While some researchers point out how ransomware is quickly growing more sophisticated, Engin Kirda says the lion's share of ransomware seen in the wild isn't so clever.
"People are making it sound like it's so bad it can't be detected," says Kirda, chief architect and co-founder of Lastline and a computer science professor at Northeastern University. "I just want to set it in perspective."
At Black Hat Las Vegas next month, in his session "Most Ransomware Isn't As Complex As You Might Think," Kirda will present his findings from looking at a broader selection of ransomware samples. He'll show what they can and can't do, and how they could be detected.
Certainly, Kirda acknowledges, there are cases when truly clever cryptoransomware confounds security forensics companies. In April, the Tewksbury, Mass. police department paid a $500 ransom to CryptoLocker operators after private information security firms, the Department of Homeland Security, and the FBI all failed to decrypt locked files (which included backups) after five days of trying.
Similarly, Kirda says that cases like the WIPALL wiper malware -- which locked the client machines at Sony Pictures Entertainment, made mysterious requests, then later wiped all the machines -- have led some people to the perception that ransomware is frequently used in targeted attacks.
Yet, targeted attacks aren't really the ransomware M.O. -- unlike kidnappers, ransomware operators go for volume, asking many targets for modest sums.
"Who do you make money from? You make money from normal people," Kirda says, and most ransomware is simply "good enough for normal people."
Kirda says that although ransomware technology could be used for very nasty attacks, in the majority of cases, the payloads aren't actually very sophisticated. Even CryptoWall, which the FBI called "the most current and significant ransomware threat targeting U.S. individuals and businesses," has different families, some of which are equipped with the most nefarious capabilities and others that aren't.
In a lot of cases, Kirda says, they don't run at the kernel level, just in the regular application layer. They might use encryption, but with weak algorithms that are poorly implemented.
"They do encryption, but they do a terrible job of it," he says.
Other ransomware doesn't even have the capabilities it claims to have; it's just bluffing, says Kirda. It might threaten that it's going to delete data that it doesn't actually have the ability to delete.
"It's more like scareware [than ransomware]," says Kirda, "but the [regular] user doesn't know that."
Among the detection methods Kirda points to is behavior-based detection: watching how files change rather than matching known samples. Of course, that requires a move up from simply signature-based anti-virus -- something that has been a tough sell even in the business world, much less the consumer world.
"Some of the technology we have right now, it's not targeted to normal users," says Kirda. He hopes behavior-based detection will make the jump to the consumer market soon, because it could make a big difference against ransomware.
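To make the "watching for how files change" idea concrete, here is an added example (not code from the article, from Kirda, or from Lastline) of a minimal behavior-based detector. It consumes a constructed stream of file-system events, computes per-process features that typical crypto-ransomware produces (many files rewritten with high-entropy content in a short time, each then renamed to a new extension), and flags a process only when those signals coincide. The event format, the thresholds, and the three sample processes are all assumptions made for the illustration.

```python
import math
import os
from dataclasses import dataclass, field

@dataclass
class FileEvent:
    """One file-system event as a hypothetical monitoring agent might report it."""
    ts: float            # seconds (monotonic)
    pid: int
    op: str              # "write" or "rename"
    path: str
    data: bytes = b""    # content written (for "write")
    new_path: str = ""   # destination path (for "rename")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted or compressed data approaches 8.0, plain text sits around 4-5."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

@dataclass
class ProcessStats:
    files_written: set = field(default_factory=set)
    total_writes: int = 0
    high_entropy_writes: int = 0
    extension_changes: int = 0
    first_ts: float = 0.0
    last_ts: float = 0.0

# Assumed thresholds; a real deployment would tune these against benign baselines.
ENTROPY_THRESHOLD = 7.0          # bits/byte above which a write looks like ciphertext
MIN_FILES_PER_MINUTE = 20.0      # mass-modification rate
MIN_HIGH_ENTROPY_RATIO = 0.8     # share of writes that look encrypted
MIN_EXT_CHANGES = 5              # renames that swap the file extension

def summarize(events):
    """Aggregate per-process features from an event stream."""
    stats = {}
    for ev in sorted(events, key=lambda e: e.ts):
        s = stats.setdefault(ev.pid, ProcessStats(first_ts=ev.ts, last_ts=ev.ts))
        s.last_ts = ev.ts
        if ev.op == "write":
            s.total_writes += 1
            s.files_written.add(ev.path)
            if shannon_entropy(ev.data) >= ENTROPY_THRESHOLD:
                s.high_entropy_writes += 1
        elif ev.op == "rename":
            if os.path.splitext(ev.path)[1] != os.path.splitext(ev.new_path)[1]:
                s.extension_changes += 1
    return stats

def is_suspicious(s: ProcessStats) -> bool:
    """All three signals must coincide: fast, encrypted-looking, and extension-changing."""
    span = max(s.last_ts - s.first_ts, 1.0)
    rate = len(s.files_written) / span * 60.0
    ratio = s.high_entropy_writes / s.total_writes if s.total_writes else 0.0
    return (rate >= MIN_FILES_PER_MINUTE
            and ratio >= MIN_HIGH_ENTROPY_RATIO
            and s.extension_changes >= MIN_EXT_CHANGES)

def flag_processes(events):
    """Return the sorted list of pids whose behavior matches the ransomware pattern."""
    return sorted(pid for pid, s in summarize(events).items() if is_suspicious(s))

def build_sample_events():
    """Constructed sample data: one ransomware-like process, one editor, one archiver."""
    ciphertext_like = bytes(range(256)) * 4   # every byte value equally frequent: entropy 8.0
    text_like = b"Quarterly report, section 1. Revenue was flat.\n" * 20
    events = []
    # pid 4242: rewrites 8 documents with ciphertext-like data and renames each within ~8 seconds
    for i in range(8):
        p = f"C:/Users/alice/Documents/report{i}.docx"
        events.append(FileEvent(100.0 + i, 4242, "write", p, data=ciphertext_like))
        events.append(FileEvent(100.5 + i, 4242, "rename", p, new_path=p + ".locked"))
    # pid 1337: a text editor saving three files over several minutes (low entropy, no renames)
    for i in range(3):
        p = f"C:/Users/alice/Documents/notes{i}.txt"
        events.append(FileEvent(200.0 + 90 * i, 1337, "write", p, data=text_like))
    # pid 2001: an archiver writing compressed output quickly (high entropy, but no extension changes)
    for i in range(6):
        p = f"C:/Backups/archive{i}.zip"
        events.append(FileEvent(300.0 + 0.5 * i, 2001, "write", p, data=ciphertext_like))
    return events

if __name__ == "__main__":
    for pid, s in summarize(build_sample_events()).items():
        print(pid, "suspicious" if is_suspicious(s) else "benign", s)
```

Requiring the signals to coincide is what keeps the archiver and the editor off the alert list: high-entropy writes alone describe any backup or compression job, and a burst of renames alone describes a bulk file organizer. This is also why such a detector catches the "good enough for normal people" samples Kirda describes: even a poorly implemented cipher still produces high-entropy output and still has to touch many files quickly, so the weakness of the cryptography does not matter to the behavioral signal.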