By Francesco Palmieri, professor of Computer Science at the University of Salerno
Ransomware, considered today an important emergency from the cyber security point of view, is from malware agents who limit access to a device or to the data stored on it, typically using robust cryptographic techniques, and offer the possibility of unlocking only after the payment of a ransom.
This type of threat began to acquire notoriety in 2013, following the massive spread of the Cryptolocker worm, associated with the extortion for about 3 million dollars. Even though it seems new, the concept behind ransomware was introduced in 1996 by Adam L. Young and Moti Yung in their article “Cryptovirology: extortion-based security threats and countermeasures” presented at the IEEE Symposium on Security and Privacy. The authors called this attack a kind of “cryptoviral extortion”.
We are therefore talking about a concept that has been discussed for a long time, but which saw the first practical applications around the years 2005-2006 with the spread of the first real examples of ransomware worms such as Gpcode, TROJ.RANSOM.A, Archiveus, Krotten, Cryzip, and MayArchive, which caused the first major damages.
The spread of a well-designed ransomware can create large-scale problems in general, but what can a user do against malicious agents like these? In reality there is not much that the user can do, apart from not succumbing to blackmail, since in the vast majority of cases lead to absolutely nothing. Paying could only be useful to facilitate tracking operations to get to the origin of the malware. Even thinking about recovering your data through sophisticated cryptanalysis and key recovery techniques starting from the knowledge of your data and the encrypted material left available on your device is practically utopia, given that the cryptographic techniques used are typically very sophisticated and well tested.
How can we prevent a ransomware attack?
If after the attack there is not much to be done, before the attack, users can do a lot. Making sure they have an up-to-date backup of their data in order to be able to rebuild everything is always a good idea, as well as having basic protection elements on their device, such as updated antivirus and system activity monitoring agents. However, antiviruses generally only recognise known ransomware activities, so it’s quite difficult to recognise one showing up for the first time. Users are therefore quite defenseless against this threat.
What can be done at a systemic level?
Ransomware, even when it is not a known entity, somehow it has a typical behaviour, such as, for example, reading the content of the entire disk, progressively or in blocks, and then encrypting it. This activity leads not only to a more extensive use of the CPU, but, as the data blocks are encrypted, the global entropy on disk increases, i.e. the degree of disorganisation of all data.
The user does not notice anything, but when active agents are installed on the individual devices for monitoring purposes, there is a real possibility for them to detect if something is wrong. And here comes the first interesting aspect of a response at the systemic level. In fact, this detection should not remain closed in the device, but it should be communicated externally. It has to be communicated to an ecosystem of closely cooperating enforcement security devices, located at users and providers, dealing with security following a holistic approach. Whether it is a firewall or an intrusion prevention system, for example, the individual agents, which operate as security “sensors”, must notify this detection from the involved device to all devices participating in this global cooperation of logic and knowledge sharing.
An artificial immune system
At this stage, a very critical point is that the various systems that receive this information should not keep it closed within their own brand or cooperation network. It is essential that information relating to a new threat is shared on the largest possible scale, allowing it to be analysed, verified, compared and correlated with other events recorded at the level of the various organisations involved, which can determine its threat character, as well as automatically identify and disseminate countermeasures. We are talking about an early alerting system that integrates network devices, collects reports and creates shared knowledge using Artificial Intelligence technologies and more specifically machine learning.
In this situation it is possible to operate in a logic of situation of awareness both through the identification of specific countermeasures, linked to a particular context (for example, already compromised systems), and through counter-reaction techniques of a more general nature, to be applied in order to anticipate, for example, the spread of malware: it is very difficult to find an isolated case and most of the times the malicious agent begins to spread like wildfire in a fairly aggressive logic. Only if this massive propagation is promptly noticed countermeasures can be generated and propagated, thus addressing the proliferation of agents on the machine. Obviously, the detection must be as timely as possible and only the use of sophisticated inference logics managed at the machine level (starting from the analysis and correlation of large amounts of data collected by the “sensors” available on user devices and on those of network) can guarantee the necessary reaction times.
It is important to build a defence system that can become a sort of artificial immune system, which perceives the hostile element and nips the activity in the bud. It’s a change of vision, a change of approach, caused also by the changes in the way we connect to the network and work. Until recently, it was enough to have efficient perimeter protection to be able to feel safe, while today the perimeter no longer exists, it has become liquid, also thanks to mobility and the availability of connectivity everywhere.
Holistic and collaborative approach to security
We are talking about known components to be harmonised in a logic of security fusion according to the various defense functions that have to be orchestrated. Threat intelligence, which consists in the structured recognition of threats followed by the automation of the response, helps us in this.
It is necessary to create common standards and interfaces so that these systems can cooperate with each other, so the vendors of antivirus should use completely open and available APIs that anyone can integrate into their system.
As the threat is evolving, we will be almost forced to go in this direction so that we can have a real protection ecosystem that can do prevention, threat identification and real-time update for the creation of countermeasures. Not only, as the information available to individuals can be limited, it is necessary to have integrated visibility that gives access to everyone’s information. Of course, this approach cannot ignore the innovative machine learning techniques allowing us to analyse large amounts of data and more generally from new AI technologies.
The driving role of research
In this context, the driving role of research becomes fundamental to promote new mechanisms of inference and construction/elicitation of knowledge as well as the use of common standards that can create interoperability. Research can lead us to build prototypes of these solutions to show that they are the most valid and “future safe” solutions to address this problem and thus give the right path to vendors and suppliers of services and equipment. In relation to this aspect, I’m working with my group to develop solutions that rely on AI techniques to recognise new threats by putting together events collected in multiple points of observation through standardised interfaces.
About the author
Francesco Palmieri is currently full professor of Computer Science at the University of Salerno where he teaches Computer Networks and Cybersecurity. His scientific interests are essentially focused in the field of telecommunications networks and systems.
He had a significant role in the development of research networks in Italy, as a member of the Scientific Technical Committee of the Italian Research Network GARR. He also actively contributed to the security of networks in universities and research, as a founding member of the Computer Emergency Response Team of the GARR Network.
About Salerno University
The Computer Science Department of the University of Salerno represents an important point of reference in the national and international panorama. It is the only IT department located in Southern Italy that has obtained recognition as a department of excellence for the five-year period 2018/2022. It was one of the first computer science departments established in Italy. About 40 teachers and researchers in the IT area belong to it and contribute to the creation of a wide range of training and research activities of recognized quality.
Read more on the GÉANT Cyber Security Month 2020: https://dev.connect.geant.org/csm2020