Ransomware infections seem to have gained steam in recent months, but a new ransomware vaccine holds some promise: it could protect against popular ransomware variants like Locky, TeslaCrypt, or CTB-Locker.
Cybersecurity company Lexsi, based in France, has developed four "minor system modifications," which it calls ransomware vaccines, aimed specifically at preventing Locky infections.
However, Lexsi warned that the vaccines it presented in its blog post "are not efficient against the current Locky variant."
"A minor modification can be a specific mutex or registry key creation, or a simple system parameter modification which will not cause any inconvenience to the user," Sylvain Sarméjeanne, malware reverse engineer at Lexsi, wrote in a blog post. "... [A]t the beginning of its execution, Locky checks the system language and doesn't infect those configured in Russian. It is therefore possible to set the system language to Russian to prevent from being infected but the system is likely to be hardly usable for many people."
The blog post describes protections including changes to the Windows registry or forcing the ransomware to use a public RSA key or a corrupted RSA key. Sarméjeanne noted in the post that these ransomware vaccines "must be administered before the disease arrives."
To make those vaccines easier to administer, security researchers at Bitdefender Labs have created a new tool that bundles the Locky ransomware vaccines from Lexsi with previous vaccines created to protect against TeslaCrypt and CTB-Locker.
"The new tool is an outgrowth of the CryptoWall vaccine program, in a way," Alexandru Catalin Cosoi, chief security strategist at Bitdefender, wrote in a blog post. "We had been looking at ways to prevent this ransomware from encrypting files even on computers that were not protected by Bitdefender antivirus and we realized we could extend the idea."
Bogdan Botezatu, senior e-threat analyst at Bitdefender, said the tool should help to reduce the "extremely tedious" work of implementing the protections and guard against mistakes in registry edits, which could "permanently damage the operating system."
How long will it last?
Experts generally agreed that the ransomware vaccines in question would be successful in protecting users, but all questioned how long such protections would last.
In addition to the Lexsi vaccine being ineffective against the current Locky variant, the CryptoWall vaccine that Bitdefender had created in Nov. 2015 was retired last week because Bitdefender could no longer "guarantee the proper functioning of the vaccine."
Botezatu said Bitdefender will be working to defeat future versions of ransomware with its tool.
"Ransomware creators would be able to issue a fix to circumvent this kind of detection and this is exactly why we have built in the automatic update feature," Botezatu said. "Whenever we detect a new variant of ransomware that tries to get around the vaccine, we research the sample, see how it interacts with the system and update the vaccine."
Travis Smith, senior security research engineer at Tripwire, said ransomware vaccines are short-term solutions at best.
"A ransomware vaccine is like plugging a hole in a boat with your foot, it's a short term solution which gives you some time to fix the overall problem," Smith said. "Criminals adapt to their surroundings, once it's well-known that the infection can be prevented via a specific means, attackers will change their tactics to infect machines in another way."
Günter Ollmann, chief security officer at Vectra Networks, said these kinds of vaccines are designed to break the "sequential installation or malicious activities of malware" and may not protect against an entire family of malware.
"While such approaches can successfully protect against that single permutation of the threat, those protections are quickly circumvented with subsequent iterations of the threat. In fact, the more a company explains or boasts about a simple protection scheme, the quicker it is circumvented by the malware authors," Ollmann said. "Malware authors have likely already updated and released new variants of their malware within 24 hours of reading any public disclosures of methods to vaccinate a computer against their previous variant of malware. It is a trivial task."
Smith said deploying such vaccines may not be worth the cost for a relatively short period of protection.
"Deploying the vaccine is letting someone else's detection become your prevention. Organizations with a mature security department may be looking into deploying such protections to their users," Smith said. "However, testing, deploying and supporting the fix can be time-consuming and costly for many organizations. For what may be a short term fix, some organizations may not see the return on investment and choose instead to focus efforts on other areas of security."