Security Notes: How to Defeat Ransomware

Stolen data presents a burden to the thief. He needs to bring it to market, find a buyer, and compete with other hackers. Ransomware gains, by contrast, are paid in a lump sum by the victim, the money is Bitcoin-protected, and any other data crime can be executed on top of the exploit.

It’s a no-brainer, though these attackers are quite a brainy bunch. More victims pay every year, which is expected. The attackers can adjust their demand to a sum so low that, economically, it would be cheaper to pay the ransom than bother with a costly, tedious recovery.

The countermeasures are deterrence, defense, and recovery. Deterrence may be based on a “shame-ledger” for ransom-collecting Bitcoin accounts, and smartly tailored laws. Defense is largely based on behavior and data patterns. The former is a cat-and-mouse game: the attackers cleverly hide their actions as a bona fide computational task, while the defenders seek to flush them out. Too often, the attackers out-imagine the defenders.

Data patterns are largely based on the “known signatures” of attack viruses. All the attackers need to do is to write new viruses. A more sophisticated method being developed by BitMint is to hunt high-entropy bit strings. Unencrypted data, especially text, and payment forms are highly sub-randomized, while malware is highly-randomized. By constantly scanning data through an entropy-meter device, one will focus on a small fraction of the stored data, which has a greater likelihood to be malware. Flagged data strings can then be individually analyzed.

Recovery is either “low tech” or “high-tech.” A clean backup is the natural means of simple recovery. Alas, attackers now embed dormant ransomware viruses that sneak into the backup and are activated when reloaded. You better have an older, and clean, backup.

High-tech recovery is based on Skeleton technology (U.S. Patent  10,523,642). The network is anchored on a “core skeleton” that is immunized to malware. When compromised, the network is disinfected and restarted from the protected core. The Skeleton subnetwork is constructed from nodes that have only one port of data entry, and all the data that flows through this port is hardwired-decrypted. This means that the only meaningful information flowing into a core node is information that was match-encrypted in a similar core node.

Decryption is so disruptive that no malware can survive its onslaught. The secret recovery key shared among the nodes of the core cannot be extracted from the ciphertext traversing between these nodes because the nodes use Trans-Vernam ciphers, which don’t commit to the plaintext that generated them—and are, hence, secure against the coming quantum computer attacks.

A hacker then will have to steal the crypto key from the secure enclosure where it is housed. Tamper-resistant technology will hinder this effort. (U.S. Patent 9,471,906). Moreover, the key reservoir used by the core nodes may be written off the digital grid. Via a nanotechnology-constructed “rock,” data is being captured through the chemical bonds of the chip, not as a hackable bit string (U.S. Patent 10,467,522).

The catastrophic breach of the federal cyber systems, attributed to Russia, exposes a fundamental strategic weakness in recovery technology. It is hard for security professionals to admit they might have to resort to it. People who exercise daily and live a healthy life should still make sure there is a good hospital nearby.

Defense is a battle of wits. Defenders cannot reasonably hope to win every round. Given that ransomware is so attractive to its practitioners, they will keep trying. By contrast, an effective recovery will dry out this revenue stream and de-motivate the attackers.

—Gideon Samid, gideon@bitmint.com