A Brief Explanation of Anti-Ransomware Applications

Over the past 2 years, various companies have developed Anti-Ransomware technologies, designed to stop the vast amount of ransomware variants doing harm on a user’s computer. These programs usually work by classifying applications based on behavioural analysis, system activity, disk activity as well as calling specific functions that encrypt data.

Most ransomware variants found today use asymmetric encryption. This is where the data is encrypted with a private key kept by the attackers, and can only be decrypted by using a public key. The public key is usually stored on the cyber-criminal’s server until the user pays the ransom.

The most basic of Anti-Ransomware solutions work by detecting calls / references to specific encryption schemes and calls to certain system libraries such as “system.cryptography”. The problem with this is that non-malicious applications often use these libraries and functions in order to interact with various other things such as the world wide web or VPN connections. Because of this, simply detecting references to these encryption libraries will create lots of false-positive detections.

To avoid this, we can take heuristic signatures from various ransomware families and integrate them within the anti-ransomware applications. However, the main problem with this is that it will not detect new ransomware families. Thus making the tool useless.

What we need is something that determines whether or not an application is malicious based on its behaviour, heuristic detections, generic encryption detections and other factors. The program should also be able to identify unknown and known ransomware variants that infect a computer. It should also be able to detect any signs of infection by looking at web traffic and determining if an application is sending encryption keys used by the ransomware to a C&C server.

But wait! That’s just the detection 😛 Anti-Ransomware products should also be able to isolate and prevent any applications detected as ransomware from mass encrypting the system or killing anti-malware products. The product should also be able to reverse the malicious actions executed by the ransomware. They can do this by using shadow copies of files, keeping an external backup of system settings or simply lowering the access rights of the application so that it cant access system settings.


There are many anti-ransomware solutions out there that you can download. A few examples are Malwarebytes Anti-Ransomware, Kaspersky Anti-Ransomware and Emsisoft’s Behaviour Blocker. Keep in mind, it is impossible to detect 100% of all ransomware variants, but you can protect yourself from the vast majority of ransomware by using a good security product.


BACKUP BACKUP BACKUP… It is important to always have backups ready and up to date in-case you ever do get affected by ransomware. Backups should never be kept in the same environment as your normal hardware systems, and they should be physically separated on either different drives or put on magnetic tapes.



How I dealt with the Ztorg Android Malware

On Sunday 10th July 2016 at 03:00 GMT, Kaspersky Internet Security for Android detected 2 pieces of malware on my device within a pirated version of Minecraft Pocket Edition. (Yes I pirate games if I have to)

10 minutes later, the scan finished and KIS stated that it had found one malicious app running in memory and 1 malicious apk file in the downloads directory. KIS then identified the 2 threats as Trojan.AndroidOS.Ztorg, which I googled and later discovered that it was a Remote Access Trojan connected to the Triada Malware Family. The online article written by Kaspersky Lab said that the only way to remove the Trojan was to either “root” the device or jailbreak the device and remove it manually. I wasn’t willing to jailbreak my device, so I decided to wipe all data off the device and wipe everything in memory.

Later that day, I connected my Android device to my computer (Making sure the malware wouldn’t spread of course) and started transferring important files over to my PC before I wiped everything from the device. At the time, I was also watching a livestream at twitch.tv/the8bitmonkey.

After I had transferred all important files, I held the power button and the volume up button for about 30 seconds. This rebooted the device into the Android boot menu, similar to the F8 screen on Windows PCs. I then selected Factory Reset, which only took about 10 seconds, so I did it again to make sure everything had been deleted. I also cleared everything from the system cache and memory so that the Trojan did not re-infect the device, once I restarted it.

How did I actually get infected with the Ztorg Malware?

I had downloaded a pirated copy of Minecraft Pocket Edition a few months earlier, I never knew that it was infected and KIS didn’t find any threat when I installed it, so I assumed that it was safe. Never download any pirated / cracked / modified version of a game, because you risk being infected.

Also, there’s no point reporting this to Mojang, because Mojang have stated that as long as you don’t distribute / share pirated copies of their games, they don’t care if you use a pirated copy or not.


Triada Malware Article by Kaspersky

Triada Man-In-The-Middle Attacks