Ransomware Prevention Idea

I just thought of an idea to prevent ransomware that encrypts the hard drive. I am not an expert in this field, so I would like some feedback. It is very simple. Maybe this has already been thought of before.

Would it be viable to have a policy in the OS that prevents file encryption without a master password? That would obviously prevent the malware from encrypting the drive without it.

The nature of malware is about circumventing security measures altogether. So, no.

4 Likes

So should I just disable all the security measures on my computer, such as anti-virus, firewall, etc.?

The big problem is that an OS doesn't know that a file is being encrypted. It only sees program A open file B, change the file or replace it with one that has different content, then move on to file C, do the same with that, then file D, etc.

You can't just stop programs from making changes to files, otherwise you'd have to enter your master password every time you save a file, change a setting in a game, or whenever Windows decides to update or make a system restore point.
You'd end up with a Vista-like security system, which will get annoying real quick and will be disabled by people.

6 Likes

Thus far the absolute best way to protect yourself is frequent backups of ALL data from ALL devices on a network, stored offline and away from potentially infected devices. In that case, you can simply restore from a backup and go.

1 Like

That is exactly what I do.

1 Like

So the issue I see here is that the OS can't differentiate between making changes to a file and encrypting it. Maybe if you set up something that could just detect encryption methods. This would not stop malware from deleting or changing files on the drive, but at least they wouldn't be able to hold anything for ransom.

The problem is that the method would either have to

  • have a list of all encryption methods and cross-check the list, or
  • be some sort of AI that would look at a file and just somehow know if it's being encrypted or not.

The problem with method A is some hacker tweaks something or translates it to Russian and boom, you have no defense.
The problem with method B is we can't get AI to accurately identify a cat 100% of the time, much less identify every variation and possible variation of encryption. And that's not going into the actual system stress and difficulty of running this AI.

3 Likes

That kind of AI would take an entire core of the CPU running ALL the time, and that would be a rudimentary AI at that, checking the entire system. It would not affect massive 16-core/32-thread chips as badly, but more common quad-core systems would take a massive hit. The AI would basically be sending a "hey, what are you doing?" request to EVERYTHING being stored on the drive. Not to mention, the AI itself could be used to kill systems because of the extensive access it would have to the entire system.

1 Like

I see.

If blacklists of encryption methods are not viable, maybe there are some general telltale signs of encryption that could be flagged.

There is also the false positive aspect, as you NEED to be able to use encryption. If you have some sort of encryption-flagging method running in the background, it could create a lot of problems when you try to, say, use your bank online or encrypt or decrypt a file.

1 Like

I don't THINK there are "universal" signs of something being encrypted. But even then, we go back to the CPU looking at EVERYTHING for a longer period of time. Someone may be able to clarify better, but it is not like an anti-virus looking at every file being downloaded, because an AV only acts during a download. This thing would have to CONSTANTLY look at files to see what they are doing and see if they are triggering X, Y or Z. The first step in what you are talking about would be a hardware firewall that monitors such things, and that would require a system with some balls. It is far more than anyone but an enthusiast would do. The average person would not want to learn to set it up, assuming it could be set up. It would be one system monitoring ALL systems on the network and would likely require its own OS.

1 Like

@fredrich_nietze Yes, that may be an issue. Even though you could simply type in the master password if you actually wanted to encrypt something, it may break certain programs that use encryption, such as video-game save/user files that are encrypted.

@ProSonicLive Would it really have to constantly monitor everything? Or could it not just take a look whenever changes are being saved?
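The "telltale signs" approach discussed in the last few posts can be sketched in code. This is an added example, not code from anyone in the thread: it assumes a hypothetical monitor that sees each file rewrite as a (pid, path, old bytes, new bytes) event, which is the "look when changes are saved" model rather than constant scanning (how such hooks are obtained from the OS is out of scope), uses Shannon entropy as the sign of encryption, and stands in for the ransomware with a toy SHA-256 keystream XOR that is not a real cipher. All documents and events are constructed inline. It also shows the false-positive problem raised above: a zlib-compressed file scores far above plain text as well, and a user's own encryption tool produces exactly the same signal on a single file, so the only thing that separates it from ransomware here is the number of files touched.

```python
import hashlib
import math
import random
import zlib
from collections import Counter, defaultdict

# Constructed sample data: a small vocabulary and a deterministic generator
# for "documents" that look like ordinary low-entropy text.
VOCAB = ("the quick brown fox jumps over the lazy dog invoice quarterly "
         "report budget meeting notes customer address phone total amount "
         "due paid overdue").split()


def make_document(seed: int, words: int = 500) -> bytes:
    """Deterministic pseudo-text document (constructed sample input)."""
    rng = random.Random(seed)
    return " ".join(rng.choice(VOCAB) for _ in range(words)).encode()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4-5 for text, 6-7+ for compressed data,
    close to 8 for ciphertext. Returns 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """Toy XOR with a SHA-256 keystream. Only here to produce
    ciphertext-like bytes for the simulation; NOT a real cipher."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        stream = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], stream))
    return bytes(out)


class RewriteMonitor:
    """Hypothetical behaviour monitor fed with file-rewrite events.

    A process is flagged once it has turned `max_hits` distinct files from
    low entropy into high entropy: the "program A rewrites B, then C, then
    D" pattern described in the thread. One such rewrite is deliberately
    not enough, because a user's own encryption tool does the same thing
    to one file.
    """

    def __init__(self, threshold: float = 7.5, max_hits: int = 5):
        self.threshold = threshold
        self.max_hits = max_hits
        self.hits: dict[int, set[str]] = defaultdict(set)

    def observe(self, pid: int, path: str, old: bytes, new: bytes) -> bool:
        """Record one rewrite; return True if `pid` is now over the limit."""
        if shannon_entropy(old) < self.threshold <= shannon_entropy(new):
            self.hits[pid].add(path)
        return len(self.hits[pid]) >= self.max_hits

    def flagged(self) -> set[int]:
        return {pid for pid, paths in self.hits.items()
                if len(paths) >= self.max_hits}


def entropy_report(seed: int = 0) -> dict[str, float]:
    """Entropy of one document as plain text, zlib-compressed and
    toy-encrypted: a threshold alone cannot tell the last two apart."""
    doc = make_document(seed)
    return {
        "plain": shannon_entropy(doc),
        "compressed": shannon_entropy(zlib.compress(doc, 9)),
        "encrypted": shannon_entropy(toy_encrypt(b"toy-key", doc)),
    }


def simulate(n_docs: int = 8) -> set[int]:
    """Replay a constructed event stream and return the flagged pids."""
    docs = {f"C:/Users/alice/Documents/doc{i}.txt": make_document(i)
            for i in range(n_docs)}
    mon = RewriteMonitor()
    # pid 4242: "ransomware" rewriting every document with ciphertext
    for path, content in docs.items():
        mon.observe(4242, path, content, toy_encrypt(b"ransom-key", content))
    first = next(iter(docs))
    # pid 777: the user's own tool encrypting one file (same signal, one hit)
    mon.observe(777, first, docs[first], toy_encrypt(b"user-key", docs[first]))
    # pid 900: an editor appending a line (low -> low entropy, no hit)
    mon.observe(900, first, docs[first], docs[first] + b"\nappended note\n")
    return mon.flagged()


if __name__ == "__main__":
    print(entropy_report())
    print("flagged pids:", simulate())
```

Run it and only pid 4242 is flagged; the single-file encryption by pid 777 and the plain edit by pid 900 are not. Raise the number of files the user's tool encrypts past `max_hits` and it is flagged too, which is the false-positive trade-off the posts above are describing: the signal is "many files going from low to high entropy quickly", not "encryption", and compressors, archivers and legitimate encryption tools all produce it.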

You could take the rights to change files in a directory away from the user/admin so only System can write to it. That way ransomware would have to get system-level privilege, at which point it is game over anyway.
The downside to the method is having to allow users to write to the directory when you want to update files or add new ones.

1 Like

I'm not too familiar with Windows, but what if you just allow executables to run only from the Programs folder?

1 Like

I am curious if a TPM or similar hardware could be utilized in some way to mitigate ransomware attacks, but then again, it may already be in use and yet ineffective.

1 Like

I think even if the OP's idea was feasible and Microsoft implemented such a feature, most people would still disable or ignore it. Microsoft have long introduced methods by which to secure and lock down Windows systems, but at the same time try to maintain backwards compatibility and user-friendliness, which can weaken them (SMB v1.0 being enabled by default in Windows 10!).

E.g. how many companies actually introduced this kind of thing on their Windows estates?

https://technet.microsoft.com/en-us/library/aa940985.aspx

The only industries I have worked in that are anal about security and actually implement this stuff properly are banking and defence. The retail and logistics sectors tend to have IT departments that get ignored or told to shut up, until it's too late…

The big WannaCrypt and NotPetya attacks this year only took hold in areas where patching and security were neglected; the tools to stop ransomware already exist, they just need to be used.

1 Like

My workplace uses one password for nearly everything, and it doesn’t meet basic password standards. We joke about how it will be the downfall of the company one day when a disgruntled employee decides to use it maliciously. I only just recently managed to convince the sysadmin to allow us to change the default password of our email away from the name of the email itself (formerly user:[email protected] password:sfakename for Scott Fakename).

So many facepalms…

2 Likes

…that is seriously scary and could well mean the company's systems get so compromised or corrupted that it never recovers.

Just look at how much the recent NotPetya has cost FedEx: $300 million. The subsidiary (TNT) whose systems were compromised basically no longer exists in Windows AD terms; from what I understand they had to rebuild into FedEx. If TNT was a standalone business it could well have gone under.

If I were you, I would actually consider looking for a job elsewhere. It’s no longer a case of ‘if’ a company will get compromised, but rather ‘when’ and by how much.

1 Like

Meh, every day I spend here ups my resume. I run an R&D department for a SAN-building company. They do take my advice, if slowly. One day I’ll have it patched down tight. Hopefully before the SHTF.

2 Likes