
Thales Blog

Stop Ransomware in its Tracks With CipherTrust Transparent Encryption Ransomware Protection

April 17, 2024

Russel McDonald | Principal Software Engineer, Thales

Our last blog, Ransomware Attacks: The Constant and Evolving Cybersecurity Threat, described the ever-present and evolving cybersecurity threat of ransomware. It’s no longer a matter of IF you get attacked, it’s a matter of WHEN you get attacked.

Articles on BleepingComputer.com cover ransomware attacks from January to March 2024. This blog will demonstrate that if Thales CipherTrust Transparent Encryption Ransomware Protection (CTE-RWP) had been installed at the attacked companies and government organizations, their data would have been protected and safe.

First, let us review some of the common ransomware detection approaches employed by cybersecurity professionals today: behavioral vs. signature vs. binary inspection.

Signature-Based

Many ransomware prevention products are signature-based. They recognize a given ransomware by computing a hash of the executable’s bytes and comparing it to a database of known ransomware signatures. As such, that exact build must have been seen before and added to the database. Any tweak to the original ransomware source code followed by a rebuild changes the hash and circumvents such signature-based solutions. A case in point is the ransomware known as Sugar, which has around 200 versions, and therefore 200 different signatures.

Binary Inspection Based

Other ransomware protection products detect ransomware by scouring the binary executable for hallmarks of a ransomware process, such as text that looks like a ransom note, or references to cryptographic libraries. Some ransomware circumvents such detection by obfuscating the ransom note, and even the executable machine code itself, decrypting its own binary just before it executes. The stored file then carries none of those hallmarks, so it is not detected at process load time.
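As an added illustration of the two static approaches just described (this is example code written for this page, not code from Thales or from any scanner or malware), here is a toy hash-signature database and a plaintext-indicator scanner run against a constructed stand-in "binary". The stand-in bytes, the indicator list, the single-byte XOR "packer" and its stub are all assumptions made for the example; no real malware is involved.

```python
import hashlib

# Constructed stand-in for a ransomware executable: a header, a reference to a
# crypto library and a ransom note. No real malware bytes are used.
RANSOM_NOTE = b"Your files have been encrypted! Pay 2 BTC to recover them."
ORIGINAL_SAMPLE = (b"MZ\x90\x00" + b"\x00" * 32 + b"libcrypto.so.3\x00"
                   + RANSOM_NOTE + b"\x00" * 32)
STUB = b"MZ\x90\x00STUB:xor-decode-then-jump\x00"   # clear loader of the packed build (assumed)
XOR_KEY = 0x5A                                     # assumed packer key

# Signature database keyed by sha256 of builds seen before (assumed layout).
SIGNATURE_DB = {hashlib.sha256(ORIGINAL_SAMPLE).hexdigest(): "catalogued-build-1"}

# Plaintext indicators a binary-inspection scanner might search for (assumed list).
INDICATORS = [b"files have been encrypted", b"libcrypto", b"CryptEncrypt", b".onion"]


def signature_match(binary: bytes):
    """Hash lookup: only an exact, previously catalogued build matches."""
    return SIGNATURE_DB.get(hashlib.sha256(binary).hexdigest())


def static_indicators(binary: bytes):
    """Binary inspection: which plaintext indicators appear in the file as stored."""
    return [ind.decode() for ind in INDICATORS if ind in binary]


def rebuild_with_tweak(binary: bytes) -> bytes:
    """Stand-in for a source tweak plus rebuild: one byte of padding differs."""
    return binary[:-1] + b"\x01"


def xor_pack(payload: bytes, key: int = XOR_KEY) -> bytes:
    """Obfuscate (or, applied again, restore) the payload body with a single-byte XOR."""
    return bytes(b ^ key for b in payload)


def packed_sample() -> bytes:
    """A self-decrypting build: clear stub followed by the XOR-encoded original."""
    return STUB + xor_pack(ORIGINAL_SAMPLE)


def unpack_at_runtime(packed: bytes) -> bytes:
    """The process image after the stub has run, i.e. what a load-time scan never sees."""
    return xor_pack(packed[len(STUB):])


def compare():
    """Run both static checks against each variant; returns {variant: (signature, indicators)}."""
    variants = {
        "original": ORIGINAL_SAMPLE,
        "rebuilt": rebuild_with_tweak(ORIGINAL_SAMPLE),
        "packed": packed_sample(),
        "unpacked_in_memory": unpack_at_runtime(packed_sample()),
    }
    return {name: (signature_match(b), static_indicators(b)) for name, b in variants.items()}


if __name__ == "__main__":
    for name, (sig, inds) in compare().items():
        print(f"{name:20s} signature={sig!s:20s} indicators={inds}")
```

Running it shows the layering the text describes: the one-byte rebuild already defeats the hash signature while the indicator scan still fires; the packed build defeats both, because the note and the library name only exist in clear after the stub has run in memory. That remaining in-memory behavior is what the next section’s approach watches instead.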

Behavior-Based

Now enter behavior-based solutions. A behavior-based ransomware protection product relies on the behavior of the ransomware, either at the time of the attack or at startup as it prepares for the attack. CTE-RWP is behavior-based. It watches for the typical behaviors that other behavior-based products look for, and in addition it underpins those techniques with more general principles, described next.

One key point is that CTE-RWP takes advantage of what can be called unsynchronized destruction. Consider the analogy of baking and eating a cake. It takes one person to bake a cake, and the steps have to be done in a particular order, but many people can eat or destroy that cake all at the same time.

Likewise, ransomware leans towards unsynchronized behavior. You will see many files deleted by many different threads in a process, toggling back and forth among them at random with no order. Why? Because ransomware does not care about your data. Its authors just want to encrypt your data quickly and destroy any original copy, with no synchronization involved. Unsynchronized destruction is just one of the character traits of ransomware-like behavior that CTE-RWP watches for.

Underlying these principles is the basic technique of watching for clear reads followed by encrypted writes, either within a file or across files. CTE-RWP can detect this abnormal clear-read, encrypted-write pattern and quickly block the process, often before the paging IOs have written the encrypted pages to disk. Statistical variance, byte value frequencies, compressibility of sections and other measurements help CTE-RWP determine whether a file is changing from clear to encrypted data across reads and writes, whether in place in that file or into another file.

CTE-RWP has a very low false positive rate, using patentable techniques to distinguish good behavior from bad. And finally, for processes that legitimately exhibit ransomware-like behavior for brief moments, CTE-RWP provides an exempted process list. Antivirus products fall into this category: they scan clear files and then write encrypted entries to their own logs, which briefly resembles ransomware behavior.

The Results

In the Thales lab we tested 10 recent ransomware attacks in the news, and CipherTrust Transparent Encryption Ransomware Protection alerted and blocked all 10.

In our lab, we selected the top 10 recent attacks for which we could find the corresponding ransomware on the vx-underground research site, and we ran each sample against our own test systems to see how CTE-RWP behaved. The 10 recent ransomware samples tested were:

1 Lockbit
2 BlackBasta
3 Rhysida
4 Hive
5 Akira
6 Trigona
7 Play
8 BianLian
9 MedusaLocker
10 Phobos

Watch the video demonstrating how each attack was blocked


No code changes, threshold changes, or any other changes were made before, during or after any of the attacks. This was an out-of-the-box test for the already released CTE-RWP product, using a build created prior to any of these attacks in the news.

In 9 of the cases, we detected and blocked the ransomware immediately, before any encrypted data reached disk. In the 10th case, up to 5 small files became encrypted on disk before the process was blocked.

In each case, CTE-RWP detected the ransomware by observing its clear-read, encrypted-write IO patterns, using the previously mentioned measurements of statistical variance, byte value frequencies and section compressibility to decide whether the data read or written is encrypted or clear. Clear reads followed by encrypted writes are the key indicator of ransomware activity.
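The following is an added example, written for this page rather than taken from CTE-RWP or Thales, of how the measurements named in the Behavior-Based section and restated above can be turned into a clear-read/encrypted-write detector. It computes Shannon entropy from byte frequencies, byte-value variance and zlib compressibility for each IO buffer, tracks per-process clear reads followed by encrypted writes (in place or to another file), records how many threads performed those writes as the "unsynchronized destruction" signal, honors an exempt list for the antivirus case, and leaves buffers under a minimum size unjudged, which is one way a few small files can reach disk before a process is stopped. Every threshold, the minimum sample size, the event count that triggers a block, the process names, paths and the sha256-chain stand-in for ciphertext are assumptions made for the example; the page does not publish CTE-RWP's scoring.

```python
import hashlib
import math
import zlib
from collections import Counter, defaultdict

# Thresholds are assumptions chosen for this illustration; the page does not
# publish CTE-RWP's cut-offs or scoring.
ENTROPY_THRESHOLD = 7.2      # bits/byte; ciphertext approaches 8.0, text sits near 4-5
VARIANCE_THRESHOLD = 4000.0  # uniform bytes give ~5461; ASCII text stays well below
RATIO_THRESHOLD = 0.9        # zlib size / raw size; ciphertext does not compress
MIN_SAMPLE = 256             # buffers smaller than this are too short to judge
ALERT_THRESHOLD = 3          # clear-read/encrypted-write events before blocking


def shannon_entropy(data: bytes) -> float:
    """Bits per byte computed from the byte-value frequency table."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def byte_variance(data: bytes) -> float:
    """Population variance of the byte values."""
    n = len(data)
    if n == 0:
        return 0.0
    mean = sum(data) / n
    return sum((b - mean) ** 2 for b in data) / n


def compress_ratio(data: bytes) -> float:
    """Compressed size over raw size; about 1.0 or more means incompressible."""
    return len(zlib.compress(data, 9)) / len(data) if data else 0.0


def looks_encrypted(data: bytes) -> bool:
    """All three measurements must agree, and the buffer must be big enough to measure."""
    return (len(data) >= MIN_SAMPLE
            and shannon_entropy(data) > ENTROPY_THRESHOLD
            and byte_variance(data) > VARIANCE_THRESHOLD
            and compress_ratio(data) > RATIO_THRESHOLD)


class RansomwareMonitor:
    """Per-process tracking of clear reads followed by encrypted writes."""

    def __init__(self, exempt=(), alert_threshold=ALERT_THRESHOLD):
        self.exempt = set(exempt)                 # process names allowed to look like this
        self.alert_threshold = alert_threshold
        self.clear_reads = defaultdict(set)       # pid -> paths read as clear data
        self.events = defaultdict(int)            # pid -> clear-read/encrypted-write count
        self.writer_threads = defaultdict(set)    # pid -> threads that wrote ciphertext
        self.blocked = set()

    def on_io(self, pid, tid, proc, op, path, data):
        """Return 'allow' or 'block' for one IO (pid, thread, process name, op, path, buffer)."""
        if pid in self.blocked:
            return "block"
        if proc in self.exempt or len(data) < MIN_SAMPLE:
            return "allow"                        # exempt, or too little data to measure
        if op == "read":
            if not looks_encrypted(data):
                self.clear_reads[pid].add(path)
            return "allow"
        # A ciphertext write by a process that has been reading clear data counts,
        # whether it lands in the same file (in place) or in a different one.
        if looks_encrypted(data) and self.clear_reads[pid]:
            self.events[pid] += 1
            self.writer_threads[pid].add(tid)
            if self.events[pid] >= self.alert_threshold:
                self.blocked.add(pid)
                return "block"
        return "allow"


# Constructed sample data: clear document text and a deterministic ciphertext stand-in.
CLEAR_TEXT = (b"Quarterly report: revenue grew 4% while operating costs fell. " * 70)[:4096]


def pseudo_random(n: int, seed: bytes) -> bytes:
    """sha256 chain used as a stand-in for ciphertext so the demo is repeatable offline."""
    out, block = bytearray(), hashlib.sha256(seed).digest()
    while len(out) < n:
        out += block
        block = hashlib.sha256(block).digest()
    return bytes(out[:n])


def run_demo():
    """Replay a constructed IO trace; returns (verdict per process, events, writer thread counts)."""
    mon = RansomwareMonitor(exempt={"avscan"})
    docs = [f"/srv/docs/report{i}.docx" for i in range(4)]
    trace = [(42, 100 + i % 3, "locker.exe", "read", p, CLEAR_TEXT) for i, p in enumerate(docs)]
    # A 100-byte write is below MIN_SAMPLE: it passes unmeasured, which is how a
    # few small files can reach disk before the process is stopped.
    trace.append((42, 100, "locker.exe", "write", "/srv/docs/tiny.cfg", pseudo_random(100, b"tiny")))
    # Three threads overwrite the documents in reverse order, hopping between threads.
    trace += [(42, 100 + (i + 1) % 3, "locker.exe", "write", p, pseudo_random(4096, p.encode()))
              for i, p in enumerate(reversed(docs))]
    trace += [(7, 7, "notepad.exe", "read", "/srv/docs/notes.txt", CLEAR_TEXT),
              (7, 7, "notepad.exe", "write", "/srv/docs/notes.txt", CLEAR_TEXT[:4000])]
    trace += [(9, 9, "avscan", "read", docs[0], CLEAR_TEXT),
              (9, 9, "avscan", "write", "/var/log/av.bin", pseudo_random(1024, b"log"))]
    verdicts = {}
    for pid, tid, proc, op, path, data in trace:
        verdicts[proc] = mon.on_io(pid, tid, proc, op, path, data)
    return verdicts, dict(mon.events), {p: len(t) for p, t in mon.writer_threads.items()}


if __name__ == "__main__":
    print(run_demo())
```

In the replayed trace the encrypting process is blocked on its third measurable ciphertext write, with three distinct threads having written ciphertext by then; the editor, which reads and writes clear text, and the exempted antivirus process, which reads clear files and writes encrypted log data, are both allowed. Requiring all three measurements to agree is what keeps ordinary compressed or already-encrypted files from counting: a process that only reads such files never accumulates clear reads, so its writes are never scored.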

Ongoing tests with live ransomware

We have now tested 55 of the ransomware samples kept for research on the vx-underground.org malware research site, and CTE-RWP detects and blocks all of them. We continue to monitor the vx-underground site for further submissions of new ransomware.

As stated earlier, if CTE-RWP had been installed at the companies, government entities and other organizations attacked by this ransomware, their data would have remained protected, confirming the power of the behavior-based ransomware protection approach.

Learn more: