I got this idea while replying to some other thread on this forum.
avast! has the functionality ALREADY built in, but the avast! team isn’t using it for reasons absolutely unknown to me.
We know ransomware encrypts files like images and music and forces the user to pay to unlock them.
This could easily be solved by a generic, but highly effective method entirely separate from the regular detection signatures.
All we need for this is:
HIPS component (which we already have)
Extensive whitelist (which we already have in Hardened Mode (Aggressive))
Exclusions menu (to give advanced users some control)
HIPS would track which app tries to open another file for write access and allow or prevent it depending on that app’s status on the whitelist.
If a program not recognized by the whitelist tries to get write access to a .jpg file anywhere on the system disk, it should be blocked and a popup presented to the user.
If the program is verified by the whitelist, it is allowed to modify the .jpg file silently, meaning nothing would really change for the users.
This way the only signatures that need to be processed and updated are the usual whitelist that avast! already has and maintains and the blacklist of extensions to be protected, which could easily be updated via VPS at any time.
The avast! team literally just has to chain existing features together to get this functionality and add an extra exclusion tab next to the existing ones for File System, Hardened Mode and CyberCapture. We could have had anti-ransomware protection months if not a year ago and yet for some reason we don’t. Why not?
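To make the proposed mechanism concrete, here is a toy policy engine for the whitelist-gated write control sketched in the post above. This is an added example, not avast!’s code or anything the avast! team has published; the class and function names, the hashes, the file paths and the events are all constructed for illustration.

```python
# Added example (not avast!'s code): a toy policy engine for the HIPS-gated write
# control sketched in the post above. Names, hashes and paths below are assumptions
# constructed for illustration.
import fnmatch
from dataclasses import dataclass
from enum import Enum
from pathlib import PureWindowsPath


class Verdict(Enum):
    ALLOW_SILENT = "allow silently"            # whitelisted/excluded app: user sees nothing
    BLOCK_AND_PROMPT = "block and show popup"  # unknown app touching protected data
    NOT_APPLICABLE = "not a protected write"   # read access, or extension not on the list


@dataclass(frozen=True)
class FileAccessEvent:
    """One file-open event as a HIPS driver might report it (constructed sample data)."""
    process_path: str    # image path of the process requesting access
    process_sha256: str  # hash of that image, the key the whitelist is looked up by
    target_path: str     # file being opened
    write: bool          # True for write/modify access, False for read-only


@dataclass
class RansomwarePolicy:
    trusted_hashes: set          # stand-in for the Hardened Mode (Aggressive) whitelist
    protected_extensions: set    # the "blacklist of extensions to be protected", e.g. {".jpg"}
    user_exclusions: tuple = ()  # glob patterns on process path from the exclusions tab

    def decide(self, ev: FileAccessEvent) -> Verdict:
        # Only write access to a protected extension is gated; everything else is untouched,
        # which is what keeps this far quieter than a full Hardened Mode.
        if not ev.write:
            return Verdict.NOT_APPLICABLE
        ext = PureWindowsPath(ev.target_path).suffix.lower()
        if ext not in self.protected_extensions:
            return Verdict.NOT_APPLICABLE
        if ev.process_sha256.lower() in self.trusted_hashes:
            return Verdict.ALLOW_SILENT
        # User exclusions are matched case-insensitively on the process path.
        if any(fnmatch.fnmatchcase(ev.process_path.lower(), pat.lower())
               for pat in self.user_exclusions):
            return Verdict.ALLOW_SILENT
        return Verdict.BLOCK_AND_PROMPT


def evaluate(policy: RansomwarePolicy, events) -> list:
    """Run every event through the policy; returns (process, target, verdict) tuples."""
    return [(ev.process_path, ev.target_path, policy.decide(ev)) for ev in events]


# Constructed sample whitelist, extension list and events (all hypothetical values).
SAMPLE_POLICY = RansomwarePolicy(
    trusted_hashes={"1111aaaa", "2222bbbb"},  # hypothetical hashes of trusted programs
    protected_extensions={".jpg", ".png", ".mp3", ".docx"},
    user_exclusions=(r"c:\tools\myeditor\*",),
)

SAMPLE_EVENTS = [
    # trusted explorer.exe writing a photo: allowed silently
    FileAccessEvent(r"C:\Windows\explorer.exe", "1111aaaa", r"C:\Users\me\Pictures\cat.jpg", True),
    # unknown binary from Temp wants write access to the same photo: blocked, popup
    FileAccessEvent(r"C:\Users\me\AppData\Local\Temp\invoice.exe", "deadbeef", r"C:\Users\me\Pictures\cat.jpg", True),
    # same unknown binary only reading the photo: not gated by this control
    FileAccessEvent(r"C:\Users\me\AppData\Local\Temp\invoice.exe", "deadbeef", r"C:\Users\me\Pictures\cat.jpg", False),
    # unknown hash, but the user excluded this editor's folder: allowed silently
    FileAccessEvent(r"C:\Tools\MyEditor\edit.exe", "f00dcafe", r"C:\Users\me\Music\song.mp3", True),
    # unknown binary writing an extension that is not on the protected list: not gated
    FileAccessEvent(r"C:\Users\me\AppData\Local\Temp\invoice.exe", "deadbeef", r"C:\Users\me\notes.txt", True),
]


def demo() -> list:
    """Returns the verdict for each sample event, in order."""
    return [verdict for _, _, verdict in evaluate(SAMPLE_POLICY, SAMPLE_EVENTS)]


if __name__ == "__main__":
    for proc, target, verdict in evaluate(SAMPLE_POLICY, SAMPLE_EVENTS):
        print(f"{verdict.value:22} {proc} -> {target}")
```

Two properties of the design fall out of the example: the decision is keyed purely on the identity of the writing process, so anything the whitelist or the exclusions trust can modify protected files without a prompt, and the last sample event shows that the control only covers what is on the protected-extension list, which is why that list has to be maintained alongside the whitelist.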
In one of the articles I read that when Avast and AVG are finally ONE company, Avast will provide protection from ransomware and other features and functions. My best guess is that at the end of this year/early next year Avast and AVG will have a new brand name (not confirmed yet) and they will start having those features.
Fully agree RejZoR.
Other anti-ransomware tools rely on blocking executables being launched from certain folders; some of them have absolutely no configuration.
There are tons of articles in the Avast Blog covering ransomware blocked by Avast but, indeed, a special protection could make me drop the free CryptoPrevent.
It could be that other Avast users (at least the advanced ones) will have a dedicated protection against ransomware.
Thanks for raising this point.
avast! isn’t striving for that as much as we’d hope for. If ransomware is on the rise now, make sure you add an effective method to prevent it asap. Even if it’s not 100%, dramatically decreasing those chances is a very desirable thing. What good is adding this 1-2 years into the ransomware frenzy? It’s pointless and you let down all the users in the meanwhile. The thing is, most other companies that matter have this covered in one way or another. Not avast! for some reason. And it has been like this for quite a while. I have no idea why.
I mean, anyone remembers how certain companies brute forced malware stored in encrypted ZIP archives as e-mail attachments? Or how they went as far to make AV capable of OCR reading the passwords from attached images to unlock those archives? That’s dedication I have yet to see from avast!.
I’m just surprised they skipped this capability even though 90% of it is already there, it’s just not forming a complete, connected functionality. With all the engineers at avast! and no one even came up with this idea, I don’t know…
The few that did detect anything have a wide variety of detection names. Trend with Ransom_HDDCRYPTOR.F detection is very close, AVG with FileCryptor.NAI is close. The rest are very generic and appear very wide of the mark (for ransomware).
TrendMicro is always quick with new ransomware; they seem to put a high priority on it, I guess because they have lots of business customers.
They also have one of the best info blogs about ransomware
Anyway, this is the message that popped up on the screen to the one that found the sample above and found out the hard way
“You are Hacked ! H.D.D Encrypted, Contact Us For Decryption Key (w889901665@yandex.com) YOURID: 123152”
For me, ransomware and other serious malware/infections really do need the user to have a robust backup and recovery strategy. Relying 100% on your AV and or other malware tools could well come unstuck in the early days of a new variant.
The only real way is hard disk imaging software run at least once a week (and keeping at least 3 generations of the drive image; I keep 6), one that can be restored outside of Windows, essentially wiping out the malware infection should you ever get hit.
Why? What’s the purpose of avast! then? And backups are slow, clumsy and they’ll refuse to work just when you need them the most. And you can’t have a backup of the backup of the backup just to be sure. It’s stupid. My approach would block basically 100% of malware. I’ve seen how reliable the Hardened Mode whitelist is. With that, even if ransomware blocks access to the desktop, you could be assured the data is intact. Meaning I can still stick the drive into a USB case and pull the data in unencrypted form from it. Or just stick it in another PC and do the same. That would be the worst case scenario. Compare that to the cost of having an extra drive for backup and spending day after day backing up stupid crap. No thanks. Home users shouldn’t be relying on enterprise measures to protect their data. AVs are capable enough to do that, some just don’t do it for reasons unknown.
@ RejZoR,
When you deal with enough novice computer users, you’ll find out they can handle a simple backup routine.
They can’t correctly handle dealing with blocks if they use hardened mode.
@ RejZoR,
You only have to browse the viruses and worms forum to see 100% detection isn’t there. As most say 100% is a target that is hard to achieve and maintain.
I don’t spend day after day “backing up stupid crap” I run a full disk image backup once a week, which doesn’t take that long and I’m not sitting waiting on it to complete. There are drive imaging applications that also do incremental backups, my backup software only does full backups, so for me it isn’t much of a hassle.
Look at a company like Emsisoft: it is very small compared to avast, but it effectively blocks RANSOMWARE!!! I know backups are important, but ransomware protection is long overdue. Nowadays ransomware is a headache for AV companies and avast is truly a bit late on that list.
You don’t understand the priorities here. Yes, I do believe that by employing this whitelist system avast! could have 100% protection against ransomware, because I’ve seen how strong Hardened Mode (Aggressive) is. If it only targeted modification of the media files that ransomware usually targets, you make it 99% less annoying to the user compared to any Hardened Mode we have now. And ransomware, unlike other malware, needs 120% attention from the company. No one cares if some regular malware infects the system. If it doesn’t steal user data like passwords, it’s just an annoyance that needs to be removed at some point. Ransomware doesn’t give you that luxury, as it’s irreparable in most cases due to strong encryption. So, prevention is crucial. And we have none. We can only rely on traditional detection methods, which we know aren’t 100%, like you’ve said. A whitelist system would be, unless ransomware specifically targeted avast!’s protection method and found a way around it. In which case avast! could simply adapt it to protect against that. But now we have neither of those.
It would be nice if anyone from the avast! team dropped by and commented on this, either whether they have any plans to implement this or whether they are already working on something similar, just so we know where we are at.