The vexing tech challenge of fighting ransomware: A battle of milliseconds
As quick as a blink, that's the amount of time a new technology - developed by researchers from Australia's national science agency and a university in South Korea - takes to detect that ransomware has detonated on a computer and block it from causing further damage.
The finding seeks to address a vexing challenge that has stymied international efforts to stop such attacks. As hackers execute bolder attacks with bigger potential payouts, computer scientists are pushing the limits of software to make near-instantaneous decisions and save victims from ruin.
A spree of recent ransomware attacks have focused attention on the issue and spurred booming growth for part of the cybersecurity industry - one that has benefited from a presidential endorsement of sorts.
Since 2016, spending on "endpoint protection" software has more than doubled to $9.11 billion last year, according to data from Gartner Inc. Those are cybersecurity tools that protect "end user" devices such as laptops and desktop computers, which are vulnerable to being hacked through their users clicking on malicious links or phishing emails.
Last month, U.S. President Joe Biden issued an executive order that will require civilian federal agencies to deploy a specific type of that technology, called endpoint detection and response software, on their networks. Leading companies include SentinelOne Inc., Cybereason Inc., Microsoft Corp. and CrowdStrike Holdings Inc., according to Gartner.
The innovation of that software is that it blocks files deemed to be malicious - what traditional antivirus does - and goes a step further, automating the hunt for suspicious behavior on users' machines, aiming to identify poisoned code before it causes damage, according to Oliver Spence, co-founder of U.K.-based North Star Cyber Security. Still, Spence said the technical challenge remains daunting.
"Solving ransomware is magnitudes harder than solving spam and that isn't solved yet," he said. "How do you tell which email is legitimate or not? How do I tell if a process is legitimate or not? Solve either problem completely, and you are well on your way to being rich enough to retire."
Ransomware is a type of cyberattack that encrypts files on victims' computers, rendering them useless until a ransom is paid. It can take just minutes to cripple an entire network. The recent hacks of Colonial Pipeline Co., which shut the biggest gasoline pipeline in the U.S. for nearly a week, and of JBS, which temporarily shut all U.S. beef plants for the largest meat producer globally, have exposed gaps in protection for critical industries.
One of the few ways to get ahead of the problem is to have security software running deep inside a computer's operating system. There, it can see each program - or process - running on the machine and have the best shot at distinguishing between legitimate and nefarious ones.
"The technology exists to identify authorized processes versus unauthorized processes - that's actually not that terribly hard," said Lawrence Pingree, a managing vice president at Gartner. "The hard part is that ransomware, as a category, can use many hundreds of techniques including modifying or injecting authorized processes. Most security practitioners will tell you that it's a race condition where defenders keep augmenting security to match the changing threats."
Hackers often trigger alarms as they move around victim networks, performing reconnaissance and manipulating accounts while staging ransomware attacks, said Jared Phipps, senior vice president of sales engineering for SentinelOne. Endpoint detection and response software automates the analysis of those behaviors to try and stop the hackers before they escalate, he said.
"Executing the ransomware is the last thing they do," Phipps said. "There are weeks and weeks or even months of lead time in the attack. There are going to be many different systems touched and in most cases there are a lot of security alerts. There is absolutely time to stop those attacks."
One challenge of staying ahead of the problem is that skilled hackers routinely test their code and techniques against the latest security software, adapting when needed to evade detection, said Andrew Howard, chief executive officer of Switzerland-based Kudelski Security.
"Ransomware attacks today are typically human-operated, meaning that a human is actively guiding the attack," Howard said. "As the defenses get better, this drives new offensive techniques, which drives better defenses, which drives new offensive techniques, and so forth. There is not a 100% effective technical solution for this problem."
An executive at a leading cyber incident response firm, who asked not to be named discussing internal matters, said his company always recommends that ransomware victims it's assisting buy some form of endpoint detection and response software, and that about 70% do. He said his firm analyzed its deployments from one of the leading vendors and found that the software blocked almost all of the attacks. "The only three fails we have seen in three years were because of poor implementation by the client," the person said.
The person noted that such technologies aren't cheap, starting at about $12 per "endpoint" - or device - per month, with discounts for big deployments. For large organizations, that can mean millions of dollars per year. But to put that in perspective, Colonial paid a $4.4 million ransom, while JBS paid $11 million.
One way that organizations are paying for the upgrade is by replacing their antivirus programs. Gartner projects that within five years, more than 60% of large organizations will have replaced antivirus with endpoint detection and response and similar software.
In the meantime, computer scientists are racing to improve the speed and accuracy of their code for handling the "response" part of the equation, trying to shave milliseconds off their times for blocking malicious actions.
In January, researchers from the digital arm of Australia's national science agency - the Commonwealth Scientific and Industrial Research Organization's Data61 unit - and from Sungkyunkwan University in South Korea published details of an experimental technology they developed to detect ransomware by looking at some of the lowest-level signals in a computer's operating system.
One result, the researchers said, was the ability to detect ransomware on average in about 115 milliseconds, after just one file was encrypted - saving the rest of the computer and its contents. Software makers generally haven't disclosed specific performance metrics in this area, so it's unknown how the researchers' findings compare to commercial efforts to thwart the attacks.
The paper's lead author, Muhammad Ejaz Ahmed, wrote in an email that these results point to a goal that the security industry is urgently chasing. "Our approach can detect such activities at the early stages of a ransomware infection," he said. This opens the door to "detect and give and early warning even before any damage is done."