You would have heard of royal families, dynasties, political and business families of the day, but you would have never heard of ransomware families. Presuming that ransomware has made a name for itself as the front runner malware of Cyber Crime, it needs no further introduction. As Pegasus decides the fate of interception and privacy in the world, ransomware decides the existential health and comfort levels of individuals, businesses and governments, across the globe. As we are too shy to even know the capabilities of Pegasus to keep ourselves safe, we also behave like ostriches when it comes to ransomware. Same as Artificial Intelligence and Industrial Revolution 4.0 will take a few decades to catch our imagination, ransomware and interception technologies might also take the same time on the digital devastation side. By that time, it happens, we would have lost it all.
Ransomware is known today by the family it belongs to, each of these families have different characteristics and also have a specific brand of file system activity. SOPHOS has done a commendable job in researching eleven of these families and published a research paper to that effect. The aim of the paper is to give ”security operators a guideline to understand the core behaviors that underlie the ransomware attacks.” The Sophos’ behavioral engine, Intercept X also uses this knowledge to convict ransomware. The knowledge of the defenders about the most prevalent and persistent malware families will help in tackling ransomware. As a simple analogy, it is like the professional knowledge of a police officer of organized crime gangs.
”Ransomware behavior is its Achilles’ heel.” How far can you go in handling ransomware investigation without knowledge, tools and not keeping pace with the highest level industry research globally. Blogs and papers on this topic have generally focused on threat’s delivery, encryption algorithms etc. with the connected indicators of compromise. That approach has not been yielding results as have been seen in a spate of attacks the world over, in the last three / four years. Sophos takes a different and a fresh approach to this problem and in a way might open an effective way of preventing and investigating this digital malaise. The new approach is ”analysis of the file system activity or behaviors of prominent crypto-ransomware families.”
Modern ransomware has learnt the art of changing its appearance, by what we call as ”obfuscate its code,” The purpose and behavior remains intact mostly. The ransomware also shows its tell when it strikes. Sophos is of the opinion that there is a fighting chance. It says that there are many ways in which the system administrators can resist and one such clear example suggested is; ”Windows 10 Controlled Folder Access (CFA) whitelisting.” The ransomware families researched are; WanaCry, Matrix, GandCrab, SamSam, Dharma, BitPaymer, Ryuk, LockerGoga, MegaCortex, RobbinHood and Sodinokibi. Where do we go from here? These are the crimes of today and tomorrow, how equipped are we?
UNDERSTNDING RANSOMWARE IS THE BIGGEST INVESTIGATIVE CHALLENGE TODAY.