Can machine learning prevent another WannaCry?
Mumbai: WannaCry, the malware that held over 200,000 individuals across 10,000 organizations in nearly 100 countries to ransom—demanding that they either cough up money or lose their data—may be on the wane but this is no time to be complacent.
While hackers are bound to be a step ahead of security experts and companies in most cases, the answer lies in seeking the help of newer technologies like machine learning that can automate the function of malware detection.
What does WannaCry do?
Also going by names such as WannaCrypt, WCrypt, WCRY, WannaDecrypt0r or WanaCrypt0r 2.0, ransomware WannaCry is designed to prevent access to a system until a sum of money is paid, usually in bitcoins. The malware is programmed to spread via SMB (Server Message Block), a protocol specific to Windows machines to communicate with file systems over a network.
WannaCry takes advantage of the machines that support this protocol but have not received the critical MS-17-010 security patch from Microsoft that was issued on 14 March.
Once the initial worm module is introduced to a system, according to Paladion Networks, it scans hosts on the local area network or LAN, while simultaneously scanning the Internet by generating random internet protocol (IP) addresses. “If connection to port 445 ( traditional Microsoft networking port) on that random IP address succeeds, the entire range is scanned, and if port 445 is found open, exploit attempts are made,” explained Sunil Gupta, president and chief operating officer of Paladion Networks.
While Microsoft released updates for the unsupported Windows XP and Windows Server 2003 and patches for the Windows 8 operating systems to combat the attack, no incidents of Microsoft Windows 10 being affected have been reported till now.
Russia and India were hit, largely because many users, companies and government departments still use the unsupported Microsoft’s Windows XP. “It indeed is the biggest ransomware outbreak in history in terms of infections. But as of Saturday morning, the day after the outbreak, it had only made a measly $25,000, according to our researchers,” said Amit Nath, head of Asia Pacific-corporate business at F-Secure Corp.
Nature of the ransomware beast
As the name suggests, it is a type of malware that prevents or limits users from accessing their system, either by locking the system’s screen or by locking the users’ files unless a ransom is paid.
According to security experts from Trend Micro Inc., ransomware can be downloaded on to systems when unwitting users visit malicious or compromised websites. Some ransomware are known to be delivered as attachments from spammed email, downloaded from malicious pages through mal-advertisements, or dropped by exploit kits on vulnerable systems. Once executed in the system, ransomware can either lock the computer screen, or, in the case of crypto-ransomware, encrypt predetermined files.
Trend Micro points out that cases of ransomware infection were first seen in Russia between 2005 and 2006. The infections were initially limited to Russia, but spread across Europe and North America in early 2012.
Reveton, for instance, is a ransomware type that impersonates law enforcement agencies and is known as Police Ransomware or Police Trojans. In late 2013, a new type of ransomware emerged that encrypted files, aside from locking the system. The encrypted files ensured that victims are forced to pay the ransom even if the malware itself was deleted. Due to its new behaviour, it was dubbed “CryptoLocker”.
Ransomware, notes Trend Micro, began to incorporate cryptocurrencies (for example, bitcoin) too sometime in 2014. With the exception of some ransomware families that demand high amounts, ransomware variants typically ask for 0.5-5 bitcoins (as of 2016) in exchange for a decrypt key. Bitcoins allow the cybercriminals to receive extorted payments without authorities being able to identify them.
The problem is that even if users pay the ransom, there is no guarantee that the ransomware authors will decrypt the files with the private key.
Cybersecurity Ventures predicts global annual cybercrime costs will grow from $3 trillion in 2015 to $6 trillion by 2021, which includes damage and destruction of data, stolen money, lost productivity, theft of intellectual property, theft of personal and financial data, embezzlement, fraud, post-attack disruption to the normal course of business, forensic investigation, restoration and deletion of hacked data and systems, and reputational harm.
The problem will only get compounded when billions of devices get connected in the next few years—the phenomenon known as the Internet of Things (IoT).
Can machine learning come to the rescue?
The simplest method to detect malware, security experts will tell you, is by using the “Hashing” method which checks the existence of a hash (#) sign in a database. Of course, this is a very tedious exercise. The other method involves the use of signatures where security experts looks for specific strings in the file. But this, too, can easily be bypassed by malware authors. Behaviour-based malware detection examines what the program does when executed.
The question, then, is whether we can automate this process of malware detection with machine learning?
Machine learning, which enables systems to learn from data sets without having to be programmed specifically, would be the next best weapon in this cyber war, Trend Micro security experts believe. It can take advantage of existing data to determine patterns and use those patterns to adjust its own actions. It could, thus, provide the key to detecting ransomware attacks before they become too widespread, providing the opportunity for an organisation to react ahead of malicious file encryption.
Trend Micro cautions, though, that ransomware such as Cerber has the ability to avoid detection by machine learning security solutions. Cerber, security experts note, is able to identify the type of environment it is running in, and then check for certain analytics and antivirus products, including Task Manager and Wireshark, as well as security solutions from AVG, Kaspersky, Norton and Trend Micro.
Trend Micro threat analyst Gilbert Sison wrote on 26 April that “the new packaging and loading mechanism employed by Cerber can cause problems for static machine learning approaches—i.e, methods that analyze a file without any execution or emulation”.
He recommends a “layered” anti-malware approach to “better” identify suspicious file packages and provide a strong safeguard against the type of malicious activity ransomware is known for. Sison concluded, “Solutions that rely on a variety of techniques, and are not overly reliant on machine learning, can still protect customers against these threats.”