Interested in Contributing? Read this
What is Ransomware?
“Ransomware is computer malware that installs covertly on a victim’s computer, executes a cryptovirology attack that adversely affects it, and demands a ransom payment to decrypt it or not publish it” — Wikipedia
Malicious code can be detected either by observing what it does (dynamic analysis) or by studying its structure (static analysis). The latter relies on the code's static properties: its binary hash, the byte sequences and strings it contains, or the functions it imports. Ransomware is routinely repacked or rewritten so that each new variant keeps the same functionality while sharing none of those static properties, which leaves its behavior as the one invariant a detector can rely on. This is why signature-based defenses cannot identify a fresh ransomware sample and protect an organization from it, and why traditional antivirus software stumbles. Ransomware differs from other malicious code in several key ways:
- Ransomware does not persist silently on a network or survey it while masking its presence. As soon as it starts encrypting files it reveals itself to the user and demands a hefty ransom to decrypt them.
- Ransomware needs neither full control over the system nor a specific target. It encrypts as many files as it can reach, hoping to have hit something important. This lack of specificity means detection requires continuous monitoring of file activity rather than watching a few sensitive assets.
- Ransomware works alarmingly fast. Depending on the speed of the machine and the number of files, encrypting every relevant file on an average hard drive takes about 5 to 20 minutes, so behavioral analysis has to deliver a verdict within that window to be of any use.
Every ransomware reads a file, writes an encrypted version of it and destroys the original. The same sequence of operations is performed by compression software, legitimate encryption applications and cloud-sync clients, so a behavioral detector must also distinguish ransomware from legitimate activity rather than merely spot encryption.
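As an added example (not code from the original page or from the project it describes), the following minimal behavioral detector runs over a constructed stream of file-system events. It alerts only when, inside a short window, many distinct originals are destroyed (deleted, or overwritten in place) and many distinct high-entropy files are written; a single zip archive (high entropy, nothing destroyed) or a sync client rewriting plaintext (many writes, low entropy) stays below both bars. The paths, thresholds, timestamps and file contents are all constructed for the example; the entropy threshold and file count are assumed values, not tuned figures.

```python
"""Toy behavioral ransomware detector over a constructed file-event stream."""
import math
import random
from dataclasses import dataclass


@dataclass
class FileEvent:
    ts: float            # seconds since an arbitrary epoch
    op: str              # "write" or "delete"
    path: str
    data: bytes = b""    # bytes written (only meaningful for "write")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext or compressed data, 4-5 for text."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def detect_ransomware(events, window=60.0, min_files=5, entropy_threshold=7.0):
    """Alert when some `window`-second span holds >= `min_files` distinct destroyed
    originals AND >= `min_files` distinct high-entropy writes (assumed thresholds)."""
    seen_low = set()     # paths last written with low-entropy (plaintext) content
    enc_writes = []      # (ts, path) of high-entropy writes
    destroyed = []       # (ts, path) of plaintext files deleted or overwritten in place
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.op == "write":
            if shannon_entropy(ev.data) >= entropy_threshold:
                enc_writes.append((ev.ts, ev.path))
                if ev.path in seen_low:          # plaintext overwritten in place
                    destroyed.append((ev.ts, ev.path))
            else:
                seen_low.add(ev.path)
        elif ev.op == "delete" and ev.path in seen_low:
            destroyed.append((ev.ts, ev.path))
    # Slide a window ending at every suspicious event and count distinct paths.
    for end in sorted({t for t, _ in enc_writes} | {t for t, _ in destroyed}):
        start = end - window
        enc = {p for t, p in enc_writes if start <= t <= end}
        gone = {p for t, p in destroyed if start <= t <= end}
        if len(enc) >= min_files and len(gone) >= min_files:
            return {"alert": True, "at": end, "encrypted": len(enc), "destroyed": len(gone)}
    return {"alert": False, "at": None, "encrypted": 0, "destroyed": 0}


# ---- constructed scenarios (not captured from any real system) ----
_RNG = random.Random(1337)


def _plaintext(i: int) -> bytes:
    return (f"Quarterly report {i}: revenue, costs, notes.\n" * 40).encode()


def _ciphertext(n: int = 4096) -> bytes:
    # Stand-in for cipher output: uniformly random bytes from a seeded generator.
    return bytes(_RNG.getrandbits(8) for _ in range(n))


def baseline_files(n: int = 8):
    """Documents that already exist on disk, written an hour before the incident."""
    return [FileEvent(-3600.0 + i, "write", f"/home/alice/doc{i}.docx", _plaintext(i))
            for i in range(n)]


def ransomware_events(in_place: bool = False):
    """Encrypt every document within seconds: write doc.locked and delete the
    original, or overwrite the original in place."""
    ev = baseline_files()
    for i in range(8):
        t, path = 100.0 + i * 0.5, f"/home/alice/doc{i}.docx"
        if in_place:
            ev.append(FileEvent(t, "write", path, _ciphertext()))
        else:
            ev.append(FileEvent(t, "write", path + ".locked", _ciphertext()))
            ev.append(FileEvent(t + 0.1, "delete", path))
    return ev


def compression_events():
    """A user zips the folder: one high-entropy write, originals untouched."""
    return baseline_files() + [FileEvent(100.0, "write", "/home/alice/docs.zip", _ciphertext())]


def sync_events():
    """A sync client rewrites every document with fresh plaintext and removes one."""
    ev = baseline_files()
    ev += [FileEvent(100.0 + i * 0.2, "write", f"/home/alice/doc{i}.docx", _plaintext(i + 100))
           for i in range(8)]
    ev.append(FileEvent(102.0, "delete", "/home/alice/doc7.docx"))
    return ev


if __name__ == "__main__":
    for name, evs in [("ransomware", ransomware_events()), ("in-place", ransomware_events(True)),
                      ("compression", compression_events()), ("sync", sync_events())]:
        print(f"{name:12s} {detect_ransomware(evs)}")
```

Requiring both signals together is what keeps the false positives in check: entropy alone would flag every archive or encrypted backup, and deletion counts alone would flag every cleanup script. Real monitors feed this kind of logic from a file-system minifilter or inotify/fanotify rather than a list, and tune the window and counts to the host.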