Modern field guide to security and privacy

As ransomware rises, cybersecurity researchers fight back

Security researchers are developing new tools for consumers to protect themselves against the scourge of malware designed to encrypt files until victims pay fees.

Illustration by Erick Montes

Patrick Wardle admits he's not an authority on ransomware, but the former National Security Agency computer expert is rarely fazed by even the most cunning computer attacks.

So when he spotted a new variety of the dangerous program designed to encrypt victims' files until they pay ransoms, he set out to build a better tool to thwart the rising technical scourge.  

“Hackers are kind of like burglars trying to break into people’s houses,” says Mr. Wardle, who lives in Hawaii – separated from his employers at the Silicon Valley-based bug bounty firm Synack by more than 2,000 miles of Pacific Ocean. “If you have an alarm system, they’re just going to break into your neighbor’s house and steal all of their stuff. It’s just a numbers game.”

While ransomware attacks have been growing over the past several years, making headlines for hitting hospitals, police stations, and universities, many of the technical defenses are designed for large business systems. Until recently, the most that consumers could do was follow basic security practices: back up files and always avoid clicking on suspicious links.

And, according to Wardle, most antivirus software has failed to defend against new strains of ransomware. But it wasn't until they hit the Mac operating system that Wardle – whose research mainly focuses on Apple's computer security – became engaged in the fight. Until March, when attackers hacked the Mac-friendly BitTorrent program Transmission, ransomware attacks mostly took aim at Windows systems.

The variety of ransomware known as KeRanger proved troubling to Wardle since it appeared to be a legitimate Apple application – allowing it to encrypt files without the computer ever detecting it. Even for people who had the digital equivalent of alarm systems – such as sophisticated antivirus programs – the KeRanger attack had a way around them.

“The download was also signed with a developer ID,” he said. “The user wasn’t to blame at all. That’s what spurred me to do something.”

Yet when he examined the KeRanger software, Wardle detected a glaring flaw. When it locked up files, KeRanger left behind a data trail. It was just the opening Wardle needed to build his own antiransomware tool. 

His free program known as RansomWhere? acts as something of a ransomware alert system. It scours log files to provide a desktop warning to Mac users, notifying them when their files are being infected and encrypted by ransomware – and gives them the opportunity to stop it.

So far, RansomWhere? has been downloaded about 20,000 times, but it's hardly foolproof. The program also can't recover files that have already been encrypted.

But as Wardle continues to refine his side project – his day job is director of research for Synack – a growing number of other cybersecurity firms are coming out with programs designed to help consumers outwit malicious hackers armed with ransomware.

“We can’t stop this in a traditional method, so lots of new technologies are being developed to counter the threat,” says Adam Kujawa, head researcher at the antivirus company Malwarebytes. “With ransomware, when you find out you’re infected with it, it’s game over.”

Ransomware is spreading so fast that it now represents 70 percent of malware downloaded from webpages on the internet, says Mr. Kujawa. The company offers free antiransomware software to Windows consumers that aims to stop ransomware from encrypting even a single computer file.

But most antiransomware products are designed for large business systems. One example is the cybersecurity firm SentinelOne's updated malware protection system, which includes a feature called "rollback" that restores clean copies of all files infected with ransomware.

Another firm, Vectra Networks, has also developed a ransomware detection scheme that can quickly recognize the virus by a series of malicious behaviors, such as unauthorized file encryption, combined with a so-called “file canary” system: a set of phony files used to bait hackers.
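The two detection ideas the article describes – warning the user when files start being encrypted (the RansomWhere? passage above) and planting decoy “canary” files that no legitimate program should touch (the Vectra Networks passage) – can be illustrated with a small monitor. The following is an added example written for this page; it is not code from RansomWhere?, Synack, or Vectra Networks. The canary file names, the 7.0 bits-per-byte entropy threshold, and the `simulate()`/`run_demo()` scenarios are constructed assumptions, and the “encryptor” stand-in simply overwrites a decoy with random bytes.

```python
"""Canary-file ransomware detector (illustrative): plants decoy files,
then flags any canary that is deleted or rewritten, using Shannon
entropy to tell a mundane edit from the high-entropy output of
encryption."""
import hashlib
import math
import os
import tempfile
from collections import Counter

# Assumed threshold: encrypted or compressed data sits near 8 bits/byte,
# ordinary text and office documents well below it.
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


class CanaryMonitor:
    """Plants decoy ("canary") files and reports tampering with them.
    The names are constructed examples chosen to sort early, so a
    file-walking encryptor would likely reach them before real data."""

    CANARY_NAMES = ("!aaa_invoice.docx", "~$budget.xlsx")

    def __init__(self, directory: str):
        self.baseline = {}  # path -> sha256 of the planted content
        for name in self.CANARY_NAMES:
            path = os.path.join(directory, name)
            content = (f"canary {name}\n" * 64).encode()
            with open(path, "wb") as fh:
                fh.write(content)
            self.baseline[path] = hashlib.sha256(content).hexdigest()

    def check(self) -> list:
        """Return (path, reason) for every canary that changed."""
        alerts = []
        for path, expected in self.baseline.items():
            if not os.path.exists(path):
                alerts.append((path, "deleted"))
                continue
            with open(path, "rb") as fh:
                data = fh.read()
            if hashlib.sha256(data).hexdigest() == expected:
                continue
            if shannon_entropy(data) >= ENTROPY_THRESHOLD:
                alerts.append((path, "rewritten with high-entropy data"))
            else:
                alerts.append((path, "modified"))
        return alerts


def simulate(directory: str) -> dict:
    """Run constructed scenarios in `directory` and return the alert
    reasons for each phase (a demo, not real malware behaviour)."""
    monitor = CanaryMonitor(directory)
    results = {"clean": [r for _, r in monitor.check()]}

    # A user editing one of their own files must not trip the canaries.
    with open(os.path.join(directory, "notes.txt"), "w") as fh:
        fh.write("meeting moved to thursday\n")
    results["user_edit"] = [r for _, r in monitor.check()]

    # A benign, low-entropy rewrite of a canary still counts as tampering.
    first, second = list(monitor.baseline)
    with open(first, "w") as fh:
        fh.write("accidentally opened and saved\n")
    results["plain_rewrite"] = [r for _, r in monitor.check()]

    # Stand-in for an encryptor: overwrite one canary with random bytes
    # (random data, not an actual cipher) and delete the other one.
    with open(first, "wb") as fh:
        fh.write(os.urandom(4096))
    os.remove(second)
    results["encrypt_like"] = sorted(r for _, r in monitor.check())
    return results


def run_demo() -> dict:
    """Run simulate() inside a throwaway directory and return its results."""
    with tempfile.TemporaryDirectory() as tmp:
        return simulate(tmp)


if __name__ == "__main__":
    for phase, reasons in run_demo().items():
        print(f"{phase:15s} -> {reasons or 'no alerts'}")
```

A real monitor would poll or subscribe to file-system events rather than being asked to `check()`, and would act on the first alert (for example by suspending the writing process), which is the “opportunity to stop it” the article attributes to RansomWhere?. The entropy test is what distinguishes the high-entropy ciphertext produced by encryption from an ordinary edit, at the cost of missing an attacker who simply deletes or zero-fills files; that is why the monitor reports deletions and plain modifications separately rather than ignoring them.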

But even with a handful of solutions available to consumers and businesses, ransomware criminals aren’t giving up just yet.

Last month, in fact, after the developers behind the ransomware TeslaCrypt mysteriously shut down their operation and released a master decryption key to security researchers, the criminals quickly resurfaced. According to the Slovakian cybersecurity firm ESET, groups distributing the virus have already begun to move to another ransomware trojan called CryptProjectXXX.

But researchers such as Malwarebytes’ Kujawa can only do so much to stop the spread of ransomware – especially as low-level hackers can get access to the malicious software on internet forums. For now, consumers must remain alert to the threat by installing software updates, keeping backups, and staying on the lookout for malicious websites and emails.

"People need to get things installed and protected before they get infected," he says. "It still comes down to the user saying 'look, I need to protect myself before this happens.'"
