Montreal researchers develop a new method to protect against ransomware attacks
When the WannaCry attack in May 2017 compromised hundreds of thousands of computers worldwide, it was among the biggest such ransomware campaigns on record. Besides countless individual users, organizations like the United Kingdom’s National Health Service, FedEx, Honda, as well as government ministries in Russia, India and elsewhere were affected.
Ransomware is not new, but the scope of the WannaCry attack and others that followed has cybersecurity experts worried. Ransomware is a form of malicious software that encrypts or can even destroy valuable files stored on a computer’s hard drive. Users who find their files encrypted usually receive a message demanding payment — a ransom, usually in the form of one cryptocurrency or another — to descramble the files.
While the most up-to-date operating systems (OS) are equipped with sophisticated anti-malware defenses, no system is immune from outside interference. However, Mohammad Mannan, associate professor at the Gina Cody School of Engineering and Computer Science, with his former PhD student Lianying Zhao, has recently developed a new method of protecting systems against these kinds of attacks.
The method, which he dubbed Inuksuk, uses hardware instead of software to protect sensitive data. Essentially, he has designed a method in which a pre-installed self-encrypting drive (SED) creates a partition that is protected by a high-entropy keyword. Even the user does not know the randomly generated keyword, and it is unique to the machine in which it is operating.
Once the Inuksuk program is installed, the SED pairs with a Trusted Platform Module (TPM) chip attached to the computer’s central processing unit. The TPM will block any process other than the valid Inuksuk program from accessing the SED keyword. Both the SED and TPM are common chips manufactured by major hardware companies.
A protected partition
The partition is a safe, tamper-proof location where data can be stored. If a user wants to write a file into it, they need access to the protected keyword, which is available only to the unmodified Inuksuk software. Inuksuk targets writing operations, so files can be read but not modified — thus thwarting encryption attempts by malware.
“Having a partition like this protects the files that are very special to you — the kind you really don’t want to lose in a ransomware attack,” says Mannan, who works at the Concordia Institute for Information Systems Engineering. “When you get infected, this software ensures that the ransomware can delete anything it likes from your regular partition but it cannot erase anything from your protected partition.”
Inuksuk will also freeze a computer’s operating system while it is running. Any malware that has made its way into the OS will be inactive while files in the protected partition are being modified. However, a computer that is linked to a network can run Inuksuk and its OS simultaneously.
“When your OS is compromised, none of the other solutions that currently exist, either in academia or industry, can survive in any effective way,” Mannan explains.
“Our primary goal was to protect computers from ransomware or any other data deletion attacks and also from rootkit level attacks.”
As for the name, Mannan says he borrowed the word “inuksuk” from the Inuit language of Inuktitut. “It has several meanings, and one of them is to indicate a place where you store food or other valuable things,” he says. “It’s a marker for people so they can find something important. We use it as a marker for your important data.”
Read the cited paper: “TEE-aided Write Protection Against Privileged Data Tampering.”