Extortion extinction: Researchers develop a way to stop ransomware

July 8, 2016 by Steve Orlando, University of Florida

Ransomware - what hackers use to encrypt your computer files and demand money in exchange for freeing those contents - is an exploding global problem with few solutions, but a team of University of Florida researchers says it has developed a way to stop it dead in its tracks.

The answer, they say, lies not in keeping it out of a computer but rather in confronting it once it's there and, counterintuitively, actually letting it lock up a few files before clamping down on it.

"Our system is more of an early-warning system. It doesn't prevent the ransomware from starting ... it prevents the ransomware from completing its task ... so you lose only a couple of pictures or a couple of documents rather than everything that's on your hard drive, and it relieves you of the burden of having to pay the ransom," said Nolen Scaife, a UF doctoral student and founding member of UF's Florida Institute for Cybersecurity Research.

Scaife is part of the team that has come up with the ransomware solution, which it calls CryptoDrop.

Ransomware attacks have become one of the most urgent problems in the digital world. The FBI issued a warning in May saying the number of attacks has doubled in the past year and is expected to grow even more rapidly this year.

It said it received more than 2,400 complaints last year and estimated losses from such attacks at $24 million last year for individuals and businesses.

Attackers are typically shadowy figures from other countries lurking on the Dark Web and difficult, if not impossible, to find. Victims include not only individuals but also governments, industry, educational institutions and financial entities.

Attacks most often show up in the form of an email that appears to be from someone familiar. The recipient clicks on a link in the email and unknowingly unleashes malware that encrypts his or her data. The next thing to appear is a message demanding the ransom, typically anywhere from a few hundred to a few thousand dollars.

"It's an incredibly easy way to monetize a bad use of software," said Patrick Traynor, an associate professor in UF's department of computer and information science and engineering and also a member of the Florida Institute for Cybersecurity Research. He and Scaife worked together on developing CryptoDrop.

Some companies have simply resigned themselves to that inevitability and budgeted money to cover ransoms, which usually must be paid in Bitcoin, a digital currency that defies tracing.

Ransomware attacks are effective because, quite simply, they work.

Antivirus software is successful at stopping them when it recognizes ransomware malware, but therein lies the problem.

"These attacks are tailored and unique every time they get installed on someone's system," Scaife said. "Antivirus is really good at stopping things it's seen before ... That's where our solution is better than traditional anti-viruses. If something that's benign starts to behave maliciously, then what we can do is take action against that based on what we see is happening to your data. So we can stop, for example, all of your pictures from being encrypted."

Scaife, Traynor and colleagues Kevin Butler at UF and Henry Carter at Villanova University lay out the solution in a paper accepted for publication at the IEEE International Conference on Distributed Computing Systems and scheduled to be presented June 29 in Nara, Japan.

The results, they said, were impressive.

"We ran our detector against several hundred ransomware samples that were live," Scaife said, "and in those cases it detected 100 percent of those malware samples and it did so after only a median of 10 files were encrypted."

And CryptoDrop works seamlessly with .

"About one-tenth of 1 percent of the files were lost," Traynor said, "but the advantage is that it's flexible. We don't have to wait for that anti-virus update. If you have a new version of your ransomware, our system can detect that."

The team currently has a functioning prototype that works with Windows-based systems and is seeking a partner to commercialize it and make it available publicly.

8 comments

BrettC
3 / 5 (2) Jul 08, 2016
"Seeking a partner" or selling to the highest bidder? Sounds like another form of extortion.
How hard is it to develop software and sell it, really. Loads of small companies do it every day.
Besides, Trend Micro already has a built in Utility, in their OfficeScan product, that detects encryption of files and halts the process doing it.
finnjacob
1 / 5 (1) Jul 09, 2016
Seems like paying with bitcoin is a key to the extortion. Would it be possible to make the use of bitcoin trackable?
koitsu
1 / 5 (1) Jul 09, 2016
"Seeking a partner" or selling to the highest bidder? Sounds like another form of extortion.
How hard is it to develop software and sell it, really. Loads of small companies do it every day.
Besides, Trend Micro already has a built in Utility, in their OfficeScan product, that detects encryption of files and halts the process doing it.


And perish the thought that these already gainfully employed individuals would release their software for free, in the public interest.
nwarden
1 / 5 (1) Jul 09, 2016
Nobody wants to have to run another security product. What they should be doing is licensing this to established companies like Kaspersky and Norton, etc. I think this will benefit them the most, while providing protection to the majority of users. Considering the growth of ransomware, this needs to happen soon.
24volts
3 / 5 (2) Jul 10, 2016
Seems like paying with bitcoin is a key to the extortion. Would it be possible to make the use of bitcoin trackable?


Not very easy at all. That was one of the main reasons for its creation.
joequincy
1 / 5 (1) Jul 11, 2016
"Seeking a partner" or selling to the highest bidder? Sounds like another form of extortion.
How hard is it to develop software and sell it, really. Loads of small companies do it every day.
Besides, Trend Micro already has a built in Utility, in their OfficeScan product, that detects encryption of files and halts the process doing it.


And perish the thought that these already gainfully employed individuals would release their software for free, in the public interest.


Nolen Scaife, a UF doctoral student - not gainfully employed.
Patrick Traynor, an associate professor ... at UF - living off a professor's salary
And Kevin Butler at UF and Henry Carter at Villanova University whose employment statuses are not listed, but who at most are working for universities.

Don't ask why these people who have done hard work are not giving it away for free. Welcome to capitalism.
rgw
1 / 5 (1) Jul 14, 2016
Better yet, round up a few of these extortionists; and, though I would prefer targeting them with extreme prejudice, hit them with about 5 years hard time.
