How A.I. is taking on ransomware
NEW YORK — Twice in the space of six weeks, the world has suffered major attacks of ransomware — malicious software that locks up photos and other files stored on your computer, then demands money to release them.
It’s clear that the world needs better defenses, and fortunately those are starting to emerge, if slowly and in patchwork fashion. When they arrive, we may have artificial intelligence to thank.
Ransomware isn’t necessary trickier or more dangerous than other malware that sneaks onto your computer, but it can be much more aggravating, and at times devastating. Most such infections don’t get in your face about taking your digital stuff away from you the way ransomware does, nor do they shake you down for hundreds of dollars or more.
Despite those risks, many people just aren’t good at keeping up with security software updates. Both recent ransomware attacks walloped those who failed to install a Windows update released a few months earlier.
Watchdog security software has its problems, too. With this week’s ransomware attack , only two of about 60 security services tested caught it at first, according to security researchers.
“A lot of normal applications, especially on Windows, behave like malware, and it’s hard to tell them apart,” said Ryan Kalember, an expert at the California security vendor Proofpoint.
How to find malware
In the early days, identifying malicious programs such as viruses involved matching their code against a database of known malware. But this technique was only as good as the database; new malware variants could easily slip through.
So security companies started characterizing malware by its behavior. In the case of ransomware, software could look for repeated attempts to lock files by encrypting them. But that can flag ordinary computer behavior such as file compression.
Newer techniques involve looking for combinations of behaviors. For instance, a program that starts encrypting files without showing a progress bar on the screen could be flagged for surreptitious activity, said Fabian Wosar, chief technology officer at the New Zealand security company Emsisoft. But that also risks identifying harmful software too late, after some files have already been locked up.
An even better approach identifies malware using observable characteristics usually associated with malicious intent — for instance, by quarantining a program disguised with a PDF icon to hide its true nature.