Patrick Wardle admits he's not an authority on ransomware, but the former National Security Agency computer expert is rarely fazed by even the most cunning computer attacks.
So when he spotted a new variety of the dangerous program designed to encrypt victims' files until they pay ransoms, he set out to build a better tool to thwart the rising technical scourge.
"Hackers are kind of like burglars trying to break into people's houses," says Mr. Wardle, who lives in Hawaii – separated from his employers at the Silicon Valley-based bug bounty firm Synack by more than 2,000 miles of Pacific Ocean. "If you have an alarm system, they're just going to break into your neighbor's house and steal all of their stuff. It's just a numbers game."
While ransomware attacks have been growing over the past several years, making headlines for hitting hospitals, police stations, and universities, many of the technical defenses are designed for large business systems. Until recently, the most that consumers could do was follow basic security practices: back up their files and avoid clicking on suspicious links.
And, according to Wardle, most antivirus software has failed to defend against new strains of ransomware. But it wasn't until they hit the Mac operating system that Wardle – whose research mainly focuses on Apple's computer security – became engaged in the fight. Until March, when attackers hacked the Mac-friendly BitTorrent program Transmission, ransomware attacks mostly took aim at Windows systems.
The variety of ransomware known as KeRanger proved troubling to Wardle because it appeared to be a legitimate Apple application – allowing it to encrypt files without the computer ever flagging it. Even for people who had the digital equivalent of alarm systems – such as sophisticated antivirus programs – KeRanger had a way around them.
"The download was also signed with a developer ID," he said. "The user wasn't to blame at all. That's what spurred me to do something."
Yet when he examined the KeRanger software, Wardle detected a glaring flaw. When it locked up files, KeRanger left behind a data trail. It was just the opening Wardle needed to build his own antiransomware tool.
His free program, known as RansomWhere?, acts as something of a ransomware alert system. It scours log files to provide a desktop warning to Mac users, notifying them when their files are being encrypted by ransomware – and giving them the opportunity to stop it.
So far, RansomWhere? has been downloaded about 20,000 times, but it's hardly foolproof. The program also can't recover files that have already been encrypted.
But as Wardle continues to refine his side project – his day job is director of research for Synack – a growing number of other cybersecurity firms are coming out with programs designed to help consumers outwit malicious hackers armed with ransomware.
“We can’t stop this in a traditional method, so lots of new technologies are being developed to counter the threat,” says Adam Kujawa, head researcher at the antivirus company Malwarebytes. “With ransomware, when you find out you’re infected with it, it’s game over.”
Ransomware is spreading so fast that it now represents 70 percent of malware downloaded from webpages on the internet, says Mr. Kujawa. The company offers free antiransomware software to Windows consumers that aims to stop ransomware from encrypting even a single computer file.
But most antiransomware products are designed for large business systems, such as the cybersecurity firm SentinelOne's updated malware protection system, which includes a feature called "rollback" that restores clean copies of all files infected with ransomware.
Another firm, Vectra Networks, has also developed a ransomware detection scheme that can quickly recognize the malware by a series of malicious behaviors, such as unauthorized file encryption – combined with a so-called "file canary" system: decoy files planted to bait the ransomware into revealing itself.
But even with a handful of solutions available to consumers and businesses, ransomware criminals aren't giving up just yet.
Last month, in fact, after the developers behind the ransomware TeslaCrypt mysteriously shut down their operation and released a master decryption key to security researchers, the groups distributing it quickly resurfaced. According to the Slovakian cybersecurity firm ESET, those groups have already begun to move to another ransomware trojan called CryptProjectXXX.
But researchers such as Malwarebytes' Kujawa can only do so much to stop the spread of ransomware – especially as low-level hackers can obtain the malicious software on internet forums. For now, consumers must remain alert to the threat by installing software updates, keeping backups, and staying on the lookout for malicious websites and emails.
"People need to get things installed and protected before they get infected," he says. "It still comes down to the user saying 'look, I need to protect myself before this happens.'"