A PayPal engineer has developed a new way to detect ransomware attacks and stop them. This week, the U.S. Patent and Trademark Office granted the online payments company PayPal a patent for detecting and stopping ransomware attacks.
According to U.S. patent no. 10262138, published on April 16, PayPal believes that the early stages of a ransomware infection can be detected and one of two actions taken: stopping the encryption, or saving a copy of the still-untouched original file to a remote server as a backup before it is encrypted, so that it can later be restored.
HOW CAN PAYPAL DETECT RANSOMWARE?
At the heart of the patent is PayPal's claim that it can detect the start of a ransomware infection. PayPal says its system will watch all files as they are loaded into a computer's memory cache, which happens whenever an application needs to perform an operation on a local file. PayPal's system will look for a specific pattern of actions: the file is duplicated, and high-entropy operations (encryption) are performed on the duplicate. Many ransomware strains use this technique: they encrypt a copy of the original file, write the encrypted copy to the hard drive in place of the legitimate file, and permanently delete the original.
PayPal's solution is to detect this pattern and maintain a whitelist of apps that are allowed to perform these actions. When a process that is not on the whitelist performs these operations, PayPal's system stops the process and/or sends a copy of the original file to a remote cloud service for backup.
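The following is an added example, not code from the patent or from PayPal, showing how the copy-then-encrypt pattern and the whitelist decision described above could be modelled. It assumes a per-process event feed (the `on_read`/`on_write` calls), a byte-entropy threshold of 7.0 bits per byte, and constructed process names and file contents; a real system would hook the operating system's file I/O rather than receive events this way.

```python
import hashlib
import math
from collections import Counter, defaultdict

# Processes trusted to rewrite user files with high-entropy content
# (archivers, backup agents). Names are constructed for this example.
WHITELIST = {"backup-agent", "archiver"}
ENTROPY_THRESHOLD = 7.0  # bits per byte; documents sit well below, ciphertext near 8


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or constant input, max 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


class RansomwareMonitor:
    """Per-process view of the copy-then-encrypt pattern: a file is loaded into
    memory, then a high-entropy version of it is written back, either over the
    original path or to a new path of the same size."""

    def __init__(self, whitelist=WHITELIST, threshold=ENTROPY_THRESHOLD):
        self.whitelist = whitelist
        self.threshold = threshold
        self.loaded = defaultdict(dict)  # process -> {path: original bytes}
        self.backups = {}                # path -> original bytes saved before loss
        self.blocked = set()             # processes already stopped

    def on_read(self, process, path, data):
        """Stage 1: the original file is loaded into memory by the process."""
        self.loaded[process][path] = data

    def _match_original(self, process, path, data):
        """Find the loaded file this write is a (transformed) copy of, if any."""
        files = self.loaded[process]
        if path in files:
            return path
        # Copy written to a new path: same length as a file the process loaded.
        for orig_path, orig in files.items():
            if len(orig) == len(data):
                return orig_path
        return None

    def on_write(self, process, path, data):
        """Stage 2 check. Returns 'allow' or 'block'."""
        if process in self.blocked:
            return "block"
        if shannon_entropy(data) < self.threshold:
            return "allow"  # ordinary edit, not ciphertext-like
        orig_path = self._match_original(process, path, data)
        if orig_path is None or process in self.whitelist:
            return "allow"
        # Pattern matched by an untrusted process: keep the original safe
        # (the backup option) and stop the process.
        self.backups[orig_path] = self.loaded[process][orig_path]
        self.blocked.add(process)
        return "block"


def demo():
    """Constructed scenario: a text editor, a ransomware-like process, a backup agent."""
    mon = RansomwareMonitor()
    plaintext = b"Quarterly report: revenue up 12%\n" * 64
    # Deterministic stand-in for encrypted output (not a real cipher).
    ciphertext_like = hashlib.shake_256(b"example").digest(len(plaintext))

    mon.on_read("editor", "report.txt", plaintext)
    editor = mon.on_write("editor", "report.txt", plaintext + b"edited\n")

    mon.on_read("cryptor.exe", "report.txt", plaintext)
    cryptor = mon.on_write("cryptor.exe", "report.txt.locked", ciphertext_like)

    mon.on_read("backup-agent", "report.txt", plaintext)
    agent = mon.on_write("backup-agent", "report.txt.enc", ciphertext_like)

    return editor, cryptor, agent, mon.backups.get("report.txt") == plaintext


if __name__ == "__main__":
    print(demo())
```

The editor's low-entropy edit passes, the untrusted process that writes a ciphertext-sized copy of a file it just read is blocked with the original preserved in `backups`, and the whitelisted agent is allowed to do the same thing. The entropy threshold is the weak point: compressed archives and images are also near 8 bits per byte, which is exactly why the whitelist is needed.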
OTHER RANSOMWARE DETECTION SYSTEMS DEVELOPED IN THE PAST
The design is unusual compared with other ransomware detection systems. For example, in early 2016, a US developer named Sean Williams created a ransomware detection system for Linux systems called cryptostalker, which monitors the filesystem for newly created files and alerts the system owner if files are being created at high speed and contain random data (the sign of encrypted contents).
Similarly, the cyber-security company Cybereason launched a free application called RansomFree in December 2016, which detected the onset of ransomware infections by creating directories with special characters in their names so that ransomware would encrypt the files stored in those directories first.
RansomFree monitored the files in these folders for changes, then detected and stopped the process that made them. Windows 10 v1709, released in October 2017, also shipped with a ransomware detection system, the Controlled Folder Access feature, which was rebranded as Ransomware Protection in Windows 10 v1803.
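The two earlier approaches just described, cryptostalker's burst-of-random-files rule and RansomFree's decoy directories, can be sketched in one watcher. This is an added example written for this page, not code from either project. It assumes a stream of file-creation events `(timestamp, path, content, process)`, a 7.0 bits-per-byte entropy threshold, a burst rule of five high-entropy files within two seconds, and constructed decoy directory names and file contents.

```python
import hashlib
import math
from collections import Counter, deque

ENTROPY_THRESHOLD = 7.0     # bits per byte; only meaningful for files of a few hundred bytes or more
BURST_WINDOW_SECONDS = 2.0  # cryptostalker-style rule: many random-looking files in a short time
BURST_COUNT = 5
# Decoy directories whose names sort ahead of real user folders, so an encryptor
# walking the filesystem in order reaches them first (RansomFree-style). Constructed.
DECOY_DIRS = ("/home/alice/!decoy", "/home/alice/#decoy")


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or constant input, max 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def in_decoy_dir(path: str, decoys=DECOY_DIRS) -> bool:
    """True if the path lies inside one of the decoy directories."""
    return any(path.startswith(d.rstrip("/") + "/") for d in decoys)


class FilesystemWatcher:
    """Consumes file-creation events and returns 'decoy_touched', 'burst' or 'ok'."""

    def __init__(self, threshold=ENTROPY_THRESHOLD,
                 window=BURST_WINDOW_SECONDS, count=BURST_COUNT):
        self.threshold = threshold
        self.window = window
        self.count = count
        self.recent = deque()  # timestamps of recent high-entropy creations
        self.alerts = []       # (kind, process, path)

    def on_create(self, ts, path, data, process):
        if in_decoy_dir(path):
            # Nothing legitimate writes here, so any write is a strong signal.
            self.alerts.append(("decoy_touched", process, path))
            return "decoy_touched"
        if shannon_entropy(data) < self.threshold:
            return "ok"  # plain content, not part of an encryption burst
        self.recent.append(ts)
        # Drop creations that fell out of the sliding window.
        while self.recent and ts - self.recent[0] > self.window:
            self.recent.popleft()
        if len(self.recent) >= self.count:
            self.alerts.append(("burst", process, path))
            return "burst"
        return "ok"


def demo():
    """Constructed scenario: slow text writes, then a burst of ciphertext-like files."""
    w = FilesystemWatcher()
    results = []
    text = b"meeting notes for monday\n" * 40
    for i in range(3):  # an editor saving notes a second apart
        results.append(w.on_create(10.0 + i, f"/home/alice/docs/note{i}.txt", text, "editor"))
    for i in range(6):  # six random-looking files within half a second
        data = hashlib.shake_256(f"file{i}".encode()).digest(1024)
        results.append(w.on_create(20.0 + i * 0.1, f"/home/alice/docs/file{i}.locked", data, "cryptor"))
    # The same process then reaches a decoy directory.
    results.append(w.on_create(21.0, "/home/alice/!decoy/readme.txt.locked", b"\x00" * 16, "cryptor"))
    return results


if __name__ == "__main__":
    print(demo())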
Microsoft's system lets Windows 10 detect ransomware by keeping a whitelist of approved applications that are allowed to make file changes in the selected directories. Although it is very effective, the system isn't widely used because it requires a great deal of manual setup: the user has to whitelist all the benign apps installed on the computer and then choose the folders to protect from ransomware. But none of these systems has had a real impact in the grand scheme of things over the years.
Although ransomware attacks have been around for more than half a decade by now, no strong ransomware prevention system is in place, and ransomware still runs amok once deployed on users' or companies' internal networks. PayPal's system looks solid on paper, but it still needs a field test before it becomes commercially viable.
The patent's author is Schlomi Boutnaru, formerly Chief Technology Officer for Cyber Security at PayPal and now Chief Technology Officer at the cloud security company Rezilion.