In the fight against ransomware, much of the discussion revolves around prevention and response. Actually detecting the ransomware, however, is just as important to securing your business. To understand why, just consider the following example.
Let’s say you’re a farmer taking care of a flock of sheep and you’re worried about wolves. You’ve installed a fence: that’s prevention. You have an air horn to scare away the wolf in the event of an attack: that's response. Great! But what if you had an alarm system and could take action as soon as the wolf got through your fence, before it started attacking at all? That’s what detection is all about.
Detection sits right between prevention and response, and it’s a critical first defense against ransomware. You see, ransomware will get through your systems one way or another. And when it does, we want to detect it right away so we can stop it from moving through your network and encrypting any valuable or sensitive files.
But detecting ransomware can be tricky. Attackers use obfuscation and evasion techniques to avoid detection, and new ransomware variants are being produced every day. As a result, businesses should be using multiple different ransomware detection techniques, fully aware of the pros and cons of each.
In this post, we’ll look at 5 ransomware detection techniques and their pros and cons.
- Static file analysis
- Common file extensions blacklist
- Honeypot files / deception techniques
- Dynamic monitoring of mass file operations
- Measure changes of files’ data (Entropy)
1. Static file analysis
Let’s say you’re on an IT or security team and an alert has triggered on a key server within the organization. The alert is rather vague, but it reports that a file is potentially malware.
Making matters worse, the hash of the file isn’t on VirusTotal and you can’t find any information on the Internet to determine if the file is malicious or not.
To see if this file is potentially ransomware (or any malware for that matter), one option is to do static file analysis. Static file analysis is a type of malware analysis that looks at whether an executable file is suspicious without actually running the code.
In the context of ransomware, static file analysis looks for known malicious code sequences or suspicious strings, such as commonly targeted file extensions and common words used in ransom notes.
[Figure: Static malware analysis examines a malware sample without executing it.]
One of the free tools that you may find useful for this purpose is PeStudio. This free tool flags suspicious artifacts within executable files and can be used to examine the embedded strings, libraries, imports, and other indicators of compromise (IOCs) in a file.
Pros:
- Low false positive rate
- Effective against known ransomware
- Can stop attacks before execution so no files are encrypted
Cons:
- Time consuming if conducted manually
- Can be bypassed easily using packers/crypters or by simply replacing characters with digits or special characters
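The string check described in this section, as an added example that is not from the original post or from PeStudio: it extracts ASCII and UTF-16LE strings from a file's bytes, matches them against ransom-note words and targeted extensions, and normalizes simple digit-for-letter substitutions before matching. The indicator lists, thresholds, and sample bytes are constructed assumptions.

```python
import re

# Constructed indicator lists for illustration, not a curated rule set.
NOTE_WORDS = ("encrypted", "decrypt", "bitcoin", "ransom", "recover your files")
TARGET_EXTS = (".docx", ".xlsx", ".pdf", ".jpg", ".sql", ".pst")
# Undo simple digit/symbol-for-letter substitutions before matching note words.
LEET = str.maketrans("013457@$", "oieastas")

def extract_strings(data: bytes, min_len: int = 4):
    """Return printable ASCII and UTF-16LE strings, like the `strings` utility."""
    ascii_re = rb"[\x20-\x7e]{%d,}" % min_len
    wide_re = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    found = [m.group().decode("ascii") for m in re.finditer(ascii_re, data)]
    found += [m.group().decode("utf-16le") for m in re.finditer(wide_re, data)]
    return found

def scan(data: bytes, min_words: int = 2, min_exts: int = 3) -> dict:
    """Match embedded strings against the indicator lists without running the file."""
    text = "\n".join(extract_strings(data)).lower()
    normalized = text.translate(LEET)  # only used for note words, not extensions
    words = sorted(w for w in NOTE_WORDS if w in normalized)
    exts = sorted(e for e in TARGET_EXTS if e in text)
    return {"note_words": words, "target_exts": exts,
            "suspicious": len(words) >= min_words and len(exts) >= min_exts}

def build_sample(note: str) -> bytes:
    """Constructed stand-in for an executable: header, extension table, wide-string note."""
    ext_table = b"\x00".join(e.encode() for e in (".docx", ".xlsx", ".pdf", ".sql"))
    return (b"MZ\x90\x00\x03\x00" + ext_table + b"\x00\x01\x02"
            + note.encode("utf-16le") + b"\xff\xfe")

PLAIN_NOTE = build_sample("Your files have been encrypted. Pay in Bitcoin to decrypt.")
SUBSTITUTED_NOTE = build_sample("Your files have been 3ncrypt3d. Pay in B1tcoin to d3crypt.")

if __name__ == "__main__":
    for name, blob in (("plain", PLAIN_NOTE), ("substituted", SUBSTITUTED_NOTE)):
        print(name, scan(blob))
```

Normalization only helps with character substitution; strings hidden by a packer or crypter never appear in the extracted text, which is the limitation listed under Cons.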
2. Common file extensions blacklist
With file access monitoring tools, you can blacklist file rename operations for well-known ransomware extensions, or be alerted as soon as a new file is created with such an extension.
For example, a file-access monitoring tool by NetApp allows you to block certain types of extensions from being saved on the storage system and shares, such as the extension used by the WannaCry ransomware (.wncry). Other ransomware blacklist solutions include ownCloud or Netwrix.
A variety of lists of common ransomware extensions are available on the Internet. One example is https://fsrm.experiant.ca/ (scroll down to "Raw List").
Pros:
- Low false positive rate
- Effective against common ransomware
- No damage is done
Cons:
- Trivial to bypass; ransomware with a new extension will manage to encrypt
- It can be difficult to find a file-monitoring solution that has an extension blacklist feature
3. Honeypot files / deception techniques
A honeyfile is a fake file intentionally placed in a shared folder or other location to detect the presence of an attacker; when the file is opened, an alarm is set off. For example, a file named passwords.txt could be used as a honeyfile on a workstation.
One popular way to create quick and easy honeyfiles is by using Canarytokens. Canarytokens is a free tool by Canary that embeds a token (unique identifier) into a document, such as Microsoft Word, Microsoft Excel, Adobe Acrobat, images, directory folders, and more.
Any time a Canarytoken is accessed, Canary sends you a notification email to the address tied to the token. You can rename the Canary files to names that ransomware actors search for when looking for files on the victim network, such as “statement,” “policy,” or “insurance.”
[Figure: Placing the Canarytoken in a folder where it will be seen by ransomware actors.]
Pros:
- Can detect ransomware that static engines do not catch
Cons:
- Some false positives, as programs and users may touch the bait files
- Files will be encrypted until ransomware touches the decoy files
- Bypass by skipping hidden files/folders, or by targeting specific folders
4. Dynamic monitoring of mass file operations
By monitoring the file system for mass file operations such as rename, write, or delete within a certain period of time, you can catch a ransomware attack happening in real time and potentially even automatically block it (depending on your solution).
A File Integrity Monitoring (FIM) tool can help you detect ransomware in this way. A FIM verifies and validates files by comparing the latest versions of them to a known, trusted “baseline,” and alerts you when files have been altered, updated, or compromised.
There are free open source FIM tools available, such as OSSEC and Samhain File Integrity, and other solutions feature real-time remediation capabilities so you can instantly block detected ransomware with an automated threat response.
Pros:
- Can detect ransomware that static engines do not catch
Cons:
- Files will be encrypted until the defined limit is exceeded
- Bypass easily by adding delay between encryptions or by spawning multiple processes to encrypt batches/groups of files
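A sliding-window counter for the mass file operation check described in this section, as an added example that is not from the original post or from any FIM product. The event tuple format, the 60-second window, and the limit of 20 operations are assumptions; the detector keeps one window per process and one host-wide window, so work split across several processes still counts toward the limit.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # assumed window length
THRESHOLD = 20        # assumed limit of watched operations per window
WATCHED_OPS = {"rename", "write", "delete"}

def detect_mass_ops(events, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return [(timestamp, key)] for the first time each key exceeds the limit.

    events: iterable of (timestamp_seconds, pid, op, path), sorted by timestamp.
    key is a pid, or the string "host" for the count across all processes.
    """
    windows = defaultdict(deque)   # key -> timestamps still inside the window
    alerted = set()
    alerts = []
    for ts, pid, op, _path in events:
        if op not in WATCHED_OPS:
            continue
        for key in (pid, "host"):
            q = windows[key]
            q.append(ts)
            # Drop operations that have aged out of the window.
            while ts - q[0] > window:
                q.popleft()
            if len(q) > threshold and key not in alerted:
                alerted.add(key)
                alerts.append((ts, key))
    return alerts

if __name__ == "__main__":
    # Constructed events: one process renaming a file every second.
    burst = [(i, 4242, "rename", f"/share/doc{i}.txt") for i in range(30)]
    print(detect_mass_ops(burst))
```

The alert timestamp shows the first Con directly: every operation before the 21st has already completed by the time the limit is exceeded. Operations spaced further apart than the window allows never accumulate, so this check is best paired with the other techniques in this post.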
5. Measure changes of files’ data (Entropy)
In cybersecurity, a file's entropy refers to a specific measure of randomness called "Shannon Entropy," where typical text files will have a lower entropy and encrypted or compressed files will have a higher entropy. In other words, by tracking files’ data change rate, we can determine whether the file was encrypted or not.
Patrick Wardle's free RansomWhere? tool uses file entropy to detect (and block!) untrusted processes that are encrypting your personal files. Tools that measure file entropy can also block processes after multiple flagged modifications with significant changes.
[Figure: Histogram of entropy of legitimate versus malicious files.]
Pros:
- Can detect ransomware that static engines do not catch
- Fewer false positives than previously mentioned dynamic techniques
Cons:
- High CPU utilization on the endpoint
- Files will be encrypted until a level of confidence is reached, so not all damage is blocked
- Bypass by encrypting only part of the file, by encrypting in chunks, or by using multiple processes to encrypt
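The entropy measurement described in this section, as an added example that is not from the original post or from RansomWhere?: it computes Shannon entropy in bits per byte and compares a file before and after a write, chunk by chunk, so a change confined to part of the file is still visible. The 1024-byte chunk size, the 7.5 threshold, the 2.0 minimum jump, and the sample data are assumptions.

```python
import hashlib
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def encrypted_chunks(before: bytes, after: bytes, chunk: int = 1024,
                     threshold: float = 7.5, min_jump: float = 2.0):
    """Offsets of chunks whose entropy rose by min_jump to at least threshold.

    Requiring a jump avoids flagging files that were already high-entropy
    before the write, such as compressed archives or media.
    """
    hits = []
    for off in range(0, len(after), chunk):
        h_old = shannon_entropy(before[off:off + chunk])
        h_new = shannon_entropy(after[off:off + chunk])
        if h_new >= threshold and h_new - h_old >= min_jump:
            hits.append(off)
    return hits

def fake_ciphertext(n: int) -> bytes:
    """Constructed stand-in for ciphertext: deterministic, uniformly distributed bytes."""
    blocks = (hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

# Constructed sample data: a 4096-byte text file and two modified versions of it.
LINE = b"Quarterly report: revenue figures and staffing plan for the northern region.\n"
PLAIN = (LINE * 64)[:4096]
FULL = fake_ciphertext(len(PLAIN))              # whole file rewritten
PARTIAL = fake_ciphertext(1024) + PLAIN[1024:]  # only the first 1024 bytes rewritten

if __name__ == "__main__":
    for name, blob in (("plain", PLAIN), ("full", FULL), ("partial", PARTIAL)):
        print(name, round(shannon_entropy(blob), 2), encrypted_chunks(PLAIN, blob))
```

On the partially rewritten sample the whole-file entropy stays below the threshold while the first chunk is flagged, which is why a per-chunk comparison is more robust against the partial-encryption bypass listed under Cons.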
Getting creative with ransomware detection techniques
Having several methods for detecting ransomware is integral to your organization's anti-ransomware strategy. Catching the ransomware early offers great insurance against lateral movement and further damage. But remember: always assume an attack will be successful.
No matter what, make sure you have a ransomware prevention and recovery strategy in place. You can read our Defenders Guide to Ransomware Resilience for more on ransomware response. In terms of prevention, our Ransomware Prevention Checklist is a great place to start.
Malwarebytes EDR’s anti-ransomware layer constantly monitors endpoint systems and automatically kills processes associated with ransomware activity. It features a dedicated real-time detection engine that does not use signatures, and doesn't require updates. Our EDR also has multiple combined modes of endpoint isolation and gives you up to 72 hours of ransomware rollback.