In this presentation, hear the findings of new academic research into ransomware in which we analyzed more than 1,300 samples captured in the wild from 2006 and 2014 from 15 malware families - including Calelk, Cryptolocker, CryptoWall, Gpcode, Filecoder, Kevtor, Reveton, Seftad, Urausy and Winlock. Our results indicate that (while ransomware authors have made some advancements in encryption, deletion and communication techniques over those eight years) the real impact on victims who don't pay is typically still both nondestructive and preventable. Even the very small set of truly destructive zero-day ransomware samples with sophisticated encryption capabilities we identified can be detected and stopped.
First, learn how ransomware appears to have changed - and stayed the same - from 2006 and 2014, including constants, commonalities and advancements across 15 ransomware families in that timeframe. For example, we verified the widely held belief that ransomware attacks have been increasing in volume in recent years. In fact, they grew by more than 500% from 2012-13. However, the majority have not been sufficiently increasing in sophistication in that timeframe to truly take victims data or hardware hostage. Discover previously undocumented aspects of ransomware attacks with a focus on distinctive and common behaviors among different families.
Second, see a comparison of the threatened impacts vs. the real impacts of the studied ransomware, demonstrating that the vast majority is essentially bluffing its own destructive capabilities in order to extract funds from the victim who is afraid of losing personal and/or valuable data or equipment. More than 94% of ransomware in our multi-year study simply attempted to lock the victims desktop and demand ransom, or used very similar and superficial approaches to encrypt or delete the victims files.
Third, delve into the inner workings of rare destructive ransomware to ascertain key attributes in the code and execution of its instructions that make it both effective and detectible. Hear about the API calls, file system activity and decoy files that consistently surface from different malware families in the wild. Take a look at the various charging methods adopted by different ransomware families including Bitcoin, Moneypak, Paysafecar and Ukash cards. More than 88% of ransomware samples used prepaid online payment systems.
Finally, understand why detecting and stopping advanced ransomware attacks is not as difficult as others have reported. In fact, by scanning for unusual behavior in file system activities, such as I/O requests you can detect even relatively sophisticated ransomware. By protecting the Master File Table (MFT) in the New Technology File System (NTFS) file system on Windows machines, you can prevent most zero-day ransomware attacks. These findings contradict some security community discussions that suggest the impossibility of detecting or stopping these types of attacks due to the use of sophisticated, destructive techniques.