So, this may be entirely unreasonable in a productivity sense, but I have been thinking about a ransomware firewall that would essentially remove almost all ability for even unknown ransomware threats to truly be feasible in large-scale attacks. The unreasonable part I will start with is that this is an entirely different approach to security than normal. Generally, almost all IT software that must be maintained on systems approaches security, as well as other interests, with the idea that productivity is first and foremost the most important aspect of IT. There was also a time in history when productivity was more important than employee safety, and as time went on this has mostly changed. I believe too, with IT security, there is a change coming: instead of approaching security with productivity as the leading factor, forcing an allow-all ideology unless something is otherwise known to be malicious in nature, security concerns and breaches will outweigh the gains in productivity from approaching security in this manner. At that time, like productivity and worker safety, they will invert, and security will become more important than productivity, which will spur a new way of thinking about security: instead of allow all unless otherwise known to be malicious, it will be block all unless otherwise known to be good. We have already reached this point with firewalls and so on, which was not always the case before. With this thinking, it makes me wonder if creating a true ransomware soft firewall would be in line with this notion. In ransomware, there is primarily one major flaw that can be exploited to be used against itself, in my opinion, which ties almost all ransomware together in this one flaw.
Encryption requires a key, and there are only two true ways of creating an encryption key. There are PSKs, pre-shared keys, which are not suggested to be used unless necessary, and in large deployments they are essentially their own undoing because there are more "victim" machines to manipulate to garner this PSK from. That is the flaw in the PSK method, rendering it a less secure way of creating encryption keys and, as such, easier to "break" the encryption key or acquire it by other means such as decompilation of the malware, and so on. The only other method for creating encryption keys, which all ransomware and encryption requires, is to use the RNG (random number generator) chips and functions to create a truly unique string to be used as a key. In this method, because each key is random and unique, and usually the formulas are not reversible, you cannot find, acquire, or break the decryption key with a single victim machine using this key. As such, I believe creating software with signatures to block all calls to RNG chips/functions first and foremost, with a whitelist function to allow bypassing of this check or block, would be one way of stopping almost all credible ransomware threats, known and unknown, while PSK ransomware will be its own undoing in the long run. Mostly, while others do for one reason or another, RNG calls are used in encryption and gaming. As such, the whitelist could be pre-filled with known good software for encryption and games, etc., while blocking anything else from creating uniquely random strings. I do not have the experience to write the signatures myself, so I am not sure if this is a reasonably effective way of blocking ransomware. Does it seem this might be worth pursuing or researching, from other more experienced security engineers?

Hello, @oblivionisinevitable, and belated welcome to the Malwarebytes community!

What you're suggesting here sounds a whole lot like a variant of a Host Intrusion Prevention System. From a pure security standpoint, this is very much something I would want to see (especially seeing as I've suggested similar stuff before, myself), but HIPS-based security in any form (even VoodooShield) tends to require a lot of micromanagement and is probably not something that the Malwarebytes developers would likely want to try implementing. However, I can probably get @exile360 or @KDawg to check in on your idea; this is for the Business product line after all, so maybe a HIPS would be acceptable in this instance.

Unfortunately, not all random number generation is based in hardware. In fact, the grand majority of random number generation is only pseudo-random, and is performed in software.

https://en.wikipedia.org/wiki/Random_number_generation#%22True%22_vs._pseudo-random_numbers

https://en.wikipedia.org/wiki/Hardware_random_number_generator

https://en.wikipedia.org/wiki/Pseudorandom_number_generator

https://en.wikipedia.org/wiki/Cryptographically_secure_pseudorandom_number_generator

Even if most Ransomware out in the wild is lazy and uses existing system calls for generating random numbers, once what you are proposing gets put into effect, they'd probably all switch to Cryptographically-secure Pseudo-RNG, built directly into the Ransomware itself. So this trick could really only be used once before Ransomware developers start to catch on. However, it would at the very least slow them down~
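To make the point in the reply concrete (a cryptographically secure PRNG is ordinary software and needs no hardware RNG chip and no OS random-number call), here is an added example that is not from this thread or from Malwarebytes: HMAC_DRBG as specified in NIST SP 800-90A, over SHA-256, using only Python's `hmac` and `hashlib`. The seed value is a constructed constant for illustration; the output quality of any such generator depends entirely on the entropy of its seed, so a control that only gates calls to an RNG API never observes this computation at all.

```python
import hashlib
import hmac


class HmacDrbg:
    """HMAC_DRBG (NIST SP 800-90A) with SHA-256.

    Deterministic and pure software: K and V are updated only by HMAC,
    so every output byte is a function of the seed material supplied.
    """

    OUTLEN = hashlib.sha256().digest_size  # 32 bytes for SHA-256

    def __init__(self, seed_material: bytes) -> None:
        # Instantiate: K = 0x00..00, V = 0x01..01, then absorb the seed.
        self.K = b"\x00" * self.OUTLEN
        self.V = b"\x01" * self.OUTLEN
        self._update(seed_material)
        self.reseed_counter = 1

    def _hmac(self, key: bytes, data: bytes) -> bytes:
        return hmac.new(key, data, hashlib.sha256).digest()

    def _update(self, provided: bytes) -> None:
        # HMAC_DRBG_Update from SP 800-90A section 10.1.2.2.
        self.K = self._hmac(self.K, self.V + b"\x00" + provided)
        self.V = self._hmac(self.K, self.V)
        if provided:
            self.K = self._hmac(self.K, self.V + b"\x01" + provided)
            self.V = self._hmac(self.K, self.V)

    def reseed(self, seed_material: bytes) -> None:
        self._update(seed_material)
        self.reseed_counter = 1

    def generate(self, n: int) -> bytes:
        # HMAC_DRBG_Generate without additional input.
        out = b""
        while len(out) < n:
            self.V = self._hmac(self.K, self.V)
            out += self.V
        self._update(b"")
        self.reseed_counter += 1
        return out[:n]


def derive_key(seed_material: bytes, nbytes: int = 32) -> bytes:
    """Return nbytes of key material derived from seed_material alone."""
    return HmacDrbg(seed_material).generate(nbytes)


if __name__ == "__main__":
    SEED = b"constructed example seed, not real entropy"  # constructed
    print(derive_key(SEED).hex())
```

Feeding the same seed twice yields the same key, which is exactly why the security of the scheme rests on where the seed comes from rather than on which function produced the bytes.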
