strategy is an integrated approach. And thus, while delivering a universal solution is always tempting, the ability to complement and join forces with other security systems can be an important benefit for a next-generation threat hunter.
Whatever approach is chosen, developing such a solution requires creating a whole set of technologies for in-depth system monitoring as well as developing optimised algorithms to allow real-time analysis and detection of malicious software. Developing this type of system requires commitment as well as a skilled system programming team.
If you’re looking for a team to develop your own ransomware detection software, look no further! At Apriorit, we have the talent, knowledge, and experience to deliver the solution you need.
Vitaly Plitchenko is market research specialist at Apriorit.
To read the full blog post, click here.