For hackers and cybercriminals, ransomware is literally money in the bank.
If a target clicks on a link in an email, designed to appear as though it is from a familiar source, the malware is unleashed on the victim's computer, encrypting every file.
The only way for the victim to regain access to these files – photos, documents, or multimedia files – is to pay the hacker a ransom in Bitcoin. The threat has grown exponentially, ensnaring individual consumers as well as businesses and organizations.
Researchers at the University of Florida (UF) now say they have developed a solution, a software tool that will stop ransomware in its tracks. They call it CryptoDrop. The researchers say it works in a very different way than antivirus software.
Limiting the damage
Instead of identifying the ransomware before it can download to a target computer, CryptoDrop springs into action a nanosecond after the process begins. As a result, only a tiny fraction of files get encrypted.
“Our system is more of an early-warning system,” said Nolen Scaife, a UF doctoral student and founding member of UF’s Florida Institute for Cybersecurity Research.
Scaife says CryptoDrop steps in to prevent the ransomware from completing its task. A victim might lose a few photographs, but that is the limit of the damage. There is no reason to pay a ransom.
The UF researchers say antivirus software has a hard time stopping ransomware because it needs to have seen the malware before in order to be effective. But hackers are constantly tweaking their ransomware code, making it unrecognizable to signature-based scanners.
CryptoDrop is like a security guard, always looking for signs of a ransomware attack. When it sees the malware encrypt a file, it springs into action to stop the process from going further.
Instead of looking for a particular software profile, it looks at what the software does. If hackers come up with a new malware every week, it won't matter.
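To make the behavioural idea concrete, here is an added illustration of the kind of decision logic the article describes: a monitor that scores each file write by what it does to the file (does low-entropy content suddenly become ciphertext-like, does a known file header vanish), counts suspicious rewrites per process, and cuts the process off after a small number of files. This is example code written for this article, not CryptoDrop's own software or any published detail of it; the entropy and header heuristics, the threshold of three files, the process IDs and the sample files are all constructed assumptions, and the "ransomware" is a stand-in that overwrites files with random bytes rather than any real encryptor. It simulates writes in memory instead of hooking the Windows file system.

```python
import math
import random
from collections import defaultdict

# Assumed tuning (not from the article): how many suspicious rewrites by one
# process before it is blocked, and the entropy above which data looks like
# ciphertext or compressed content (max is 8 bits per byte).
ALERT_AFTER_SUSPECT_FILES = 3
HIGH_ENTROPY_BITS = 7.0
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def random_bytes(rng: random.Random, n: int) -> bytes:
    """Seeded random bytes; used both for fake compressed data and as a stand-in for ciphertext."""
    return bytes(rng.getrandbits(8) for _ in range(n))


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: ~8.0 for random/encrypted data, ~4-5 for English text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_like_encryption(before: bytes, after: bytes) -> bool:
    """Judge a rewrite by its effect on the file, not by which program did it."""
    after_high = shannon_entropy(after) >= HIGH_ENTROPY_BITS
    # Signal 1: readable content turned into ciphertext-like noise.
    entropy_jump = shannon_entropy(before) < HIGH_ENTROPY_BITS and after_high
    # Signal 2: the file was already high-entropy (image, archive) but its
    # header was destroyed; a legitimate re-save keeps the magic bytes.
    header_lost = len(before) >= 4 and before[:4] != after[:4] and after_high
    return entropy_jump or header_lost


class BehaviouralMonitor:
    """Tracks suspicious rewrites per process and blocks a process past the threshold."""

    def __init__(self) -> None:
        self.suspect_files = defaultdict(set)  # pid -> paths it rewrote suspiciously
        self.blocked = set()

    def observe_write(self, pid: int, path: str, before: bytes, after: bytes) -> bool:
        """Return True if the write may proceed, False if the process is (now) blocked."""
        if pid in self.blocked:
            return False
        if looks_like_encryption(before, after):
            self.suspect_files[pid].add(path)
            if len(self.suspect_files[pid]) >= ALERT_AFTER_SUSPECT_FILES:
                self.blocked.add(pid)
                return False
        return True


# Constructed sample files: two text documents plus a fake PNG and a fake ZIP
# whose bodies are random bytes to mimic already-compressed data.
_rng_files = random.Random(1)
SAMPLE_FILES = {
    "notes.txt": b"Meeting notes: budget review, action items, next steps.\n" * 40,
    "report.doc": b"Quarterly report: revenue, costs, headcount, outlook.\n" * 40,
    "photo.png": PNG_MAGIC + random_bytes(_rng_files, 1024),
    "archive.zip": b"PK\x03\x04" + random_bytes(_rng_files, 1024),
}


def run_simulation() -> dict:
    """Replay benign edits and a simulated encrypting process through the monitor."""
    files = dict(SAMPLE_FILES)
    mon = BehaviouralMonitor()
    rng = random.Random(42)

    # Benign activity: an editor (pid 100) appends a line; an image tool
    # (pid 101) re-saves the PNG with a new body but the header intact.
    benign_ok = 0
    new_notes = files["notes.txt"] + b"- follow up with finance\n"
    if mon.observe_write(100, "notes.txt", files["notes.txt"], new_notes):
        files["notes.txt"] = new_notes
        benign_ok += 1
    new_png = PNG_MAGIC + random_bytes(rng, 1024)
    if mon.observe_write(101, "photo.png", files["photo.png"], new_png):
        files["photo.png"] = new_png
        benign_ok += 1

    # Simulated ransomware (pid 200): rewrites every file with random bytes.
    lost = 0
    for path in list(files):
        fake_ciphertext = random_bytes(rng, len(files[path]))
        if mon.observe_write(200, path, files[path], fake_ciphertext):
            files[path] = fake_ciphertext
            lost += 1  # this write got through before the block kicked in
    return {"benign_writes_allowed": benign_ok,
            "files_lost": lost,
            "blocked_pids": set(mon.blocked)}


if __name__ == "__main__":
    print(run_simulation())
```

Running it shows the trade-off the article describes: both benign writes pass, the simulated encryptor gets two files before its third suspicious rewrite trips the block, and its fourth write is refused. The second signal matters because images and archives are already high-entropy, so an entropy jump alone would miss them.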
In the last few years ransomware attacks have targeted hospitals and even police departments. In 2015 police in Tewksbury, Massachusetts, admitted that they'd had to pay an untraceable $500 Bitcoin ransom to the hackers who'd encrypted the department's computer files.
Also last year, a new form of ransomware emerged, in which hackers planted child pornography images on victims' phones until a ransom was paid.
It's gotten so bad that some companies now build ransoms into their operating budgets, expecting that sooner or later they'll have to pay up. The UF researchers, however, say that might not be necessary.
“We ran our detector against several hundred ransomware samples that were live and in those cases it detected 100% of those malware samples and it did so after only a median of 10 files were encrypted,” Scaife said.
The research team says its prototype works with Windows-based systems and the researchers are now seeking a partner to put it on the market.