- Sep 22, 2014
- 1,767
In the near future, there might be a simple way to stop ransomware infections from locking your files, if we are to believe a team of researchers from the University of Florida and Villanova University.
This team presented the CryptoDrop project to the world at the recently concluded IEEE International Conference on Distributed Computing Systems that took place on June 29 in Nara, Japan.
CryptoDrop is a computer application currently working only on Windows that keeps an eye on the user's filesystem for signs and operations specific to ransomware infections.
This includes a surge in encryption operations, a drop in available entropy (random data, used to power encryption operations), file type changes (ransomware changes file type extensions), and a few other more.
CryptoDrop can halt encryption-heavy OS processes
When CryptoDrop makes a detection, it will stop the process and alert the user that something suspicious is happening.
The application is not designed to work like an antivirus but alongside one. The researchers say that CryptoDrop will not be able to detect or stop ransomware before encrypting files, but after it already started, so using a powerful antivirus software is still recommended, in order to prevent and block common ransomware threats from taking root on a PC, to begin with.
The good news is that, during testing on a computer with 5,100 available files, CryptoDrop detected and stopped ransomware infections in its early stages.
They tested their system against 492 ransomware variants, got a 100 percent true positive rate, and ransomware families encrypted on average around ten files before being detected and stopped.
That's around 0.2 percent of the whole files available on the target computer, which is more than acceptable for any user who knows how crippling ransomware can really be.
CryptoDrop is similar to Cryptostalker, but for Windows
The project is similar to what Sean Williams had built this winter via his Cryptostalker project, which worked in a similar way, but for Linux systems. Just like Cryptostalker, CryptoDrop has issues with false positives at the process level, as the researchers explain.
"CryptoDrop is unable to determine the intent of the changes it inspects. For example, it cannot distinguish whether the user or ransomware is encrypting a set of document," the research team notes. "As a result, we expect that programs such as GPG and PGP, compression applications, and other applications which perform similar transformations will cause a CryptoDrop detection when applied to many user documents."
More details can be found in the research paper presented at the IEEE conference, calledCryptoLock (and Drop It): Stopping Ransomware Attacks on User Data.
The research team adds it's looking for partners to commercialize CryptoDrop and make publicly available.
This team presented the CryptoDrop project to the world at the recently concluded IEEE International Conference on Distributed Computing Systems that took place on June 29 in Nara, Japan.
CryptoDrop is a computer application currently working only on Windows that keeps an eye on the user's filesystem for signs and operations specific to ransomware infections.
This includes a surge in encryption operations, a drop in available entropy (random data, used to power encryption operations), file type changes (ransomware changes file type extensions), and a few other more.
CryptoDrop can halt encryption-heavy OS processes
When CryptoDrop makes a detection, it will stop the process and alert the user that something suspicious is happening.
The application is not designed to work like an antivirus but alongside one. The researchers say that CryptoDrop will not be able to detect or stop ransomware before encrypting files, but after it already started, so using a powerful antivirus software is still recommended, in order to prevent and block common ransomware threats from taking root on a PC, to begin with.
The good news is that, during testing on a computer with 5,100 available files, CryptoDrop detected and stopped ransomware infections in its early stages.
They tested their system against 492 ransomware variants, got a 100 percent true positive rate, and ransomware families encrypted on average around ten files before being detected and stopped.
That's around 0.2 percent of the whole files available on the target computer, which is more than acceptable for any user who knows how crippling ransomware can really be.
CryptoDrop is similar to Cryptostalker, but for Windows
The project is similar to what Sean Williams had built this winter via his Cryptostalker project, which worked in a similar way, but for Linux systems. Just like Cryptostalker, CryptoDrop has issues with false positives at the process level, as the researchers explain.
"CryptoDrop is unable to determine the intent of the changes it inspects. For example, it cannot distinguish whether the user or ransomware is encrypting a set of document," the research team notes. "As a result, we expect that programs such as GPG and PGP, compression applications, and other applications which perform similar transformations will cause a CryptoDrop detection when applied to many user documents."
More details can be found in the research paper presented at the IEEE conference, calledCryptoLock (and Drop It): Stopping Ransomware Attacks on User Data.
The research team adds it's looking for partners to commercialize CryptoDrop and make publicly available.
