To understand how to prevent ransomware encryption, we should first have a look at how ransomware encrypts files and what the major types of ransomware encryption are.
Such variants limit the entire process to reading and writing to a file. They do not perform file delete or file create / rename operations. The ransom notes are within the compromised files themselves, appended to the encrypted content.
The basic encryption process consists of the following:
The files attacked by such ransomware keep their extension, and a compromised folder looks the same as a healthy one when its contents are listed. Only the file contents are encrypted. This means that, without tools to prevent ransomware encryption, one only realizes there is an attack when opening a corrupt file. Such attacks therefore take longer to detect and, consequently, more files are lost.
Spora is a ransomware variant that follows the “replacer” pattern. You can read more about it in our dedicated material.
To prevent ransomware encryption performed by replacers, you need dedicated anti-ransomware technology that detects the simple flow of operations and is able to identify it as malicious. Technologies that only look at file dynamics and are content unaware have a lower chance of detecting such attacks. Hence, a good solution takes into consideration what happens with file contents in the memory, and how that correlates with the basic file operations occurring at the time. Such variants are more difficult to detect than generic ransomware that uses other files to store the encrypted content.
Such variants use the most widespread encryption technique: they create new files containing the encrypted content and delete (or safe-delete) the original files. They perform more file operations and fewer in-memory operations. Content is transferred to memory, encrypted and placed in a new file, while the original file is removed.
The basic encryption process consists of the following:
As can be seen, such variants leave a larger footprint on the target machine. They perform more operations in a more complex pattern, involving security-sensitive operations such as file deletion. Although difficult to detect, such variants have a bigger chance of triggering alerts from the user operating the target machine or from security software. When looking at a folder containing compromised files, the user may notice anomalies: files with strange extensions, ransom notes with conspicuous titles, and so on.
The Crysis ransomware family exhibits the above behavior when it comes to encrypting user files. Read more about it in our dedicated article.
To prevent ransomware encryption for normal ransomware you need anti-ransomware technology capable of identifying the associated pattern described above. This involves watching for new files being created, files being deleted, and interpreting the rest of the file operations, to filter out false positives and only point out ransomware activity.
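The two file-level patterns described above (the replacer that overwrites a file in place, and the normal variant that creates a new file and deletes the original) can be told apart from benign activity only by looking at both the sequence of file operations and the content being written. The following is an added example, not TEMASOFT's code: a minimal detector run over a constructed stream of file-operation events, using Shannon entropy of the written bytes as the content-aware signal. The event format, paths, entropy threshold and sample data are all assumptions made for the demo.

```python
"""Added example (not TEMASOFT's code): a minimal detector for the two
file-level ransomware patterns, run over a constructed stream of
file-operation events.

  - replacer: read a file, write encrypted bytes back to the same path
    (name and extension unchanged), so only a content-aware check notices;
  - normal:   create a new file with the encrypted content, then delete
    the original.

"Encrypted" is approximated by Shannon entropy of the written bytes, which
is what a content-aware engine can observe in memory at write time.
"""
import math
import random

HIGH_ENTROPY = 7.2  # bits/byte; threshold chosen for the demo, real engines tune this


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of `data`; 8.0 means every byte value is equally frequent."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def detect(events):
    """Walk the event stream once and return the two kinds of findings.

    events: dicts with 'op' in {'read', 'write', 'create', 'delete'}, 'path',
    and 'data' (bytes) for write/create. Assumed format for this demo.
    """
    read_paths = set()      # files whose content the actor has already read
    created = {}            # new path -> entropy of its content
    findings = {"replacer": [], "create_delete": []}
    for ev in events:
        op, path = ev["op"], ev["path"]
        if op == "read":
            read_paths.add(path)
        elif op == "write":
            # Replacer signature: read, then a high-entropy write to the same path.
            if path in read_paths and shannon_entropy(ev["data"]) >= HIGH_ENTROPY:
                findings["replacer"].append(path)
        elif op == "create":
            created[path] = shannon_entropy(ev["data"])
        elif op == "delete":
            # Normal-ransomware signature: a just-created high-entropy file
            # that carries the deleted file's name (e.g. invoice.xlsx.locked).
            for new_path in list(created):
                if new_path.startswith(path) and created[new_path] >= HIGH_ENTROPY:
                    findings["create_delete"].append((path, new_path))
                    del created[new_path]
                    break
    return findings


# --- constructed sample data -------------------------------------------------
_rng = random.Random(1)
PLAINTEXT = b"Quarterly report: revenue, costs, headcount. " * 90   # low entropy
RANDOMISH = bytes(_rng.getrandbits(8) for _ in range(4096))          # stands in for ciphertext

SAMPLE_EVENTS = [
    # replacer: same path, same extension, only the bytes change
    {"op": "read",   "path": "C:/docs/report.docx"},
    {"op": "write",  "path": "C:/docs/report.docx", "data": RANDOMISH},
    # benign edit: read/write of ordinary text is not flagged
    {"op": "read",   "path": "C:/docs/notes.txt"},
    {"op": "write",  "path": "C:/docs/notes.txt", "data": PLAINTEXT},
    # normal ransomware: new file plus deletion of the original
    {"op": "create", "path": "C:/docs/invoice.xlsx.locked", "data": RANDOMISH},
    {"op": "delete", "path": "C:/docs/invoice.xlsx"},
    # benign save-via-temp-file: low entropy, not flagged
    {"op": "create", "path": "C:/docs/draft.txt.tmp", "data": PLAINTEXT},
    {"op": "delete", "path": "C:/docs/draft.txt"},
]

if __name__ == "__main__":
    for kind, hits in detect(SAMPLE_EVENTS).items():
        print(kind, hits)
```

The benign cases are included on purpose: a text editor that rewrites a file in place, or saves through a temporary file and deletes the old copy, produces the same operation sequence as the two ransomware patterns, and only the entropy of the written content separates them. A production engine would additionally count hits per process over a time window before alerting, since one high-entropy write (a compressed archive, say) is normal.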
Another important variation of ransomware is the one that encrypts the entire HDD volume. To do so, it first boots up its own code instead of the operating system, then applies a full volume encryption of the partitions. Such ransomware is impossible to detect during the encryption process simply because, at that point, the operating system does not run. Nor do any security applications. Hence, such ransomware must be stopped before it is able to boot up its own boot code.
Typically such ransomware performs the following operations:
Obviously, the computer's operating system does not boot again until the ransomware is removed. Typically such ransomware does not successfully carry out the recovery process. There are various combinations of this behavior, with wiper-like behavior or with normal ransomware. An example of ransomware attacking the MBR and applying full disk encryption is HDDCryptor.
A combination between a wiper and a full volume encryptor would alter the partition table along with performing the full disk encryption. An example is the RedBoot ransomware.
Double encryption: a combination between normal ransomware and full disk encryptor. Such variants would apply both file level encryption and disk level encryption to the target machine. A good example in this respect is Petya ransomware.
To prevent ransomware encryption by full disk encryptors, you need anti-ransomware technology able to detect and block malicious attempts to modify the Master Boot Record. At the same time, this technology needs to be able to identify legitimate attempts to modify the MBR and allow the changes to take place. If such ransomware is not stopped before the MBR is compromised, it is highly unlikely that anything can be done to recover at a later stage.
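Distinguishing legitimate from malicious MBR changes requires knowing what the healthy MBR looked like. The following is an added example, not from the original article: it parses a 512-byte Master Boot Record and compares it against a recorded known-good baseline, which is the integrity check a defender can run to notice that the boot code or partition table has been rewritten. The MBR images are constructed in the block; the layout used is the standard one (446 bytes of boot code, four 16-byte partition entries at offset 446, the 0x55AA signature at offset 510).

```python
"""Added example (not from the original article): parse a 512-byte Master
Boot Record and compare it with a recorded known-good baseline. The MBR
images below are constructed for the demo; the layout is the standard one
(446 bytes of boot code, four 16-byte partition entries at offset 446,
0x55AA at offset 510)."""
import hashlib
import struct

MBR_SIZE = 512
PT_OFFSET = 446
ENTRY = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count


def build_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble an MBR from boot code and (bootable, type, lba_start, sectors)
    tuples. Only used here to construct demo images."""
    img = bytearray(boot_code.ljust(PT_OFFSET, b"\x00"))
    for i in range(4):
        if i < len(partitions):
            bootable, ptype, lba, sectors = partitions[i]
            img += struct.pack(ENTRY, 0x80 if bootable else 0x00, b"\x00" * 3,
                               ptype, b"\x00" * 3, lba, sectors)
        else:
            img += bytes(16)
    return bytes(img + b"\x55\xaa")


def parse_mbr(img: bytes) -> dict:
    """Return signature validity, a hash of the boot code, and the non-empty
    partition entries."""
    if len(img) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = PT_OFFSET + 16 * i
        status, _, ptype, _, lba, sectors = struct.unpack(ENTRY, img[off:off + 16])
        if ptype != 0:
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": sectors})
    return {"valid_signature": img[510:512] == b"\x55\xaa",
            "boot_code_sha256": hashlib.sha256(img[:PT_OFFSET]).hexdigest(),
            "partitions": parts}


def check_mbr(img: bytes, baseline: dict) -> list:
    """Anomalies between a freshly read MBR and the baseline, in a fixed order."""
    cur = parse_mbr(img)
    issues = []
    if not cur["valid_signature"]:
        issues.append("boot signature missing")
    if cur["boot_code_sha256"] != baseline["boot_code_sha256"]:
        issues.append("boot code changed")
    if cur["partitions"] != baseline["partitions"]:
        issues.append("partition table changed")
    return issues


# --- constructed images ------------------------------------------------------
GOOD_MBR = build_mbr(b"\xfa\x31\xc0\x8e\xd8",                        # stand-in boot code
                     [(True, 0x07, 2048, 204800)])                    # one NTFS-type partition
BASELINE = parse_mbr(GOOD_MBR)                                        # recorded while healthy
TAMPERED_MBR = build_mbr(b"\xeb\xfe", [(True, 0x07, 2048, 204800)])   # boot code swapped, table kept
WIPED_MBR = build_mbr(b"\xeb\xfe", [])                                # boot code swapped, table gone

if __name__ == "__main__":
    for name, img in [("good", GOOD_MBR), ("tampered", TAMPERED_MBR), ("wiped", WIPED_MBR)]:
        print(name, check_mbr(img, BASELINE) or "ok")
```

In practice the 512 bytes would be read from the raw device (the first sector of `\\.\PhysicalDrive0` on Windows with administrative rights, or of `/dev/sda` on Linux) at a time the machine is known to be healthy, and the baseline stored off the machine. The "tampered" case corresponds to the HDDCryptor-style boot code replacement and the "wiped" case to the RedBoot-style partition table destruction described above; a legitimate bootloader update also changes the boot code hash, which is why the check reports what changed rather than deciding on its own.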
In general, ransomware uses two types of encryption: symmetric and asymmetric, with various key strengths and algorithms. Let’s have a look at both types and then see how ransomware uses them:
Symmetric-key algorithms use the same key to encrypt the plaintext content and to decrypt the ciphertext (encrypted content). The advantage of these algorithms is their speed. They are much faster than asymmetric-key algorithms. However, speed comes at the cost of strength, and usually symmetric encryption algorithms may be easier to decipher.
Well-known examples of symmetric-key algorithms are Blowfish and AES. Both use the same key for the encryption and the decryption processes. They are also commonly used by ransomware, such as Gobe, which uses Blowfish to encrypt file contents. Security vendors attempt to reverse engineer such ransomware and in many cases successfully build decryption tools.
Asymmetric-key algorithms use a pair of keys to perform the encryption and decryption processes. First, content is encrypted using the public key, which may be freely distributed because it cannot be used for decryption; the content is then decrypted using the private key, known only to the owner of the process. Such algorithms are very difficult to break, and hence safer than symmetric-key algorithms, but they are slower and might not be a feasible option for ransomware, where speed of encryption is crucial for the success of the infection.
A well-known example of an asymmetric-key algorithm is RSA, used by ransomware like Cerber. Cerber uses three layers of encryption, two of them based on RSA. So far no decryption tools are available for properly written ransomware based on asymmetric encryption.
The strongest ransomware out there uses multiple layers of encryption and combinations of symmetric and asymmetric algorithms. Such an example is CryptoLocker, that uses symmetric encryption for the content (256 bit AES), but then adds another layer of asymmetric encryption to encrypt the symmetric keys (RSA). Similarly, Cerber uses symmetric encryption for the contents of files (RC4) and then adds another two layers of encryption to protect the symmetric keys (RSA).
By combining symmetric and asymmetric encryption, ransomware has the benefit of speed when encrypting file contents by the thousands, and also the benefit of strength by protecting the symmetric keys with asymmetric encryption, a one-time operation. It is a smart way to counter the weaknesses of both encryption methods by combining them into more complex encryption functionality.
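The practical consequence of the layered scheme above is the one that matters for recovery: a decryption tool can be built only if the symmetric key can be obtained, and once that key has been wrapped with the public key and discarded, the artifact left behind contains nothing usable without the private key. The following is an added example, not from the original article, showing that key hierarchy reduced to a toy that runs with the Python standard library alone (Python 3.8 or later, for the modular inverse via `pow`). The content cipher is a SHA-256 keystream XOR and the key wrap is textbook RSA with small primes; neither is a real cipher, and the primes, key length and sample content are constructed for the demo.

```python
"""Added example (not from the original article): the symmetric-plus-
asymmetric key hierarchy reduced to a toy. The content cipher is a SHA-256
keystream XOR and the key wrap is textbook RSA with small primes; neither is
a real cipher. The point is the structure: the fast symmetric key does the
bulk work, and recovering it requires the private key held elsewhere."""
import hashlib
import random

TOY_P, TOY_Q = 10007, 10009     # constructed small primes; real keys are ~2048-bit


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with SHA-256(key || block counter).
    Symmetric, so the same call decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + (off // 32).to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def rsa_keypair(p=TOY_P, q=TOY_Q, e=65537):
    """Textbook RSA (no padding, toy size). Returns (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def wrap_key(key: bytes, pub) -> list:
    """Encrypt the symmetric key with the public key, 3 bytes per RSA block
    because the toy modulus is only about 27 bits wide."""
    n, e = pub
    return [pow(int.from_bytes(key[i:i + 3], "big"), e, n)
            for i in range(0, len(key), 3)]


def unwrap_key(blocks: list, priv) -> bytes:
    """Inverse of wrap_key; needs the private exponent."""
    n, d = priv
    return b"".join(pow(c, d, n).to_bytes(3, "big") for c in blocks)


def protect(content: bytes, pub, rng: random.Random) -> dict:
    """What a hybrid scheme leaves behind: ciphertext plus the wrapped
    per-file key. The plaintext symmetric key itself is not stored."""
    file_key = bytes(rng.getrandbits(8) for _ in range(12))   # 12 bytes = 4 RSA blocks
    return {"ciphertext": keystream_xor(file_key, content),
            "wrapped_key": wrap_key(file_key, pub)}


def recover(artifact: dict, priv) -> bytes:
    """The step only the private-key holder can perform."""
    file_key = unwrap_key(artifact["wrapped_key"], priv)
    return keystream_xor(file_key, artifact["ciphertext"])


if __name__ == "__main__":
    pub, priv = rsa_keypair()
    art = protect(b"Quarterly report: revenue up 4%", pub, random.Random(7))
    print("wrapped key blocks:", art["wrapped_key"])
    print("recovered:", recover(art, priv))
```

Two things follow from the structure. With a modulus this small the private key is recoverable by factoring, which is exactly why real families use RSA keys of 2048 bits or more and why public decryptors appear only when the key management is flawed (a symmetric key left in memory or embedded in the binary, a private key leaked or seized). And because the symmetric step runs once per file while the RSA step runs once per key, the asymmetric cost stays negligible no matter how many files are involved, which is the speed argument made above.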
There are ransomware victims who believe it is easier to pay a ransom and get the files back. It is an appealing way to manage the crisis of a ransomware incident. In theory, you get the files back in hours, and you may be up and running again within the same day.
However, the reality is different. Successful recovery by paying the ransom is statistically rare. In many cases, something happens and the files are not entirely recovered. In those cases where files are recovered, there is still much more downtime than anticipated. Here are some types of ransomware that prove attackers do not always intend to give you the files back:
Ransomware that encrypts files but does not allow recovery, either for technical reasons – bugs in the code make recovery impossible – or because of IT infrastructure issues on the attackers' side.
Ransomware that simply destroys data without any intent to ever recover it. Such ransomware may use encryption without implementing any decryption functionality, or simply delete files (in which case it is called a “wiper”). An example of such ransomware is ExPetr/Petya/NotPetya.
Hence, relying on cybercriminals to restore data is obviously not the best way to go. This is the first reason why you should prevent ransomware encryption. The best way to minimize the impact of ransomware attacks is to prevent them in the first place. For good prevention, a combination of software solutions and security processes must be adopted in a multi-layered security strategy. For best results in preventing ransomware encryption, such strategies should contain:
TEMASOFT offers anti-ransomware technology able to identify all types of ransomware encryption and can also allow file restore in the unlikely case when the ransomware attack is not stopped.
In case ransomware prevention fails, you may find recovery tools online or recover from a backup.
This post was last modified on August 21, 2023 7:26 am