Cybersecurity firms have released “vaccines” in recent days to protect against the widely used STOP ransomware strain and the new Apache Log4Shell vulnerability.
Germany-based G Data CyberDefense released software designed to trick the STOP ransomware variant into believing that a targeted system has already been compromised, thereby keeping it from encrypting files after the device has been infected.
The vaccine works in a fashion similar to the flu vaccine, which uses a small amount of the virus to trigger the creation of antibodies that can help defend against the effects of the virus if a person is infected.
Various cybersecurity firms over the past several years have created vaccines that have targeted particular variants of ransomware or other malware and defend against them in much the same manner as the latest vaccines. They also come with the same limitations.
Use ‘Harmless’ Parts of Malware
The computer vaccine works by placing harmless parts of the malware into the system, according to G Data malware analysts Karsten Hahn and John Parol. The vaccine doesn’t prevent the ransomware – also known as STOP/DJVU – from infecting the system but stops it from encrypting the files and data, they wrote in a note on GitHub.
“STOP ransomware may still place ransom notes and may change settings on the systems,” they wrote. “But STOP ransomware will not encrypt files anymore if the system has the vaccine.”
Rather than a personal ID, ransom notes will contain a string that says that files were protected by the vaccine. In addition, files 5 bytes or smaller will still be renamed by the ransomware but will remain otherwise unchanged.
“This is because the ransomware starts encryption at the 6th byte,” the malware analysts wrote. “So I guess STOP thinks those files were successfully encrypted and hence renames them.”
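A post-infection triage helper built on the two details above, as an added example (not code from G Data or the article): a file carrying the ransom extension but holding 5 bytes or fewer was only renamed, because encryption starts at the 6th byte, so it can be recovered by stripping the extension, while anything larger with that extension was actually encrypted. The `.djvu` extension comes from the article; the sample listing is constructed.

```python
from pathlib import Path

# STOP/DJVU begins encrypting at the 6th byte, so a file of 5 bytes or fewer
# is renamed but its contents are left intact. With the vaccine applied, those
# tiny files are the only ones the ransomware renames at all.
ENCRYPTION_START = 5          # bytes at the start of a file that are never touched
RANSOM_EXT = ".djvu"          # extension named in the article; real samples vary

def classify(name: str, size: int) -> str:
    """Say what the ransomware could have done to one file, given its name and size."""
    if not name.lower().endswith(RANSOM_EXT):
        return "untouched"
    if size <= ENCRYPTION_START:
        return "renamed-only"        # contents intact: restore by stripping the extension
    return "encrypted"               # too large to have escaped encryption

def restore_name(name: str) -> str:
    """Original file name for a renamed-only file."""
    return name[:-len(RANSOM_EXT)]

def triage(entries):
    """entries: iterable of (name, size) pairs. Returns {category: [names]}."""
    out = {"untouched": [], "renamed-only": [], "encrypted": []}
    for name, size in entries:
        out[classify(name, size)].append(name)
    return out

def triage_dir(root: str):
    """Walk a directory tree and triage every regular file in it."""
    entries = ((p.name, p.stat().st_size)
               for p in Path(root).rglob("*") if p.is_file())
    return triage(entries)

if __name__ == "__main__":
    # Constructed sample listing, not data from a real infection.
    sample = [("notes.txt.djvu", 3), ("report.pdf.djvu", 48211),
              ("flag.txt.djvu", 5), ("README.md", 120)]
    result = triage(sample)
    for category, names in result.items():
        print(f"{category:13s} {names}")
    for name in result["renamed-only"]:
        print(f"rename {name} -> {restore_name(name)}")
```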
Vaccines Target Variants
The vaccine has been tested against versions of the STOP ransomware that have arisen between August 2019 and this month – but that’s no guarantee that it will protect against future strains or other malware packaged with it.
“The vaccine may not work for future versions of this ransomware,” Hahn and Parol wrote. “So if you already take the time to apply it, also take the time to back up your files! If the vaccine prevents encryption of your files, you should still reinstall the operating system to get rid of malware. Comorbid malware infections are common with this threat.”
The STOP/DJVU variant doesn’t have the same high profile as other ransomware, such as REvil, Ryuk and DarkSide, but according to an analysis in October by Cyber Geeks, it has a wide reach. The analysts noted a report by internet security company ESET that said STOP was ranked third among ransomware families in the second quarter of 2020.
Many Versions of STOP Ransomware
There is a broad range of variants of the ransomware, which according to Geek’s Advice has affected more than 500,000 victims around the world. The malware primarily targets home users and uses software crack packages and adware bundles to get into systems, according to software vendor Wonderland Technology.
The ransomware targets files such as PDFs, JPEGs and DOCs, and once the files have been encrypted, they’re given a .djvu extension. The ransomware then drops a note asking for money.
Vaccines a Tool for Fighting Ransomware
Vaccines have been used as a method for combatting the rise of ransomware and other malware for several years. Bitdefender has been creating vaccines since at least 2016, when it came out with a vaccine to battle CryptoWall, a fast-moving ransomware that goes beyond encrypting files and asking for money. It also hides inside the operating system and deletes volume shadow copies of the files, making it more difficult to restore the data.
Bitdefender has since updated the vaccine to keep pace with the latest versions of CryptoWall.
Last year, security researchers released a vaccine – called Raccine – to prevent some ransomware families that leverage vssadmin.exe on Windows systems from erasing shadow copies in hopes of making data recovery impossible. Raccine applies a registry patch that intercepts vssadmin.exe invocations and kills the process.
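The vssadmin.exe behaviour Raccine intercepts is also a good detection signal, since legitimate shadow-copy deletion from a random user-writable path is rare. The following is an added example (not Raccine’s code) that scans constructed Sysmon-style process-creation events for vssadmin shadow-deletion command lines and reports the parent process for triage; the field names and sample events are assumptions.

```python
import json
import re

# Command lines that delete Volume Shadow Copies via vssadmin.exe, the
# behaviour the article says Raccine intercepts. Matching is case-insensitive
# because the operator may type "Delete Shadows" or "delete shadows".
SHADOW_DELETE = re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)

def is_shadow_delete(cmdline: str) -> bool:
    """True if a process command line deletes shadow copies with vssadmin."""
    return bool(SHADOW_DELETE.search(cmdline))

def scan(log_lines):
    """Parse one JSON event per line; return the shadow-deletion events found."""
    hits = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue                    # skip malformed records rather than crash
        cmd = ev.get("CommandLine", "")
        if is_shadow_delete(cmd):
            hits.append({"time": ev.get("UtcTime"), "host": ev.get("Computer"),
                         "parent": ev.get("ParentImage"), "cmd": cmd})
    return hits

# Constructed sample events with Sysmon-like field names, not real telemetry.
SAMPLE_LOG = r"""
{"UtcTime":"2021-12-15 10:01:02","Computer":"ws01","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"vssadmin list shadows"}
{"UtcTime":"2021-12-15 10:01:05","Computer":"ws01","ParentImage":"C:\\Users\\victim\\AppData\\Local\\Temp\\x.exe","CommandLine":"vssadmin.exe Delete Shadows /All /Quiet"}
this line is not JSON and must be skipped
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(f"{hit['time']} {hit['host']} parent={hit['parent']} cmd={hit['cmd']}")
```

A Raccine-style block is a last line of defence; the same pattern feeding an alert gives responders the host and parent process to act on.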
“When a global malware outbreak occurs, Minerva’s Endpoint Malware Vaccination can preemptively vaccinate all your endpoints, protecting your organization from global outbreaks,” the company says on its website. “For example, companies could have vaccinated themselves against variants of the highly-prolific WannaCry worm by defining a mutex-based infection marker.”
Limitations to Vaccines
However, there are limitations to vaccines, according to cybersecurity professionals.
“Ransomware vaccines are unfortunately not nearly as effective as COVID-19 vaccines,” Oliver Tavakoli, CTO at cybersecurity firm Vectra, told eSecurity Planet. “The vaccines tend to target particular operational characteristics of the malware that encrypts files, and those characteristics are often easy for the malware author to alter in order to circumvent the protection.”
Even if the vaccine protects a target against the current variant, “it will likely have a short shelf life,” Tavakoli said. “In the case of the STOP ransomware vaccine, even if it remains effective, you may still receive a ransom note requesting payment lest your exfiltrated data be made public or sold to nefarious parties.”
John Bambenek, principal threat hunter at security firm Netenrich, told eSecurity Planet that such vaccines are good short-term solutions, but once they are publicly released, ransomware authors are quick to engineer the malware around the vaccine.
“Ransomware usually has several checks or things that it needs to execute,” Bambenek said. “If those are blocked, then the encryption does not occur. That being said, this usually only prevents the encryption part of ransomware attacks and not the data theft and data leak extortion component of ransomware campaigns.”
He said that vaccines “typically use software engineering decisions made by the criminal against them to prevent the ransomware from executing. They don’t so much look for specific behaviors but put things in place that force the logic in the code to stop executing, and they are highly dependent on specific malware families.”