Written by James Orme Thu 18 Apr 2019

Cache comparison technique could detect and prevent ransomware in its early stages, PayPal says

Despite the dramatic plunge in the value of cryptocurrencies, crypto ransomware still remains a popular weapon of choice for hackers around the world, as crypto transactions provide a reliable and secure means for attackers to process payments extorted from unfortunate victims.

Crypto ransomware has arguably become synonymous with ransomware itself. The first well-known variant was the CryptoLocker botnet, which rose to fame in 2013, extorting $3 million from victims by the time it was shut down in May 2014.

CryptoLocker became the go-to template for a raft of successors, such as CryptoWall. And then, of course, there were the SamSam ransomware attacks that crippled hospitals, government agencies and institutions in the US and Canada. SamSam’s alleged masterminds raked in $6 million in cryptocurrency from extorted ransom payments.

The practice has clearly irked the establishment’s online payment platform PayPal. The payments giant, perhaps viewing itself as the pious custodian of online transactions, has been awarded a patent that seeks to halt the practice by detecting crypto ransomware at an early stage and mitigating its effects before it manages to imprison a victim’s hard drive.

Cache comparison

The techniques described by PayPal work by detecting the cyber-residue left by ransomware when it reads and modifies the data on a host’s computer. PayPal observes that when ransomware writes the encrypted version of a victim’s content, a copy of that data is stored on multiple caches before being stored on the disk, such as a kernel cache, controller cache, physical device cache, or software application cache.

Herein lies the solution, PayPal says. Simply have some software sitting in the background analysing these caches and comparing copies to see if the files residing there represent encrypted versions of the originals, or the originals themselves.
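To make the comparison idea concrete, here is an added example (not PayPal's code and not anything the patent specifies) that models one write cache as a list of pending writes and checks each pending copy against the on-disk original. The decision rule is an assumption of this example: a write is flagged when the new bytes are near-random (Shannon entropy close to 8 bits per byte) and share almost no byte positions with the original, since an edited document keeps most of its bytes while an encrypted replacement keeps none. All sample data is constructed inline, and the random buffer stands in for ciphertext.

```python
"""Heuristic check of a cached pending write against the on-disk original.

Added example: models the page's idea of comparing the copy of a file that
sits in a write cache with the original, and deciding whether the new
version looks like ciphertext. The entropy and similarity tests, the
thresholds and the burst rule are assumptions of this example, not
anything taken from the patent.
"""
import math
import random
from collections import Counter
from dataclasses import dataclass

# Thresholds are assumptions chosen for this example; tune them on real data.
ENTROPY_ALERT_BITS = 7.0   # bits/byte; random ciphertext of a few KiB sits near 8.0
SIMILARITY_ALERT = 0.05    # fraction of byte positions still equal to the original
BURST_ALERT = 3            # suspicious writes in one window before raising an alarm


@dataclass(frozen=True)
class WriteVerdict:
    path: str
    entropy_before: float
    entropy_after: float
    similarity: float
    suspicious: bool


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant data, ~8.0 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def byte_similarity(a: bytes, b: bytes) -> float:
    """Fraction of positions, over the shorter buffer, where both hold the same byte."""
    n = min(len(a), len(b))
    if n == 0:
        return 0.0
    return sum(x == y for x, y in zip(a, b)) / n


def assess_write(path: str, original: bytes, pending: bytes) -> WriteVerdict:
    """Compare the cached pending write with the on-disk original.

    Flags the write when the new bytes look random AND keep almost nothing of
    the original, which is what an encrypted replacement of a plain file looks like.
    """
    e_before = shannon_entropy(original)
    e_after = shannon_entropy(pending)
    sim = byte_similarity(original, pending)
    suspicious = e_after >= ENTROPY_ALERT_BITS and sim <= SIMILARITY_ALERT
    return WriteVerdict(path, e_before, e_after, sim, suspicious)


def scan_window(writes: list[tuple[str, bytes, bytes]]) -> tuple[list[WriteVerdict], bool]:
    """Assess one window of (path, original, pending) writes; alarm on a burst of hits."""
    verdicts = [assess_write(p, o, n) for p, o, n in writes]
    hits = sum(v.suspicious for v in verdicts)
    return verdicts, hits >= BURST_ALERT


# --- constructed sample data (not captured from any real system) ---------------
_rng = random.Random(2019)  # seeded so the example is reproducible
ORIGINAL_DOC = b"Quarterly report: revenue up 4%, headcount flat, no incidents.\n" * 80
EDITED_DOC = ORIGINAL_DOC.replace(b"revenue up 4%", b"revenue up 6%", 1)  # one-byte edit
CIPHERTEXT_LIKE = bytes(_rng.getrandbits(8) for _ in range(len(ORIGINAL_DOC)))  # stand-in for ciphertext

SAMPLE_WRITES = [
    ("reports/q1.txt", ORIGINAL_DOC, EDITED_DOC),        # ordinary edit: keep
    ("reports/q2.txt", ORIGINAL_DOC, CIPHERTEXT_LIKE),   # looks encrypted
    ("reports/q3.txt", ORIGINAL_DOC, CIPHERTEXT_LIKE),
    ("reports/q4.txt", ORIGINAL_DOC, CIPHERTEXT_LIKE),
]

if __name__ == "__main__":
    verdicts, alarm = scan_window(SAMPLE_WRITES)
    for v in verdicts:
        print(f"{v.path}: entropy {v.entropy_before:.2f} -> {v.entropy_after:.2f}, "
              f"similarity {v.similarity:.3f}, suspicious={v.suspicious}")
    print("ALARM: burst of encrypted-looking writes" if alarm else "no alarm")
```

The burst rule is what gives the "early stage" property: a single flagged write is not enough to act on, but several in one window is the signature of a file walker, and stopping it there bounds the damage to a handful of files. The entropy test on its own is not sufficient for files that are already high-entropy (archives, images, video): a hardened version would compare the original's entropy too and rely more heavily on the similarity and burst signals for those file types.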

It proposes that the software might be executed by a virtual machine, a virtual machine monitor, or an external device. A number of other techniques are outlined:

“Custom driver software can also be used to read the data from user mode/kernel mode caches. VMI can be used to read the user mode/kernel mode caches; specific opcodes in the CPU can be used to read caches; communication to a device controller can be used to read hardware caches; and specific code can be run on a device to read a cache. Also, hardware can be added before a controller and/or a device to read cache and compare it to the data from the operating system level.”

PayPal recommends a sort of Russian-doll architecture of virtual machines (known as virtual machine introspection) to run the process. Therefore, even if the ransomware detects its own… detection, it won’t be able to prevent its own deletion. In a system that is simply running one instance of an operating system on top of bare hardware, the patent notes, ransomware has the potential to take over the entire system. Which would be somewhat counterproductive.

Naturally, the techniques PayPal describes are purely illustrative at this stage, so the surest way to stay protected for the moment is to make sure you have backups and disaster recovery strategies in place.