How to defeat every ransomware with Crypto Drop

Pierluigi Paganini July 13, 2016

A group of American boffins has devised a system dubbed Crypto Drop that, working with a “save what you can” approach, is able to defeat all ransomware.

A group of researchers from the University of Florida and Villanova University has devised a technique, dubbed Crypto Drop, to defeat all ransomware. The team published a paper on their study that demonstrates that it is possible to stop the threat by monitoring the activity on the targeted files.

Of course, it is a best-effort approach: the countermeasures are triggered only once the ransomware starts encrypting files. The experts demonstrated that it is possible to block it when it has encrypted just 0.2 percent of the files on the infected machine.

The technique relies on three primary indicators of the ransomware activity:

  • Bulk modification of file types;
  • Dissimilarity – the encrypted file looks nothing like the plaintext. This, after all, is a characteristic of all encryption;
  • Entropy – encryption should produce consistently high entropy in its output.

The researchers also identified so-called secondary indicators that support the primary ones, including deleting files in bulk and file type funnelling.

The analysis of the file modifications was conducted by the researchers using a tool called sdhash, which, once executed, provides a similarity score between the original file and the encrypted one.
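The three primary indicators and the similarity scoring described above, as an added example that is not code from the paper or from this post: a minimal file-write monitor that flags a rewrite whose output is high-entropy and dissimilar to the original, and raises an alarm once enough such rewrites cluster. The thresholds, the shingle-Jaccard score used as a stand-in for sdhash, the keystream “cipher” and the sample documents are all assumptions constructed for the demo.

```python
import hashlib
import math
from collections import Counter, deque

ENTROPY_THRESHOLD = 7.0     # bits/byte; ciphertext sits near 8.0 (assumed cut-off)
SIMILARITY_THRESHOLD = 0.1  # Jaccard score at or below which "after" looks nothing like "before"
BULK_THRESHOLD = 5          # suspicious rewrites among the last 20 writes before alarming

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty data, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def shingle_similarity(a: bytes, b: bytes, k: int = 4) -> float:
    """Jaccard similarity over k-byte shingles, a crude stand-in for sdhash's score."""
    sa = {a[i:i + k] for i in range(len(a) - k + 1)}
    sb = {b[i:i + k] for i in range(len(b) - k + 1)}
    return len(sa & sb) / len(sa | sb) if (sa or sb) else 1.0

class RansomwareMonitor:
    """Combines the three primary indicators: entropy, dissimilarity, bulk modification."""
    def __init__(self):
        self.recent = deque(maxlen=20)   # one bool per recent write: was it suspicious?
    def observe_write(self, path: str, before: bytes, after: bytes) -> dict:
        ent, sim = shannon_entropy(after), shingle_similarity(before, after)
        suspicious = ent >= ENTROPY_THRESHOLD and sim <= SIMILARITY_THRESHOLD
        self.recent.append(suspicious)
        return {"path": path, "entropy": round(ent, 2), "similarity": round(sim, 3),
                "suspicious": suspicious, "alarm": sum(self.recent) >= BULK_THRESHOLD}

def fake_encrypt(data: bytes, key: bytes) -> bytes:
    """Deterministic keystream XOR (SHA-256 in counter mode) standing in for a ransomware cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(x ^ y for x, y in zip(data[i:i + 32], block))
    return bytes(out)

def simulate() -> list:
    """Constructed scenario: one benign edit, then six documents rewritten as ciphertext."""
    doc = b"Quarterly report: revenue grew 4% while costs held flat. " * 60
    mon = RansomwareMonitor()
    results = [mon.observe_write("report.txt", doc, doc + b"Addendum: see appendix B.\n")]
    for n in range(6):
        results.append(mon.observe_write(f"doc{n}.txt", doc, fake_encrypt(doc, b"demo-key")))
    return results
```

The benign edit keeps low entropy and high similarity, so it is not counted; the alarm fires on the fifth ciphertext rewrite, which is the "bulk" indicator layered on the per-file ones.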

The test confirmed that the technique is able to contain the action of the ransomware: across all malware samples only 10 files were lost out of a total of 5,099 (0.2 percent).

The table below includes the results for the test conducted using Crypto Drop against the principal ransomware families.

(Table: Crypto Drop results against the principal ransomware families; image not reproduced here)

It is important to clarify that Crypto Drop is not a totally automated system; instead, it requires user interaction to distinguish between legitimate activity (such as encrypting files with a common compression tool) and a ransomware-based attack.

Stay Tuned!


Pierluigi Paganini

(Security Affairs – Crypto Drop, ransomware)


