As ransomware attacks surge, researchers are devising ways to thwart intruders and protect industries, schools, and governments.
By Thomas K. Grose
Last summer, the University of Utah spent $457,000 in response to a spreading scourge. The money wasn’t for face masks, sanitizing classrooms, or other COVID-19 countermeasures. It was ransom, paid to hackers who had encrypted files, rendered the College of Social and Behavioral Science’s servers “temporarily inaccessible,” and stolen employee and student data.
Utah’s campus intrusion is no isolated case. Already at plague levels, ransomware attacks have become epidemic, striking enterprises as diverse as meat producers, hospitals, and elementary schools. The damage can extend far beyond locked computer systems or sums demanded to keep personal information such as Social Security numbers private (usually in Bitcoin or another hard-to-trace cryptocurrency). Vital supply chains from fuel and food to emergency ambulance service are vulnerable, too. For example, the disruption precipitated by the ransomware attack that temporarily shut down Colonial Pipeline this past May spawned a massive gasoline shortage in which pumps in the eastern United States ran dry and prices soared.
As the world becomes increasingly automated and interconnected, the risks increase—as do the rewards for cybercriminals. The University of California, San Francisco, shelled out $1.14 million in bitcoin last year to hackers who threatened to publish information stolen from its medical school. The Biden administration considers ransomware a top national security threat—so much so that the Justice Department recently put investigating attacks on par with terrorism. Congress also has made ransomware an urgent priority, advancing bipartisan legislation to fortify K–12 schools and include cybersecurity investments in the $1 trillion infrastructure bill.
Engineering and computer science researchers will play a major role in devising technological countermeasures that can protect businesses, schools, and government agencies from being held hostage by hackers. The goal: make attacks so difficult and costly that cybercriminals will decide they’re not worth the effort.
Scope Creep
According to a 2020 FBI report, 2,474 ransomware attacks last year resulted in losses of more than $29.1 million. Experts say the true numbers are likely far higher, because victims aren’t required to report incidents and many businesses quietly pay up to avoid public embarrassment or alarming their customers.
Ransomware hits on colleges and universities doubled from 2019 to 2020, reports technology news site ZDNet, with average payments of about $450,000. Inside Higher Ed has noted attacks in just the past two years at institutions ranging from small private institutions like Regis University in Denver to community colleges such as Sierra College in northern California and large public research institutions like Michigan State University. Focused on remote learning during the pandemic, schools may lack the resources to lock down networks, ZDNet explains, and faculty and students’ reliance on the IT infrastructure makes institutions more willing to pay.
Although the basic technology enabling hackers has existed since the 1980s, the ransomware boom is a fairly recent phenomenon. Many experts tie it to the growth of cryptocurrencies since Bitcoin’s debut 11 years ago. The blockchain system provides an anonymous ledger, making virtual currencies a popular form of exchange among criminals. “Cryptocurrencies are very, very responsible for ransomware attacks,” contends Danny Huang, a New York University assistant professor of electrical and computing engineering, who has researched how to track Bitcoin transactions. Massimiliano Albanese, an associate professor of information sciences and technology at George Mason University, agrees. “The key for a ransom to be successful is that the money you’re paying … should not be tracked,” he says, “and the widespread adoption of cryptocurrencies has played to the advantage of criminals.”
Cybersecurity expert Mitch Thornton, a professor of electrical and computer engineering at Southern Methodist University, offers another, complementary driver: “It’s become easier to do,” he says, crediting ransomware-as-a-service sites. People who design and build the malware sell the building blocks to other bad actors on the dark web—the hidden, unindexed webpages that require special software to access—and earn a portion of the proceeds.
There also are many more juicy targets these days, says Elias Bou-Harb, an associate professor of information systems and cybersecurity at the University of Texas, San Antonio. All critical infrastructure, from sensor-studded bridges to office building HVAC systems and elevators, is now embedded with information technologies, making it susceptible to malware. Finally, Thornton says, criminals are “learning to pick good targets.” Some sectors, which he declines to name, are easier to hit than other more secure ones.
The major challenge, however, is that ransomware is extremely difficult to detect. Trying to guard against malware by plugging holes and patching bugs, one by one, is a losing battle. Because bugs are ubiquitous and adversaries are constantly looking for ways in, “once you are online, you have no way to fully protect yourself,” explains Eric Osterweil, an assistant professor of computer science at George Mason. His colleague Albanese agrees. “You need to protect every possible entry point in your system, but attackers have the advantage, because they only need to find one vulnerable point,” he notes. “You don’t know where the attack will come from, so you need to protect everywhere. The cybersecurity landscape is not symmetric.” Moreover, antivirus software works by spotting malware signatures used and documented in the past. A novel probe, called “zero day” malware, will go unrecognized. Says Thornton: “If it’s not catalogued, you can’t detect it.”
Finding Fingerprints
To resolve that issue, Thornton and his team have been working on a new detection system. Their hypothesis: Data from the sensors packed into modern computers—like those that manage power consumption and monitor internal temperatures and voltage—could help them track down malware, particularly ransomware.
Once executed, malware starts a process that creates unique patterns, “almost like a fingerprint,” Thornton explains. His team’s system trawls through the raw data to “piece together little bits of information” from each sensor that it was designed to look for. The information is then analyzed autonomously by a machine-learning algorithm, which can spot data patterns that would elude humans.
If ransomware is discovered, the technology acts swiftly—usually within 10 seconds—to secure all data files. Some data will be encrypted and lost because, as Thornton says, “you can’t stop [the process] until it starts. But the amount is minute, less than 10 percent.”
Experiments confirmed that the system is effective 95 percent of the time. But could the bad guys eventually find a way to cover their tracks, some sort of workaround? Thornton pauses before answering. “Cybersecurity is a kind of cat-and-mouse game. I would never say we’ve solved the problem. But it’s pretty effective right now.” Accordingly, he adds, “we are getting quite a lot of interest” from industry, and the team’s plan to commercialize the technology is in its initial stages.
Like Bees to Honeypots
At UT San Antonio, Bou-Harb and his team are exploring other ways to harden computer systems against attack. In June, they received a $500,000, three-year National Science Foundation grant to develop data-driven methods to make cyberinfrastructure more resistant to ransomware. Bou-Harb is working with two unnamed North American communications-industry partners that “operate what we call a honeypot system”—essentially fake targets in sectors ranging from education to finance to manufacturing. When they lure attackers, the researchers “collect their binaries,” or executable files containing the zeros and ones that comprise the primary language of computer coding. They expect to collect 2 million samples per month—some seen before, some new, and some evolving versions of older codes. They then plan to analyze and place these codes into different categories. For instance, are they government actors? What sectors do they tend to target?
By applying a machine-learning algorithm to the binary codes, the researchers hope to track the samples’ lineage and evolution in an effort to better understand ransomware’s dynamic characteristics and how it propagates through communications networks. Bou-Harb’s team will use its understanding of those characteristics to conduct behavior analyses “so we can spot these binaries as they traverse these networks and try to mitigate them before they land on target.”
The researchers assume some malware will find a way to fool the system and hit its targets. So the team has already developed and patented a technology that prevents the ransomware from executing on the system. “We call this proactive mitigation—it’s not detection—because with ransomware, detection might sometimes be too late.” This approach, he adds, “basically prevents the samples, regardless of whether they are new or old, from introducing an encryption on files.” This component doesn’t work using typical signatures but rather works on artifacts of the behavior of ransomware as it targets the system.
Change Orders
Another approach that avoids chasing down bugs came from the team led by Todd Austin and Valeria Bertacco, both professors of electrical engineering and computer science at the University of Michigan. They developed the Morpheus chip, a new type of processor that recently proved itself to be unhackable in a DARPA competition.
The technology focuses on what they call “undefined semantics,” or the microarchitecture of a chip that enables the execution of instructions it receives and determines the processes’ speed. Morpheus’s party trick, Austin says, is that “as the name suggests, [the microarchitecture codes] are morphing; they are changing all the time. It’s called a moving-target defense.” By randomly changing the codes, the professors’ solution creates a puzzle that attackers have to figure out before they can reverse-engineer those codes to look for vulnerabilities. To ensure data hostage-takers won’t succeed, the changes occur every few hundred milliseconds.
Austin uses a Rubik’s Cube analogy to describe the method: “You analyze the cube and try to move the pieces in the right direction, but every time you blink, I pull it out of your hands and I rearrange it. You could solve it, but it would be really hard and take a long time to do.” And, no, the constantly morphing microarchitecture won’t also stump programmers and users. It’s not a part of a chip they interact with. “Sometimes you don’t even know if you have the undefined semantics,” Bertacco says, “but hackers go directly to that space, probing it for vulnerabilities.”
The chip stops a class of low-level security attacks called system-level attacks, which comprise the majority of malware incidents and roughly a third of ransomware attacks. “We stop the kind of attacks where basically they’re going to push their tech into your tech without your knowledge,” Austin explains. He and Bertacco got the idea for a morphing chip from studying the human immune system in hopes of applying its attributes—huge amounts of uncertainty, randomization, and moving targets—to computer security.
Morpheus gained media celebrity when it stumped 530 security experts in 2020 during DARPA’s three-month hacking competition, which offered a $50,000 bounty for successful breaches of the technology. All competitors failed to hack into a fake medical database run on Morpheus.
Austin and Bertacco have now spun off a company, Agita Labs, to commercialize the technology. And while Morpheus is a new type of chip, its methods can also be inexpensively deployed in the cloud so it can run on existing chips, Austin says.
At George Mason, Massimiliano Albanese’s lab is also researching moving-target defenses, particularly in an area called IP optics. “In cyberdefense, systems are kept static, never changing,” Albanese explains, “so it’s only a matter of time before attackers know enough to breach them.” With his lab’s strategy, the machine’s IP address keeps changing, so by the time an attacker strikes, the address is no longer valid. “The idea is to make life for the attacker much more complicated,” Albanese says. Nevertheless, he admits, “any moving-target defense comes with a cost. It’s a trade-off between security and functionality.” Moving defenses must also come with a protocol or some other mechanism to securely communicate the changes to legitimate users.
A ‘Mosaic of Solutions’
If a ransomware attack is successful, do victims have options beyond paying to free their snatched files? Security experts underscore that the best defense is to regularly and robustly back up files so that the data can be recovered. The trouble is, as GMU’s Osterweil points out, “having a plan to recover data and having it work are two different things. A plan is only as good as its execution.”
In addition, many organizations don’t regularly back up their files, or they fail to do it properly. A secure backup should not be online, but many are. In many cases, Thornton says, the backup systems are even less secure than the main systems. Not surprisingly, criminals are increasingly targeting backup systems, looking for ways to compromise or terminate them.
When files can’t be salvaged from backups, reverse-engineered keys offer another slim chance of decrypting them. Sites exist that warehouse strains of ransomware that have been reverse-engineered, and in some cases victims can download from these sites the decryption keys needed to unlock their files. But first they need to know what type of infection has snarled them, Bou-Harb says. “There are techniques that are very simple to reverse engineer; it depends on the encryption methodology.” But, Osterweil emphasizes, suppose a company tells an attacker it won’t pay a ransom because it can decrypt the files itself using a reverse-engineered key but then fails because the attacker has made one change to it. The result, he reckons, will “be one pissed-off attacker,” who will likely destroy the data.
Jian Huang, an assistant professor of electrical and computer engineering at the University of Illinois at Urbana-Champaign, and his team may soon offer a better solution. Most computers today use flash-based storage. Huang notes that every time a flash drive overwrites data, the previous version remains in place. “We leverage this to get data back. Even though the operating system is compromised, we can still recover the data.”
Huang says his system, called RAfFLE (ransomware-aware flash-based storage), can recover 100 percent of encrypted data and ensure all recovered data was created by the user, not the attacker. He has filed a patent and wants to commercialize RAfFLE, noting that a Silicon Valley venture capitalist “tells me it’s very promising.”
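The out-of-place write behavior Huang describes, shown as an added example that is not RAfFLE’s code: a toy flash translation layer (an assumption, not the real design) in which every overwrite lands on a fresh physical page and the superseded page is retained, so the last version written before a detected overwrite burst can be handed back even though the operating system only sees the newest mapping. The cutoff sequence number is assumed to come from the storage layer’s own ransomware detection.

```python
from dataclasses import dataclass, field


@dataclass
class FlashStore:
    """Toy flash translation layer (assumption): writes are never in place and
    superseded pages are kept because garbage collection never runs here."""
    pages: list = field(default_factory=list)   # (lba, seq, data), append-only
    l2p: dict = field(default_factory=dict)     # logical block -> index into pages
    seq: int = 0                                # monotonically increasing write counter

    def write(self, lba: int, data: bytes) -> int:
        self.seq += 1
        self.pages.append((lba, self.seq, bytes(data)))
        self.l2p[lba] = len(self.pages) - 1     # only the mapping moves; old page stays
        return self.seq

    def read(self, lba: int) -> bytes:
        # What the (possibly compromised) operating system sees: newest mapping only.
        return self.pages[self.l2p[lba]][2]

    def versions(self, lba: int) -> list:
        # Every retained version of the block, oldest first.
        return [(s, d) for (l, s, d) in self.pages if l == lba]

    def recover_before(self, lba: int, cutoff_seq: int):
        # Newest version written before cutoff_seq (assumed to be the sequence
        # number at which the storage layer flagged the overwrite burst), or None.
        older = [d for (s, d) in self.versions(lba) if s < cutoff_seq]
        return older[-1] if older else None


def ransomware_scenario() -> dict:
    """Constructed scenario: legitimate user edits, then a burst of overwrites."""
    ssd = FlashStore()
    ssd.write(0, b"student,grade\nalice,A\n")
    ssd.write(1, b"Thesis draft, chapter 1")
    ssd.write(0, b"student,grade\nalice,A\nbob,B\n")   # legitimate edit of block 0
    attack_start = ssd.seq + 1                          # first seq of the malicious burst
    # Stand-in for ciphertext (constructed bytes, not real encryption).
    fake_ciphertext = bytes((i * 37 + 11) % 256 for i in range(24))
    for lba in (0, 1):
        ssd.write(lba, fake_ciphertext)
    visible = {lba: ssd.read(lba) for lba in (0, 1)}
    recovered = {lba: ssd.recover_before(lba, attack_start) for lba in (0, 1)}
    return {"visible": visible, "recovered": recovered, "attack_start": attack_start}
```

Because the cutoff excludes everything written at or after the burst, the recovered pages are by construction the user’s own versions, which is the guarantee Huang describes; a real device would eventually garbage-collect old pages, so the retention window is finite.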
As the fight against ransomware revs up, many experts predict that criminals will soon move on from attacking data to services, targeting the Internet of Things (IoT) and devices that rely on it. Use of the IoT is already accelerating, Osterweil says, and 5G cellular technology will speed it up even more. His lab is working on developing a high-speed, zero-trust framework called SPaTE, or security, privacy, and trust enrollment. It would enable devices to automatically use crypto-identification and authorization to ensure that each device, such as an internet-enabled thermostat, can securely verify the legitimacy of any other device that wants to communicate with it. “It won’t solve the problem,” he says, “but if you make it harder for devices to try to impersonate someone else, there will be much less harm.” And SMU’s Thornton says that while his sensor-fingerprint technology hasn’t yet been tested on IoT devices, he believes that “there’s a good chance it can detect those attacks, too.”
Simultaneously, the U.S. government is ramping up its work on the issue. For example, the Biden administration has created an international coalition to hold countries harboring cybercriminals accountable, according to a June Washington Post article. To stem the undercurrent of anonymous ransom, the White House wants to ensure that offshore cryptocurrency exchanges report suspicious activity and perpetrators’ identities.
Engineering researchers are confident that the technologies they and others are working on should sharply reduce the number of ransomware attacks, even if they don’t completely stop them. All of these approaches and more will be needed to reach that end. As Osterweil puts it, “We need a mosaic of solutions … to make a difference.” In the meantime, make sure you back up your files.
Thomas K. Grose, Prism’s chief correspondent, is based in Great Britain.
Design by Francis Igot