The Merkle

Ransomware detection and protection

One of the most prominent threats in the current world of cybersecurity is ransomware. Major ransomware attacks involving never-before-seen strains are constantly on the front pages of news outlets.

One of the recent examples of such an attack is the Bad Rabbit ransomware that hit Ukraine and Russia in late October of 2017. Based on the well-known EternalBlue exploit, it targeted old Windows systems that weren’t properly updated. While the exploit itself has already been patched on the latest versions of Windows, users still remain vulnerable if they run legacy systems and fail to apply updates.

Current state of ransomware

Ransomware has gained prominence not only on Windows, but also on macOS, Linux, and popular mobile systems.

Kaspersky Lab estimates that, over the first quarter of 2017, 240,799 mobile users became victims of ransomware infection. The US government also reports that the average number of daily ransomware attacks has increased dramatically over the past couple of years – from 1000 attacks in 2015 to more than 4000 attacks in 2016.

This increase in the number of attacks corresponds to the increase in the popularity of ransomware on the black market. According to Carbon Black, the number of ready-to-use ransomware offerings on the dark web saw a 2,502% increase.

These numbers only prove how easy it is for anyone to conduct ransomware attacks, even without the specific knowledge needed to write such malware.

All of this leads to a high demand for anti-ransomware software capable of detecting and preventing such attacks. However, ransomware protection solutions of this kind are usually fairly complex and hard to develop, requiring considerable investment and an experienced development team. They often employ behavior-based algorithms coupled with wide system access and system control in order to effectively monitor the state of the OS and block all attacks in real time. Thus, the number of solutions that fit the bill in terms of detecting new ransomware strains is still fairly limited.

Types of ransomware

Generally, ransomware can be defined as malware specifically designed to extract a ransom from its victims. However, numerous different types of ransomware put their own unique spin on this basic idea. All ransomware can be divided into four major groups:

All modern types of ransomware stem from the very successful 2013 malware named CryptoLocker. Despite the fact that the very concept of ransomware appeared as early as the late 80s, and that ransomware existed all throughout the 90s and 2000s, it wasn’t until CryptoLocker adopted Bitcoin as an innovative means of paying the ransom that it became popular.

CryptoLocker spread through spam emails, encrypting files on Windows endpoints using a public/private key pair and demanding $400 in ransom, paid via Bitcoin. It was extremely successful, with the total amount of ransom paid estimated to be in the vicinity of $3 million.

As a result, a huge number of malware families tried to imitate the success of CryptoLocker, while at the same time expanding and improving upon its design.

Some of the other prominent ransomware examples include:

Ransomware detection via behavior-based algorithms

One of the main dangers of ransomware is the fact that it evolves extremely quickly. As already mentioned, new strains appear almost daily, and traditional signature-based detection methods cannot be used to detect them.

Of course, timely system updates can minimize risks when it comes to dealing with already known malware, while having a fresh backup lets you minimize the damage in case of an attack. But how do you prevent a ransomware attack from happening in the first place?

A popular approach to ransomware detection is to combine deep system monitoring with machine learning, resulting in a system that can detect new strains of ransomware in real time by searching for certain behavioral patterns.

Despite the fact that different strains of ransomware use different approaches to obfuscation, encryption, and demanding the ransom, the majority of them display similar behavioral patterns that can be detected. These patterns include:

All of the above-mentioned behavior can be detected by the anti-malware system, and the associated files can be quarantined or removed.

However, it is important to remember that a single type of behavior does not guarantee that you’re dealing with ransomware, and relying on it alone can lead to false negatives or false positives. To avoid these issues, you need to correctly detect a pattern that consists of several behavioral indicators. This requires analyzing each individual event in the context of the whole event stream in order to establish its connection with other events.
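As an added illustration of the point above (example code, not from the article or any product it mentions), the following Python sketch scores each process on several behavioral indicators over a sliding window of a constructed file-event stream: a lone high-entropy write (as a legitimate archiver would produce) or a single rename does not trigger a verdict, while the combination of indicators within one process does. The event format, the two indicator names and the thresholds are assumptions made for the example.

```python
from collections import defaultdict, namedtuple

# Constructed sample event stream (assumption, not from the article):
# "timestamp pid action path entropy"; entropy is the Shannon entropy
# (0-8 bits/byte) of the data written, as a file monitor might report it.
SAMPLE_EVENTS = """\
1 100 write  /home/u/docs/a.docx 7.9
2 100 rename /home/u/docs/a.docx->/home/u/docs/a.docx.locked 0
3 100 write  /home/u/docs/b.xlsx 7.8
4 100 rename /home/u/docs/b.xlsx->/home/u/docs/b.xlsx.locked 0
5 100 write  /home/u/docs/c.pdf 7.9
6 100 rename /home/u/docs/c.pdf->/home/u/docs/c.pdf.locked 0
3 200 write  /home/u/backup.zip 7.9
9 300 rename /home/u/notes.txt->/home/u/notes.md 0
"""
Event = namedtuple("Event", "ts pid action path entropy")

def parse_events(text):
    events = []
    for line in text.splitlines():
        ts, pid, action, path, entropy = line.split()
        events.append(Event(int(ts), int(pid), action, path, float(entropy)))
    return events

def indicators_per_process(events, window=10, min_entropy=7.5, min_files=3):
    """Collect behavioral indicators per pid, judging each event in the
    context of that process's other events within `window` seconds."""
    by_pid = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_pid[ev.pid].append(ev)
    result = {}
    for pid, evs in by_pid.items():
        found = set()
        for i, first in enumerate(evs):
            win = [e for e in evs[i:] if e.ts - first.ts <= window]
            # Indicator 1: many distinct files overwritten with high-entropy data
            hot = {e.path for e in win if e.action == "write" and e.entropy >= min_entropy}
            if len(hot) >= min_files:
                found.add("mass_high_entropy_writes")
            # Indicator 2: many files renamed to one and the same new extension
            exts = [e.path.split("->")[1].rsplit(".", 1)[-1] for e in win if e.action == "rename"]
            if len(exts) >= min_files and len(set(exts)) == 1:
                found.add("uniform_extension_renames")
        result[pid] = found
    return result

def classify(text, required=2):
    """Flag a process only when at least `required` indicators co-occur."""
    inds = indicators_per_process(parse_events(text))
    return {pid: ("suspect" if len(found) >= required else "benign") for pid, found in inds.items()}
```

Real monitors would add more indicators and tune the window and thresholds against benign workloads; the structure (per-process context, several co-occurring indicators) is what keeps a single event from producing a false positive.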

Ransomware prevention via early blocking

Behavior analysis is not the only way to protect against ransomware. Another solution is to block potentially malicious software outright, without trying to identify it via behavioral indicators.

Malware will often use the same techniques to attack the system. These techniques, for example, involve DLL or process injections, which can be blocked outright. This makes it possible to prevent the damage immediately and avoid resource-intensive behavior analysis.

However, the main challenge of this approach is the fact that the anti-malware solution needs to be able to distinguish between legitimate and malicious usage of hooks and injections. If this challenge is solved, such a method can prove extremely successful at preventing damage from ransomware.

While the threat of ransomware is very significant, it doesn’t mean that we don’t have the necessary means to deal with it.

There are several solutions available that focus on detecting zero-day ransomware attacks and preventing the damage. The most effective are hybrid solutions that combine behavioral analytics, statistics, and proactive blocking of certain potentially harmful actions, both to minimize the number of false positives and false negatives and to provide you with reliable defenses.

Another way to deal with ransomware is to use several solutions at once, provided they are compatible with each other.