A battle of MILLISECONDS
Ongoing tech challenge of fighting ransomware is countered by improved hacking techniques
Just 115 milliseconds. As quick as a blink, that's the amount of time a new technology, developed by researchers from Australia's national science agency and a university in South Korea, takes to detect that ransomware has detonated on a computer and block it from causing further damage.
The finding seeks to address a vexing challenge that has stymied international efforts to stop such attacks. As hackers execute bolder attacks with bigger potential payouts, computer scientists are pushing the limits of software to make near-instantaneous decisions and save victims from ruin.
Several recent ransomware attacks have focused attention on the issue and spurred booming growth for part of the cybersecurity industry.
Since 2016, spending on “end point protection” software has more than doubled to US$9.11 billion last year, according to data from Gartner Inc. Those are cybersecurity tools that protect “end user” devices such as laptops and desktop computers, which are vulnerable to being hacked through their users clicking on malicious links or phishing emails.
Last month, U.S. President Joe Biden issued an executive order that will require civilian federal agencies to deploy a specific type of that technology, called end point detection-and-response software, on their networks.
The innovation of that software is that it blocks files deemed to be malicious — what traditional antivirus does — and goes a step further, automating the hunt for suspicious behaviour on users' machines, aiming to identify poisoned code before it causes damage, says Oliver Spence, co-founder of U.K.-based North Star Cyber Security. Still, Spence said the technical challenge remains daunting.
“Solving ransomware is magnitudes harder than solving spam and that isn't solved yet,” he said. “How do you tell which email is legitimate or not? How do I tell if a process is legitimate or not? Solve either problem completely, and you are well on your way to being rich enough to retire.”
Ransomware is a type of cyberattack that encrypts files on victims' computers, rendering them useless until a ransom is paid. It can take just minutes to cripple an entire network. The recent hacks of Colonial Pipeline Co., which shut the biggest gasoline pipeline in the U.S. for nearly a week, and of JBS SA, which temporarily shut all U.S. beef plants for the largest meat producer globally, have exposed gaps in protection for critical industries. One of the few ways to get ahead of the problem is to have security software running deep inside a computer's operating system. There, it can see each program — or process — running on the machine and have the best shot at distinguishing between legitimate and nefarious ones.
“The technology exists to identify authorized processes versus unauthorized processes — that's actually not that terribly hard,” said Lawrence Pingree, a managing vice-president at Gartner. “The hard part is that ransomware, as a category, can use many hundreds of techniques including modifying or injecting authorized processes.”
Hackers often trigger alarms as they move around victim networks, performing reconnaissance and manipulating accounts while staging ransomware attacks, said Jared Phipps, senior vice-president of sales engineering for SentinelOne. End point detection-and-response software automates the analysis of those behaviours to try to stop the hackers before they escalate.
“Executing the ransomware is the last thing they do,” Phipps said. “There are weeks and weeks or even months of lead time in the attack. There are going to be many different systems touched and in most cases there are a lot of security alerts. There is absolutely time to stop those attacks.”
One challenge is that skilled hackers routinely test their code and techniques against the latest security software, adapting when needed to evade detection, said Andrew Howard, chief executive officer of Switzerland-based Kudelski Security. “As the defences get better, this drives new offensive techniques, which drives better defences, which drives new offensive techniques, and so forth.”
An executive at a leading cyber incident response firm, who asked not to be named discussing internal matters, said that company always recommends that the ransomware victims it is assisting deploy end point detection-and-response software, and that about 70 per cent do. He said his firm analyzed its deployments from one of the leading vendors and found that the software blocked almost all of the attacks. “The only three fails we have seen in three years were because of poor implementation by the client,” the person said.
The person noted that such technologies aren't cheap, starting at about $12 per device per month, with discounts for big deployments. For large organizations, that can mean millions of dollars per year. But for perspective, Colonial paid $4.4 million in ransom, while JBS paid $11 million.
Meanwhile, computer scientists are racing to improve the speed and accuracy of their code for handling the “response” part of the equation, trying to shave milliseconds off their times for blocking malicious actions.
In January, researchers from the digital arm of Australia's national science agency — the Commonwealth Scientific and Industrial Research Organization's Data61 unit — and from Sungkyunkwan University in South Korea published details of an experimental technology they developed to detect ransomware by looking at some of the lowest-level signals in a computer's operating system.
One result, the researchers said, was the ability to detect ransomware on average in about 115 milliseconds, after just one file was encrypted — saving the rest of the computer and its contents.
The paper's lead author, Muhammad Ejaz Ahmed, said these results point to a goal that the security industry is urgently chasing.
“Our approach can detect such activities at the early stages of a ransomware infection,” he said. This opens the door to “detect and give an early warning even before any damage is done.”