SBN

Ransomware deletion methods and the canary in the coal mine

Introduction 

Ransomware is an emergent threat. Every week, there is a new and notable outbreak of this class of data encryption malware. From Ragnar Locker to Netwalker, the threats are increasing, and they are crippling and extorting an ever-widening group of organizations.

This piece of malware is not new. Early on, ransomware encrypts everything as fast as possible, trying to do damage before any response/reactions could initiate from the victim’s side. The point-of-infection is easy to detect — usually an unfixed or out-of-date device. The problem here is that the threat is only detected when the encryption process is terminated, making applications stop working and resulting in a large volume of data encrypted.

In this article, we will discuss some deletion methods used by recent ransomware threats and how canaries can help to fight and detect early ransomware activity.

Deletion methods used by ransomware

To be an effective incident, a ransomware incident begins by discovering how to delete shadow copies on the target device. In addition to the backup file recovery mechanism, the Windows operating system has another complementary way to recover data. Shadow copies have been present since Windows XP. In a nutshell, this tool allows one to create backup copies of files, making it possible to go back to the previous point or perform a system restore.

Despite this functionality of Windows operating systems, the story does not always have a happy ending. Recent pieces of ransomware look for this feature during the infection chain and eliminate all copies of the device, making it impossible to restore the system to an earlier point.

This mechanism works on the Volume Shadow Copies Service (VSS) and is supported by other important components named VSS Writers and VSS Providers. VSS Writers are responsible for supplying a steady pipeline of data (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Pedro Tavares. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/y7DqJnM_t_8/