Most blogs or papers about crypto-ransomware typically focus on the threat’s delivery, encryption algorithms and communication, with associated indicators of compromise (IOCs). This research paper takes a different approach: an analysis of the file system activity or behaviors of prominent crypto-ransomware families (hereafter, simply called ransomware).
Ransomware creators are acutely aware that network or endpoint security controls pose a fatal threat to any operation, so they’ve developed a fixation on detection logic. Modern ransomware spends an inordinate amount of time attempting to thwart security controls, tilling the field for a future harvest.
It’s a lot easier to change a malware’s appearance (obfuscate its code) than to change its purpose or behavior, and ransomware always shows its tell when it strikes. The increasing frequency with which we hear of large ransomware incidents indicates that the code obfuscation techniques ransomware now routinely employs, such as the use of runtime packers, must continue to be fairly effective against some security tools, otherwise the ransomware makers wouldn’t use them.
It’s important to recognize there’s hope in this fight, and a number of ways admins can resist: Windows 10 Controlled Folder Access (CFA) whitelisting is one such way, allowing only trusted applications to edit documents and files in a specified location. But whitelisting isn’t perfect – it requires active maintenance, and gaps or errors in coverage can result in failure when it’s most needed.