Over the past 2 years, various companies have developed Anti-Ransomware technologies, designed to stop the vast amount of ransomware variants doing harm on a user’s computer. These programs usually work by classifying applications based on behavioural analysis, system activity, disk activity as well as calling specific functions that encrypt data.
Most ransomware variants found today use asymmetric encryption. This is where the data is encrypted with a private key kept by the attackers, and can only be decrypted by using a public key. The public key is usually stored on the cyber-criminal’s server until the user pays the ransom.
The most basic of Anti-Ransomware solutions work by detecting calls / references to specific encryption schemes and calls to certain system libraries such as “system.cryptography”. The problem with this is that non-malicious applications often use these libraries and functions in order to interact with various other things such as the world wide web or VPN connections. Because of this, simply detecting references to these encryption libraries will create lots of false-positive detections.
To avoid this, we can take heuristic signatures from various ransomware families and integrate them within the anti-ransomware applications. However, the main problem with this is that it will not detect new ransomware families. Thus making the tool useless.
What we need is something that determines whether or not an application is malicious based on its behaviour, heuristic detections, generic encryption detections and other factors. The program should also be able to identify unknown and known ransomware variants that infect a computer. It should also be able to detect any signs of infection by looking at web traffic and determining if an application is sending encryption keys used by the ransomware to a C&C server.
But wait! That’s just the detection 😛 Anti-Ransomware products should also be able to isolate and prevent any applications detected as ransomware from mass encrypting the system or killing anti-malware products. The product should also be able to reverse the malicious actions executed by the ransomware. They can do this by using shadow copies of files, keeping an external backup of system settings or simply lowering the access rights of the application so that it cant access system settings.
There are many anti-ransomware solutions out there that you can download. A few examples are Malwarebytes Anti-Ransomware, Kaspersky Anti-Ransomware and Emsisoft’s Behaviour Blocker. Keep in mind, it is impossible to detect 100% of all ransomware variants, but you can protect yourself from the vast majority of ransomware by using a good security product.
BACKUP BACKUP BACKUP… It is important to always have backups ready and up to date in-case you ever do get affected by ransomware. Backups should never be kept in the same environment as your normal hardware systems, and they should be physically separated on either different drives or put on magnetic tapes.