Malware
@binariti, 2016-05-27 11:06:47

Who can automatically detect the file activity characteristic of a ransomware virus?

Many people are now facing the problem of ransomware. Briefly, the essence of the problem:
1. The ransomware uses social engineering to infect, which is very difficult for an ordinary user to distinguish from real daily activity. For example, if a person works with invoices, he receives a letter saying: please pay the invoice in the attachment.
2. The encryptor is not detected by the antivirus. The antivirus simply does not have a signature for the virus at the time it is received; almost every distribution run gets its own separate build of the virus.
3. The ransomware encrypts all the files on the user's machine and extorts money for their decryption.
In short... We were faced with the fact that we could not rule out infection by ransomware, but on reflection we realized that the very behavior of ransomware must, by definition, follow a template. That is, it behaves much like a search indexer: it accesses a large number of files in different folders, deletes files, creates new files, works only with files of certain types and with files that have a certain modification date (for example, the most recent files first).
In a word, all this activity can be analyzed with a heuristic method, and one can conclude that the application is behaving suspiciously, and then take action. Not every application behaves this way; this is a very rare form of activity. You can block a whole class of applications with unwanted file behavior, and corporate users will be fine with that.
In general, the question arises: if the heuristic idea outlined above is actually quite obvious, then surely someone has already implemented this mechanism in their antivirus software. Have you heard anything about antiviruses or utilities of this type?
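As an added illustration of the heuristic sketched in the question (this is not code from the question or from any antivirus product), the following toy detector keeps a sliding window of file events per process and fires when one process touches many document files across several directories and deletes a large share of them, the read/encrypt-to-new-file/delete pattern the question describes. The event stream, the process IDs, the extensions and all thresholds are constructed assumptions for illustration, not values tuned on real telemetry.

```python
"""Added example (not from the question): a toy behavioural heuristic for the
file-activity pattern described above. Thresholds and the event stream are
constructed for illustration, not tuned on real telemetry."""
import posixpath
from collections import defaultdict, deque

DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".txt"}
WINDOW_SECONDS = 10.0    # sliding window per process
MIN_FILES = 20           # distinct document files touched inside the window
MIN_DIRS = 3             # distinct directories touched inside the window
MIN_DELETE_RATIO = 0.5   # deletes relative to documents touched (encrypt-copy-delete)


def is_document(path):
    return posixpath.splitext(path)[1].lower() in DOC_EXTS


class RansomwareHeuristic:
    """Keeps a per-process deque of (timestamp, op, path) events and scores it."""

    def __init__(self):
        self.events = defaultdict(deque)
        self.alerted = set()

    def observe(self, ts, pid, op, path):
        """Feed one event; returns an alert dict the first time a pid trips the rule."""
        if pid in self.alerted:
            return None
        q = self.events[pid]
        q.append((ts, op, path))
        while q and ts - q[0][0] > WINDOW_SECONDS:   # drop events outside the window
            q.popleft()
        verdict = self.score(q)
        if verdict:
            self.alerted.add(pid)
            return {"pid": pid, "ts": ts, **verdict}
        return None

    @staticmethod
    def score(q):
        touched, dirs, deletes = set(), set(), 0
        for _, op, path in q:
            if not is_document(path):        # only document types count
                continue
            touched.add(path)
            dirs.add(posixpath.dirname(path))
            if op == "delete":
                deletes += 1
        if (len(touched) >= MIN_FILES and len(dirs) >= MIN_DIRS
                and deletes >= MIN_DELETE_RATIO * len(touched)):
            return {"files": len(touched), "dirs": len(dirs), "deletes": deletes}
        return None


def constructed_events():
    """Constructed stream: a benign search indexer (pid 100) reads 50 documents in
    5 folders; a ransomware-like process (pid 666) reads each document, writes an
    encrypted copy and deletes the original."""
    docs = [f"/home/u/{d}/report{i}.docx" for d in "abcde" for i in range(5)]
    pdfs = [p.replace(".docx", ".pdf") for p in docs]
    events, ts = [], 0.0
    for p in docs + pdfs:
        ts += 0.05
        events.append((ts, 100, "read", p))
    for p in docs:
        for op, path in (("read", p), ("create", p + ".locked"), ("delete", p)):
            ts += 0.05
            events.append((ts, 666, op, path))
    return events


def run(events):
    det = RansomwareHeuristic()
    return [a for a in (det.observe(*e) for e in events) if a]


if __name__ == "__main__":
    for alert in run(constructed_events()):
        print(alert)
```

The indexer never trips the rule because it only reads; the encryptor trips it on the 20th document, with 19 deletes already in the window. A real deployment has to whitelist processes that legitimately do this (backup agents, archivers, the user's own "move folder to another disk"), and the delete-ratio test misses variants that overwrite files in place, which is why a content-based signal is usually combined with it.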


11 answer(s)
Armenian Radio, 2016-05-27
@gbg

The most reliable remedy against ransomware is versioned backup.
The easiest way to do this is to deploy ownCloud (done in an hour, including a smoke break, lunch and a chat with colleagues) and set up synchronization with the cloud on the relevant clients.
At the same time you get rid of:
- Oh, my file is lost!
- When?
- Well, about two months ago I deleted it from the trash!

Andrey Ermachenok, 2016-05-27
@eapeap

I agree with Armenian Radio:
Business information lives on the server, not on the user's computer.
The user has write access only to a limited set of files; the rest he can only read, or does not see at all.
Files are synchronized to a backup disk (cloud, ...) with versions preserved.
Users do not have access to the backup storage.
How to implement it: there are a SEA of ways.

xmoonlight, 2016-05-28
@xmoonlight

www.sandboxie.com
Completely emulates the file system and registry without risking the main working system (without affecting its files and registry).
The application does not "see" that it is in a sandbox, so it behaves as usual.
You can install something, use it, and just click "clear", with no uninstall needed :)
Rich settings for each sandbox separately.
The best option for quiet work.
Install and configure so that you have:
1. and/or launching in a "sandbox" for specific folders/processes, etc.,
2. and/or normal launching only from selected folders, etc.

Vladimir Kuts, 2016-05-27
@fox_12

Systems like Tripwire, Samhain, OSSEC
track file changes by comparing the hashes of the files specified in the program settings with the data in their own private database.
If the files were changed without authorization, then no heuristics are needed.

morgan, 2016-05-27
@morgane

Just block users from receiving executable files at the mail server, have everything of that kind forwarded to a dedicated mailbox for analysis, and when in doubt use a scanning service.

Román Mirilaczvili, 2016-05-27
@2ord

Perhaps the following is characteristic of encryptors:

  • targeting specific document types
  • simultaneous change of the hashes of most files in a directory
  • increased consumption of machine resources
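The two answers above point at the same mechanism from two sides: Vladimir Kuts's file-integrity checkers keep a hash database and report unauthorized changes, and Román Mirilaczvili's second bullet is what that report looks like under ransomware (most hashes in a directory change at once). The added example below is not the code of Tripwire, Samhain or OSSEC; it is a minimal baseline-and-compare routine with a per-directory change ratio, run on a constructed scenario in a temporary directory. The folder names, file contents and the "two files overwritten in place, two renamed to *.locked" pattern are assumptions for illustration.

```python
"""Added example (not the code of Tripwire, Samhain or OSSEC): a minimal
file-integrity baseline plus a per-directory change ratio. Scenario constructed."""
import hashlib
import os
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Relative path -> SHA-256 for every regular file under root (the 'private database')."""
    db = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full):
                db[os.path.relpath(full, root)] = sha256_file(full)
    return db


def compare(baseline, current):
    """Split the difference between two snapshots into changed / added / removed paths."""
    changed = {p for p in baseline if p in current and current[p] != baseline[p]}
    removed = set(baseline) - set(current)
    added = set(current) - set(baseline)
    return changed, added, removed


def per_directory_change_ratio(baseline, changed, removed):
    """Fraction of baselined files in each directory that were modified or removed.
    Ordinary editing touches one or two files; bulk encryption pushes this to ~1.0."""
    total, hit = {}, {}
    for p in baseline:
        d = os.path.dirname(p)
        total[d] = total.get(d, 0) + 1
        if p in changed or p in removed:
            hit[d] = hit.get(d, 0) + 1
    return {d: hit.get(d, 0) / n for d, n in total.items()}


def demo():
    """Constructed scenario: two folders of four files; an encryptor overwrites
    two files in 'accounting' in place and renames the other two to *.locked."""
    with tempfile.TemporaryDirectory() as root:
        for d in ("accounting", "photos"):
            os.mkdir(os.path.join(root, d))
            for i in range(4):
                with open(os.path.join(root, d, f"f{i}.txt"), "w") as f:
                    f.write(f"original content of {d}/f{i}\n")
        base = snapshot(root)

        acc = os.path.join(root, "accounting")
        for i in (0, 1):
            with open(os.path.join(acc, f"f{i}.txt"), "wb") as f:
                f.write(os.urandom(64))          # stand-in for ciphertext
        for i in (2, 3):
            os.rename(os.path.join(acc, f"f{i}.txt"), os.path.join(acc, f"f{i}.txt.locked"))

        changed, added, removed = compare(base, snapshot(root))
        return {
            "changed": sorted(changed), "added": sorted(added), "removed": sorted(removed),
            "ratios": per_directory_change_ratio(base, changed, removed),
        }


if __name__ == "__main__":
    print(demo())
```

Two practical points the real tools handle and this sketch does not: the baseline database must live somewhere the user (and therefore the encryptor running as the user) cannot write, or it will simply be encrypted along with everything else; and integrity checking is after-the-fact detection, so it tells you which files to restore from the versioned backup rather than preventing the damage.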

Равиль Шаймарданов, 2016-05-28
@ravil666

And you can also, via policies, allow only specific executables (exe) to run, like Word, Excel, etc.; write what is needed into the policies; it should help.

lovecraft, 2016-05-29
@lovecraft

> Nobody. An encryptor has no obvious differences in its activity by which it could be clearly distinguished from useful programs.
That is, of course, not true. There is a heuristic that reliably detects encryptors: measuring the change in a file's degree of orderliness as it is being written. During encryption the file's orderliness drops substantially, which makes it possible to detect encryptors. That is how Kaspersky 11 and some other corporate antiviruses work.
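The "orderliness" that lovecraft describes is, in practice, Shannon entropy of the file content: natural-language documents sit around 4 to 5 bits per byte, while ciphertext is close to 8. The block below is an added example of that measurement, not Kaspersky's or any vendor's implementation; the document text, the toy SHA-256 counter-mode keystream standing in for the encryptor's cipher, and the two thresholds are all constructed assumptions. It also covers the case the heuristic is weakest on: a file that was already compressed before the write.

```python
"""Added example (not any vendor's implementation): the 'orderliness' heuristic
as Shannon entropy measured on file content before and after a write.
Cipher, thresholds and the document are constructed for illustration."""
import hashlib
import math
import zlib
from collections import Counter

HIGH_ENTROPY = 7.0    # bits/byte: content now looks like random data
ENTROPY_JUMP = 2.0    # increase over the previous content that counts as a collapse of order


def shannon_entropy(data):
    """Bits per byte: roughly 4.5 for English text, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def keystream(key, length):
    """Toy deterministic keystream (SHA-256 in counter mode), standing in for
    whatever cipher a real encryptor uses. Illustration only, not a cipher design."""
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(out[:length])


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def classify_write(before, after):
    """Judge one write from the content it replaces and the content it produced."""
    e0, e1 = shannon_entropy(before), shannon_entropy(after)
    suspicious = e1 >= HIGH_ENTROPY and e1 - e0 >= ENTROPY_JUMP
    return {"before": round(e0, 2), "after": round(e1, 2), "suspicious": suspicious}


LINE = ("Invoice 2016-05 for consulting services rendered in May. "
        "Please remit payment within 30 days of receipt. Thank you.\n")


def demo():
    """Constructed document, then three kinds of write over it."""
    doc = (LINE * 20).encode()
    edited = doc + b"P.S. Late payments incur a 2% surcharge.\n"   # normal user edit
    encrypted = xor_bytes(doc, keystream(b"attacker-key", len(doc)))  # in-place encryption
    packed = zlib.compress(doc)                                     # already-compressed file
    packed_enc = xor_bytes(packed, keystream(b"attacker-key", len(packed)))
    return {
        "benign_edit": classify_write(doc, edited),
        "encrypt_document": classify_write(doc, encrypted),
        "encrypt_compressed": classify_write(packed, packed_enc),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

The benign edit keeps entropy in the text range, the in-place encryption jumps it to about 7.9 bits per byte and is flagged, and the compressed file is not flagged: its content was already high-entropy (and, being short here, cannot even reach the 7.0 threshold, since entropy is bounded by log2 of the length). That is the false-negative side of this heuristic for zip, jpeg, 7z and similar files; the false-positive side is a legitimate archiver or encryption tool the user runs on purpose, which such a product has to whitelist.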

Amigo-A, 2017-02-10
@Amigo-A

> someone has already implemented this mechanism in their antivirus software. Have you heard anything about antiviruses or utilities of this type?

There are solutions:
AppCheck Anti-Ransomware Solution
RansomFree by Cybereason
For descriptions in Russian, see the links:
https://anti-ransomware.blogspot.ru/2017/01/appche...
https://anti-ransomware.blogspot.ru/2017/01/ransom...

Nikita K., 2015-08-26
@bonilka

Here is something similar; try playing around with the values: jsfiddle.net/bonilka/2ymtaoap

Sergey Zelensky, 2015-08-26
@SergeyZelensky-Rostov

images background: set the input to grow in height according to the size of the background images, and make a left indent
