- Bulk modification of file types,
- Dissimilarity in how an encrypted file looks compared to its plaintext version, and
- High entropy output consistently produced by encryption.
"Our system does not attempt to prevent all files from loss and is not intended to replace a user’s normal anti-malware software; rather, CryptoDrop is designed to be effective even when the user’s anti-malware software has failed to block the malware. Our system is built on Windows, a platform frequently targeted for ransomware attacks, providing a realistic solution to 'in-the-wild' threats. In doing so, we attack the core behavior of ransomware in a novel and practical manner that other anti-malware technologies fundamentally cannot."

The researchers tested their system by unleashing 14 distinct ransomware families consisting of 492 individual samples onto a directory of 5,099 user documents.
"An average of 10 files encrypted can cause enough problems. Attackers can break in through RDP. Once they are in, they can manually inspect the server and encrypt the most important files, or they can disable security tools to make sure nothing on the system is left untouched, thereby rendering CryptoDrop useless. Additionally, there are already some ransomware families that attack files with specified sizes or specified extensions (not the full extension list) first. If one of those files happens to be one of the 10 encrypted, that could spell a huge amount of trouble for the average user."

Aside from not being able to protect critical files, CryptoDrop still runs the risk of picking up false positives. The research team elaborates on that point:

"CryptoDrop is unable to determine the intent of the changes it inspects. For example, it cannot distinguish whether the user or ransomware is encrypting a set of documents. As a result, we expect that programs such as GPG and PGP, compression applications, and other applications which perform similar transformations will cause a CryptoDrop detection when applied to many user documents."

The system is not without its drawbacks, meaning its effectiveness would likely vary from user to user based upon how many critical files they have and how many background encryption-type tasks typically run on their computers. For now, CryptoDrop remains in the lab, but the research team hopes their system will eventually move to the public in the belief it can benefit the average user or company employee. You can read more about CryptoDrop in the researchers' paper here.
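The three indicators listed at the top of the article (file type change, dissimilarity between the old and new contents, and high-entropy output) and the false-positive caveat in the researchers' last quote can both be seen in a small simulation. The following is an added example written for this article, not CryptoDrop's code: the page gives neither the paper's similarity measure nor its thresholds, so the 4-gram Jaccard index used as a stand-in for similarity hashing, the entropy and similarity floors, the alert threshold, the toy XOR "cipher" (which exists only to produce encrypted-looking bytes) and the constructed sample documents are all assumptions.

```python
import hashlib
import math
import random
import zlib
from collections import Counter

# Thresholds are assumptions for this example; the article gives no numbers.
ENTROPY_FLOOR = 7.0      # bits per byte; plaintext documents sit far below this
SIMILARITY_FLOOR = 0.1   # 4-gram Jaccard below this counts as "dissimilar"
MIN_BYTES = 256          # entropy estimates on tiny files are unreliable


def shannon_entropy(data: bytes) -> float:
    """Empirical byte entropy in bits per byte (0.0 .. 8.0); 0.0 for tiny inputs."""
    if len(data) < MIN_BYTES:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


# Constructed, minimal magic-byte table; a real monitor would use libmagic.
MAGIC = {b"%PDF": "pdf", b"PK\x03\x04": "zip", b"\x89PNG": "png"}


def file_type(data: bytes) -> str:
    """Coarse type from magic bytes; valid UTF-8 is 'text', anything else 'unknown'."""
    for sig, name in MAGIC.items():
        if data.startswith(sig):
            return name
    try:
        data.decode("utf-8")
        return "text"
    except UnicodeDecodeError:
        return "unknown"


def ngram_jaccard(a: bytes, b: bytes, n: int = 4) -> float:
    """Stand-in for similarity hashing: Jaccard index over the sets of byte n-grams."""
    sa = {a[i:i + n] for i in range(len(a) - n + 1)}
    sb = {b[i:i + n] for i in range(len(b) - n + 1)}
    if not sa or not sb:
        return 0.0
    return len(sa & sb) / len(sa | sb)


def indicators(before: bytes, after: bytes) -> dict:
    """The three per-write indicators the article lists, evaluated on one file."""
    return {
        "type_changed": file_type(before) != file_type(after),
        "dissimilar": ngram_jaccard(before, after) < SIMILARITY_FLOOR,
        "high_entropy": shannon_entropy(after) > ENTROPY_FLOOR,
    }


class WriteMonitor:
    """Counts writes that trip at least two indicators and alerts once the count
    reaches alert_after (a hypothetical threshold, not CryptoDrop's)."""

    def __init__(self, alert_after: int = 3):
        self.alert_after = alert_after
        self.suspicious_writes = 0

    def observe(self, before: bytes, after: bytes) -> bool:
        if sum(indicators(before, after).values()) >= 2:
            self.suspicious_writes += 1
        return self.suspicious_writes >= self.alert_after


# --- constructed sample data and three simulated processes ---------------------

def make_document(seed: int, words: int = 2000) -> bytes:
    """Constructed plaintext: random words from a small vocabulary, compressible
    but not trivially so."""
    vocab = ["invoice", "quarter", "budget", "meeting", "review", "customer",
             "shipment", "contract", "summary", "forecast", "region", "notes"]
    rng = random.Random(seed)
    return " ".join(rng.choice(vocab) for _ in range(words)).encode()


def toy_encrypt(data: bytes, key: bytes) -> bytes:
    """XOR with a SHA-256 counter keystream. Exists only to produce
    encrypted-looking output for the demo; it is not a real cipher."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        keystream = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out += bytes(x ^ k for x, k in zip(data[offset:offset + 32], keystream))
    return bytes(out)


def simulate(kind: str, files: int = 5, alert_after: int = 3) -> bool:
    """Replay `files` writes of one kind and return whether the monitor alerted.
    kind: 'ransomware' (encrypts), 'compress' (user zips documents, the GPG/
    compression false positive the researchers describe), 'edit' (user appends)."""
    monitor = WriteMonitor(alert_after)
    alerted = False
    for i in range(files):
        before = make_document(seed=i)
        if kind == "ransomware":
            after = toy_encrypt(before, b"demo-key")
        elif kind == "compress":
            after = zlib.compress(before)
        else:
            after = before + b"\nAdded one line during normal editing."
        alerted = monitor.observe(before, after)
    return alerted


if __name__ == "__main__":
    for kind in ("ransomware", "compress", "edit"):
        print(f"{kind:11s} alert={simulate(kind)}")
```

Running the three simulations shows the point the researchers make: the encrypting process and the compressing process look identical to the indicators (new type, no shared content, near-8-bit entropy), while ordinary editing trips none of them. Any deployment of this approach therefore needs an allow-list or user confirmation path for legitimate bulk transformers, and the per-file cost before the alert threshold is reached is exactly the "10 files" the critic quoted above is worried about.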