Why Doesn’t My Antivirus Protect Against Ransomware?

Ransomware is growing rapidly. Victims have lost irreplaceable documents and precious photos and videos. Businesses have been harmed and in some cases forced to shut down. Hospitals and law enforcement agencies have been disrupted, putting people's lives at risk.

Given the magnitude of this problem, why does ransomware continue to plague so many? Many of us expect the antivirus software already installed on our computers to protect us from ransomware, but that protection is often not enough.

Clearly, a new approach is needed to accurately detect a ransomware attack and prevent loss of data.

How Does Ransomware Work?

Ransomware starts with the delivery of malware to the victim's computer, typically as a phishing email attachment, a malicious download, or an exploit kit that targets unpatched software. Once running, the malware walks the local file system (and often any reachable network shares) and encrypts the victim's files, usually with a per-victim key that is itself encrypted with the attacker's public key so that only the attacker can recover it. Many families send that key material and identifying details about the victim to a command-and-control server. The malware then drops a ransom note, as text files in each folder, a changed desktop background, or a pop-up, demanding payment, usually in Bitcoin, in exchange for the decryption key.

Limitations of Traditional Antivirus Software

Traditional antivirus software relies primarily on signature-based techniques to detect malicious files. A signature is like a digital fingerprint: it may be a specific sequence of bytes inside the file, or the cryptographic hash (for example SHA-256) of the whole file.

The challenge with signature-based detection is that antivirus software can only detect signatures it already knows. A sample of the malware must first be captured, usually from an infected victim, before it can be analyzed and a signature written. It then takes time for that signature to be published to the vendor's database, and more time still for users' software to download the update.

If the user has not updated their signature database, or if the malware has changed enough that no existing signature matches, the ransomware will not be detected and stopped. In the ransomware world this turns out to be a big problem, for the following reasons:

Variations in Ransomware. The financial success of ransomware has led to a proliferation of strains, with new versions being created at an alarming rate. Examples include Cerber, CryptoLocker, CryptoWall, Crysis, CTB Locker, Jigsaw, KeRanger, LeChiffre, Locky, Petya, TeslaCrypt, TorrentLocker, WannaCry, and ZCryptor. New variants of old strains also appear regularly. For example, Cerber has changed more than half a dozen times since it was first introduced, with a recent variant adding the capability to steal Bitcoin wallet data.

Morphing. In the cat-and-mouse game between cybercriminals and security software vendors, ransomware authors now use polymorphic and metamorphic code to generate versions that signatures cannot match. A polymorphic build encodes or encrypts its payload with a different key every time it is produced and attaches a small decoder that unpacks it at run time, so the file hash and the bytes on disk change while the behavior stays identical. Metamorphic code goes further and rewrites its own instructions (reordering them, substituting equivalent instructions, inserting junk) so that even the decoder has no fixed byte sequence. Either way, new variants can be generated in seconds, further eroding the efficacy of signature-based detection.

File Deletion. Some ransomware variants delete their own executable after the victim's files are encrypted, so there is no file left on disk for the antivirus to hash or scan, and less evidence for incident responders to recover a signature from.

Fileless Ransomware. Not all ransomware writes an executable to disk. Some variants use built-in scripting tools such as PowerShell or Windows Script Host to run entirely in memory, leaving no file for a signature scanner to examine.
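To make the signature-evasion problems above concrete, here is an added Python example written for this article; it is not code from RansomStopper or from any antivirus product. It builds a tiny signature database of both kinds the text describes, whole-file SHA-256 hashes and a fixed byte sequence, against a constructed, inert stand-in for a ransomware binary. It then shows how a trivially padded variant defeats the hash signature, and how a toy polymorphic build (single-byte XOR with a per-build key plus a minimal decoder stub, far simpler than a real engine) defeats both while still unpacking to the identical payload. The sample bytes, signature list and XOR packer are all constructed for illustration.

```python
import hashlib

# Constructed stand-in for a ransomware binary. These are inert bytes, not malware:
# a PE-style header stub followed by a ransom-note string and some padding.
SAMPLE_PAYLOAD = (
    b"MZ\x90\x00" + b"\x00" * 28
    + b"Your files have been encrypted. Pay 1 BTC to decrypt them."
    + b"\x00" * 16
)

# The two signature kinds the text describes: whole-file cryptographic hashes
# and byte sequences inside the file (the kind of pattern a YARA rule carries).
HASH_SIGNATURES = {hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()}
BYTE_SIGNATURES = [b"Your files have been encrypted"]


def matches_hash(sample: bytes) -> bool:
    return hashlib.sha256(sample).hexdigest() in HASH_SIGNATURES


def matches_byte_pattern(sample: bytes) -> bool:
    return any(sig in sample for sig in BYTE_SIGNATURES)


def scan(sample: bytes) -> str:
    """Report which signature technique, if any, catches the sample."""
    if matches_hash(sample):
        return "hash"
    if matches_byte_pattern(sample):
        return "byte-pattern"
    return "undetected"


def repack_append(sample: bytes) -> bytes:
    """Cheapest variant: append padding. The file hash changes, so the hash
    signature misses, but the byte pattern inside the file survives."""
    return sample + b"\x00" * 4


def polymorphic_pack(sample: bytes, key: int) -> bytes:
    """Toy polymorphic build: XOR-encode the body with a per-build key and
    prepend a minimal 'decoder stub' (here a marker plus the key byte). Each
    build with a new key has a different hash and no fixed byte sequence in its
    body, yet unpack() recovers the identical payload, so behaviour is unchanged.
    Real engines use stronger encoders and mutate the stub too; the single-byte
    XOR is only for illustration."""
    if not 0 < key < 256:
        raise ValueError("key must be a non-zero byte value")
    return b"STUB" + bytes([key]) + bytes(b ^ key for b in sample)


def unpack(packed: bytes) -> bytes:
    """What the stub does at run time: recover the original bytes."""
    key = packed[4]
    return bytes(b ^ key for b in packed[5:])


if __name__ == "__main__":
    for label, sample in [
        ("original", SAMPLE_PAYLOAD),
        ("padded", repack_append(SAMPLE_PAYLOAD)),
        ("packed, key 0x5A", polymorphic_pack(SAMPLE_PAYLOAD, 0x5A)),
        ("packed, key 0x3C", polymorphic_pack(SAMPLE_PAYLOAD, 0x3C)),
    ]:
        digest = hashlib.sha256(sample).hexdigest()[:16]
        print(f"{label:18s} sha256={digest}... verdict={scan(sample)}")
```

Run the file to print the verdict for each variant. The scanner in this form has no answer for the packed builds, and two builds with different keys share nothing a signature could anchor on; real engines respond with emulation of the decoder stub and with heuristic and behavioral rules, which is the direction the next section takes.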

Next Generation Anti-Ransomware

New anti-ransomware products, like RansomStopper, use techniques that do not depend on recognizing the signature of a ransomware file and that are designed to address the challenges above. These techniques include:

Static Analysis. Also called heuristic detection, this technique examines a file for suspicious characteristics (for example, a packed or high-entropy executable with only a tiny decoder in clear, or imports of cryptographic and file-enumeration APIs) and flags it without requiring an exact signature match.

Behavioral Analysis. Here the anti-ransomware software observes real-time file and process activity from the kernel layer of the Windows OS (typically through a file-system filter driver) and identifies actions consistent with ransomware, such as a single process rapidly rewriting many user files with encrypted-looking content, renaming them with a new extension, or deleting the originals. The offending process can be suspended or terminated, and the user given the choice to allow it or stop it. By detecting behavior rather than file signatures, the software can identify previously unseen malware and protect against new strains and variants of ransomware, including packed and fileless ones.

Machine Learning. Advanced tools apply machine learning classifiers, trained on features extracted from large sets of known-good and known-malicious files, to score a file before it executes and quarantine those judged likely to be malicious.

Deception and Honeypots. Advanced anti-ransomware software plants decoy (honeypot) files among the user's documents and sets on-demand traps. No legitimate application touches these files, so any process that modifies, renames, or deletes one has revealed itself as ransomware and can be stopped before it reaches real data.
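The behavioral analysis and deception techniques above can be demonstrated together. The following Python example is added for this article; it is not RansomStopper's code or any vendor's detection logic, and its event format, thresholds, file paths and sample activity are all constructed for illustration. It models the events a kernel-level file monitor would report, a decoy-file rule, and a behavioral rule that flags a process rewriting many distinct files with high-entropy, ciphertext-like content inside a short time window, then runs both rules over a constructed benign session and a constructed ransomware session.

```python
import hashlib
import math
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, Iterable, List, Optional, Set, Tuple


@dataclass
class FileEvent:
    """One file operation as a kernel-level monitor might report it (constructed format)."""
    t: float           # seconds since monitor start
    pid: int           # process that performed the operation
    op: str            # "write", "rename" or "delete"
    path: str
    data: bytes = b""  # content written, for "write" events


@dataclass
class Alert:
    t: float
    pid: int
    reason: str


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext and compressed data score near 8.0, documents far lower."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


class RansomwareBehaviorDetector:
    """Returns an Alert as soon as a process's file activity looks like mass encryption.
    A real product would then suspend the process and ask the user; this only decides."""

    def __init__(self, canary_paths: Set[str], window_s: float = 2.0,
                 burst_files: int = 5, entropy_threshold: float = 7.0):
        self.canaries = {p.lower() for p in canary_paths}
        self.window_s = window_s
        self.burst_files = burst_files
        self.entropy_threshold = entropy_threshold
        self._hot_writes: Dict[int, Deque[Tuple[float, str]]] = {}  # per pid: (t, path)

    def observe(self, ev: FileEvent) -> Optional[Alert]:
        # Rule 1 (deception): no legitimate program touches a decoy file, so any
        # write, rename or delete of one is an immediate high-confidence alert.
        if ev.path.lower() in self.canaries:
            return Alert(ev.t, ev.pid, f"decoy file touched: {ev.path}")
        # Rule 2 (behavior): many distinct files rewritten with encrypted-looking content
        # inside the window. One high-entropy write (saving a zip or a JPEG) is normal;
        # several per second across user documents is not.
        if ev.op == "write" and shannon_entropy(ev.data) >= self.entropy_threshold:
            win = self._hot_writes.setdefault(ev.pid, deque())
            win.append((ev.t, ev.path))
            while win and ev.t - win[0][0] > self.window_s:  # expire old entries
                win.popleft()
            n = len({p for _, p in win})
            if n >= self.burst_files:
                return Alert(ev.t, ev.pid,
                             f"{n} files rewritten with high-entropy content within {self.window_s}s")
        return None


def scan_events(detector: RansomwareBehaviorDetector,
                events: Iterable[FileEvent]) -> Optional[Alert]:
    """Feed events in order and stop at the first alert."""
    for ev in events:
        alert = detector.observe(ev)
        if alert:
            return alert
    return None


# Constructed sample activity; no real files are touched.
# The decoy is named to sort first, so a process walking the folder hits it early.
CANARY = r"C:\Users\alice\Documents\!decoy_0000.docx"
DOC = b"Quarterly report: revenue grew 4% over the prior quarter.\n" * 40


def ciphertext_like(seed: bytes, n: int = 4096) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted file content."""
    return hashlib.shake_256(seed).digest(n)


def benign_session() -> List[FileEvent]:
    """A user editing a document, then downloading one archive."""
    return [
        FileEvent(0.0, 1200, "write", r"C:\Users\alice\Documents\report.docx", DOC),
        FileEvent(1.5, 1200, "write", r"C:\Users\alice\Documents\report.docx", DOC + b"Appendix\n"),
        FileEvent(30.0, 1300, "write", r"C:\Users\alice\Downloads\photos.zip", ciphertext_like(b"zip")),
    ]


def ransomware_session(hit_decoy_first: bool) -> List[FileEvent]:
    """One process overwriting eight documents with ciphertext, ten files per second."""
    pid, t, events = 4410, 10.0, []
    if hit_decoy_first:
        events.append(FileEvent(t, pid, "write", CANARY, ciphertext_like(b"decoy")))
    for i in range(8):
        t += 0.1
        p = rf"C:\Users\alice\Documents\file{i}.docx"
        events.append(FileEvent(t, pid, "write", p, ciphertext_like(p.encode())))
    return events
```

Call `scan_events(RansomwareBehaviorDetector({CANARY}), ransomware_session(False))` to see the alert fire on the fifth ciphertext-like write, about half a second into the attack and with three files still intact; with `ransomware_session(True)` the decoy rule fires on the very first event. The benign session contains a single high-entropy write (a downloaded archive) and correctly produces no alert: the burst count, not entropy alone, is what separates ransomware from a user saving a zip file. The thresholds (five files in two seconds, 7.0 bits per byte) are illustrative; a deployed tool tunes them against real workloads, exempts known backup and archiving software, and combines several weak signals (extension changes, deletion of originals, shadow-copy removal) rather than relying on one.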

Antivirus and Ransomware Protection Work Better Together

The best practice is to use both: antivirus software and a next-generation anti-ransomware tool like RansomStopper. Antivirus is still needed for the wide range of other malware that can infect a computer. Affordable, lightweight anti-ransomware applications complement traditional antivirus tools and protect your files against the ransomware that slips past signature checks.