Ransomware has been a hot security topic for the last few years. While only a few of them were successful, they have several distinct advantages over other scareware (and aggressive malware in general):

1. They force the victim to use irreversible payment systems like Bitcoin (and prepaid cards were working OK in the past). This is one of the main reasons ransomware is popular today, as scareware makers had some problems processing credit cards in the past. While these issues could be solved, they reduced profitability and caused downtime when some payment gateway got stopped.

2. They potentially do very high damage, much larger than the money they are asking for. Losing medical records or even work and study documents might be costly.

3. The development cost for the ransomware itself is not that big. The encryption algorithms used are not new and lots of code samples are available. For example, lots of minor ransomware families are based on the Hidden Tear project ( https://github.com/goliate/hidden-tear ), which itself does not encrypt properly and is an educational sample only. Other types of scareware depend on locking the system, which is much harder to do properly and requires better system knowledge.

Thus ransomware will not go away as long as there are payment options, it is easy to make and people are ready to pay.

However, we have 2 powerful ways to protect ourselves from ransomware attacks:

1. Antiviruses and other software-based approaches to prevent ransomware from running or to stop it early on. There is lots of promise in canary-file-based approaches, early warning systems like Hitman Pro Alert and so on.

2. Backups to reduce or remove possible harm.

The problem with backups is that they are usually implemented badly. A typical backup tries to help in cases of accidental deletion of data or hardware failure at most. While this is OK, ransomware requires quite a different approach: there should be a possibility to restore older versions of a file, and a way to prevent deletion of those older versions in case of infection.

There are some interesting developments in versioned file systems that keep several iterations of the same file. However, malware could delete all copies of the files if it were aware of their existence, as it already does with volume shadow copies.

Remote backups (either on a NAS or in remote web services) are somewhat better, as long as files are versioned there and it is impossible to delete all versions at once from the original system. As long as the file server is not compromised at the same time as the PC, you will have a working backup.
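The two requirements above (keep older versions, and give the original system no way to delete them) are easy to state but often missing from real backup tools. The following is an added example, not code from the post: a minimal append-only versioned store in Python, with an in-memory dict standing in for the remote NAS or service. The client API assumed here has no delete or overwrite call at all, so a backup job that faithfully uploads the encrypted file still leaves the pre-infection version restorable.

```python
import hashlib
import time

class VersionedBackupStore:
    """Append-only store: every put() adds a version, nothing removes one."""

    def __init__(self):
        self._index = {}   # path -> list of (timestamp, sha256, size), append-only
        self._blobs = {}   # sha256 -> content; this API never deletes from it

    def put(self, path, data, ts=None):
        """Store a new version of `path`; returns its content hash."""
        digest = hashlib.sha256(data).hexdigest()
        self._blobs.setdefault(digest, data)      # identical content is shared
        ts = time.time() if ts is None else ts
        self._index.setdefault(path, []).append((ts, digest, len(data)))
        return digest

    def versions(self, path):
        """All recorded versions of `path`, oldest first."""
        return list(self._index.get(path, []))

    def restore(self, path, before=None):
        """Newest version written strictly before `before` (e.g. the estimated
        infection time), or the newest overall when `before` is None."""
        candidates = [v for v in self._index.get(path, [])
                      if before is None or v[0] < before]
        if not candidates:
            raise KeyError(f"no version of {path} before {before}")
        _, digest, _ = max(candidates, key=lambda v: v[0])
        return self._blobs[digest]

def demo():
    """Constructed scenario: a clean backup, an infection, then a backup job
    that uploads the encrypted file on top. Returns the recovered content."""
    store = VersionedBackupStore()
    original = b"patient record: blood type O+, allergies: none"  # constructed
    store.put("docs/record.txt", original, ts=1000)
    infection_time = 2000
    # XOR with a constant stands in for the ransomware's ciphertext (constructed)
    encrypted = bytes(b ^ 0x5A for b in original)
    store.put("docs/record.txt", encrypted, ts=3000)
    # The newest version is now garbage, but the earlier one cannot be removed
    # through this API, so a point-in-time restore still succeeds.
    return store.restore("docs/record.txt", before=infection_time)

if __name__ == "__main__":
    print(demo().decode())
```

On a real NAS or cloud service the same property comes from object versioning plus a credential for the backup client that is allowed to write but not to delete or purge versions.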

I see another possibility for backups: flash-based storage with versioning capabilities and hardware controls for accessing older copies of the files. This would ensure that files can be restored even if encrypted files are backed up on top of them or deleted. Sadly, I could not find an existing version of such hardware.

Categories: General

Giedrius Majauskas

I am an internet company owner and project manager living in Lithuania. I am interested in computer security, health and technology topics.
