In light of increasing ransomware activity across the world, everybody is searching for something that can give early warning of an infection. After getting hit by two different variants of it, we also started thinking along the same lines. As Antivirus administrators, we also thought of playing our part by putting in restrictions such as blocking executables from the areas generally used by malicious software. But this proved to be of very little use in the case of ransomware. So we thought about hitting the ransomware exactly where it tries to hit us.
Most ransomware targeting end users and encrypting files targets office documents and PDFs. These are the files that are most important to users. So we thought about taking a white-listing approach to protect these files.
We did this:
- List the legitimate ways in which a user may delete these files. For example, if a user wants to delete Excel files, he may do it using Windows Explorer, or through the command prompt, or he can use Excel to overwrite an existing file, or he may download a file using a browser and overwrite an existing file. In this way, list all the processes (i.e. explorer.exe, cmd.exe, excel.exe, iexplore.exe etc.), according to the environment, that are allowed to make modifications to Excel files.
- Allow only these binaries to modify Excel files. Terminate any other executable that tries to modify these files. The same method can be followed for other types of files that we want to protect.
- We achieved this using the application control feature of SEPM. If such an event occurs, it can be found in the application control logs of SEPM.
- A warning can be set for users if such an event occurs, so that they can report it immediately.
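The allow-list logic described in the steps above, written out as an added Python example (not SEPM's own rule format or code from the original post): a per-extension table of processes permitted to modify protected files, an evaluator that returns allow/terminate/ignore for each file-modification event, and an `add_exception` helper for tuning out false positives. The process names, extensions, the `process|op|path` log line format and the sample events are all constructed for illustration.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Allow-list: which process images may modify which protected file types.
# Constructed for illustration; a real policy is built from the environment.
PROTECTED: Dict[str, Set[str]] = {
    ".xlsx": {"explorer.exe", "cmd.exe", "excel.exe", "iexplore.exe"},
    ".xls":  {"explorer.exe", "cmd.exe", "excel.exe", "iexplore.exe"},
    ".docx": {"explorer.exe", "cmd.exe", "winword.exe", "iexplore.exe"},
    ".pdf":  {"explorer.exe", "cmd.exe", "acrord32.exe", "iexplore.exe"},
}

# File operations that count as a modification of a protected file.
# For a rename the event path is the *source* name, so a ransomware rename of
# report.pdf to report.pdf.locked is still evaluated as touching a .pdf file.
MODIFY_OPS = {"write", "delete", "rename", "create"}


@dataclass
class Event:
    process: str   # full path or bare image name of the acting process
    op: str        # read / write / delete / rename / create
    path: str      # file being accessed


@dataclass
class Verdict:
    event: Event
    action: str    # "allow", "terminate" or "ignore"
    reason: str


def ext_of(path: str) -> str:
    """Return the lower-cased final extension of a Windows or POSIX path."""
    m = re.search(r"(\.[^.\\/]+)$", path)
    return m.group(1).lower() if m else ""


def evaluate(event: Event, policy: Dict[str, Set[str]] = PROTECTED) -> Verdict:
    """Apply the allow-list: unknown processes modifying protected files are terminated."""
    ext = ext_of(event.path)
    if ext not in policy:
        return Verdict(event, "ignore", "file type not protected")
    if event.op.lower() not in MODIFY_OPS:
        return Verdict(event, "ignore", "read-only access")
    proc = ntpath.basename(event.process).lower()   # compare on image name only
    if proc in policy[ext]:
        return Verdict(event, "allow", f"{proc} is allow-listed for {ext}")
    return Verdict(event, "terminate", f"{proc} is not allow-listed for {ext}")


def parse_event(line: str) -> Event:
    """Parse the constructed 'process|op|path' log format."""
    process, op, path = line.split("|", 2)
    return Event(process.strip(), op.strip(), path.strip())


def run(lines: List[str], policy: Dict[str, Set[str]] = PROTECTED) -> List[Verdict]:
    return [evaluate(parse_event(line), policy) for line in lines]


def add_exception(policy: Dict[str, Set[str]], ext: str, process: str) -> Dict[str, Set[str]]:
    """Return a copy of the policy with one more allowed process (false-positive tuning)."""
    tuned = {k: set(v) for k, v in policy.items()}
    tuned.setdefault(ext.lower(), set()).add(process.lower())
    return tuned


# Constructed sample events; the svchost.exe in a Temp folder stands in for an
# unknown binary, and soffice.bin for a legitimate but not-yet-listed editor.
SAMPLE_LOG = [
    r"C:\Windows\explorer.exe|delete|C:\Users\alice\Documents\budget.xlsx",
    r"C:\Program Files\Microsoft Office\EXCEL.EXE|write|C:\Users\alice\Documents\budget.xlsx",
    r"C:\Users\alice\AppData\Local\Temp\svchost.exe|write|C:\Users\alice\Documents\budget.xlsx",
    r"C:\Users\alice\AppData\Local\Temp\svchost.exe|rename|C:\Users\alice\Documents\report.pdf",
    r"notepad.exe|read|C:\Users\alice\Documents\notes.docx",
    r"notepad.exe|write|C:\Users\alice\Documents\todo.txt",
    r"C:\Program Files\LibreOffice\soffice.bin|write|C:\Users\alice\Documents\notes.docx",
]

if __name__ == "__main__":
    for v in run(SAMPLE_LOG):
        print(f"{v.action:9} {v.event.process} {v.event.op} {v.event.path}  ({v.reason})")
```

Running the block flags both Temp-folder `svchost.exe` events for termination while the Explorer and Excel modifications pass; the `soffice.bin` write is also terminated, which is the kind of false positive the post mentions and is cleared by `add_exception(PROTECTED, ".docx", "soffice.bin")` rather than by loosening the rule for every process.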
Though this will allow the ransomware to run to some extent, it will protect office documents. As soon as it tries to touch any office document (or any file format we are protecting) it will be terminated and further damage is prevented. Obviously we do expect to get some false positives, but we can surely add them to the white-list. We had carried out a few tests with ransomware samples in a test environment and the method is proving to be effective. Let us know your view about this approach.