New software stops ransomware attacks

Credit: CC0 Public Domain

Engineers from SMU's Darwin Deason Institute for Cybersecurity have developed software that detects ransomware attacks before attackers can inflict catastrophic damage.

Ransomware—a type of malware infection that causes important data files to be locked and prevents users from accessing their important data until the hacker is paid—is crippling cities and businesses all over the world, and the number of have increased since the start of the coronavirus pandemic. Attackers are also threatening to publicly release if ransom isn't paid. The FBI estimates that ransomware victims have paid hackers more than $140 million in the last six-and-a-half years.

Unlike existing methods, such as or other intrusion detection systems, SMU's new software works even if the ransomware is new and has not been used before.

SMU's detection method is known as sensor-based ransomware detection because the software doesn't rely on information from past ransomware infections to spot new ones on a . In contrast, existing technology needs signatures of past infections to do its job.

"With this software we are capable of detecting what's called zero-day ransomware because it's never been seen by the computer before," said Mitch Thornton, executive director of the Deason Institute and professor of electrical and in SMU's Lyle School of Engineering. "Right now, there's little protection for zero-day ransomware, but this new software spots zero-day ransomware more than 95 percent of the time."

The new software also can scan a computer for ransomware much faster than existing software, said Mike Taylor, lead creator of the software and a Ph.D. student at SMU.

"The results of testing this technique indicate that rogue encryption processes can be detected within a very small fraction of the time required to completely lock down all of a user's sensitive data files," Taylor noted. "So the techniquedetects instances of ransomware very quickly and well before extensive damage occurs to the victim's computer files."

Southern Methodist University (SMU) has filed a for this technique with the U.S. Patent and Trademark Office.

Lyle Engineering students Taylor, a cybersecurity Ph.D. student, and Kaitlin N. Smith, a recent electrical engineering Ph.D. graduate, created the software, along with Thornton.

"Ransomware is malware that enters a victim's computer system and silently encrypts its stored files. It then alerts the user that they must pay a ransom, typically in a non-traceable currency such as bitcoin, in order to receive the key to decrypt their files," Thornton explained. "It also tells the victim that if they do not pay the ransom within a certain time period, the key for decryption will be destroyed and thus, they will lose their data."

SMU's software functions by searching for small, yet distinguishable changes in certain sensors that are found inside computers to detect when unauthorized encryptions are taking place.

When attackers encrypt files, certain circuits inside the computer have specific types of power surges as files are scrambled. Computer sensors that measure temperature, power consumption, voltage levels, and other characteristics can detect these specific types of surges, SMU researchers found.

The SMU software monitors the sensors to look for the characteristic surges. And when a suspicious surge is detected, the immediately alerts the computer to suspend or terminate the ransomware infection from completing the encryption process.

Use of the computer's own devices to spot "is completely different than anything else that's out there," Taylor said.

Citation: New software stops ransomware attacks (2020, May 13) retrieved 24 February 2024 from
This document is subject to copyright. Apart from any fair dealing for the purpose of private study or research, no part may be reproduced without the written permission. The content is provided for information purposes only.

Explore further

Some hackers take the ransom and run: researchers


Feedback to editors