The United States Patent and Trademark Office has granted this week a patent to online payments company PayPal for a technique for detecting and stopping ransomware attacks.
According to US patent number 10262138, issued on April 16, PayPal believes it can detect the early stages of a ransomware infection and take one of two actions: stop the encryption process, or save a copy of the untainted original file to a remote server as a backup before it gets encrypted, so it can be restored later on.
How PayPal can detect ransomware
At the patent’s heart is the technique through which PayPal claims it can detect the onset of a ransomware infection.
PayPal says its system watches for local files being loaded into a computer’s memory cache, the place files are loaded whenever an application needs to perform an operation on them.
PayPal’s system looks for a specific action pattern: the file is duplicated, and high-entropy (encryption) operations are performed on the duplicate.
This is a common technique among many ransomware strains, which encrypt a copy of the original file, then permanently delete the original and write the encrypted copy to disk in its place.
PayPal’s solution is to detect this pattern and introduce a whitelist of applications that are allowed to perform such actions.
If the app process executing these operations is not on the whitelist, PayPal’s system will stop the process, and/or send a copy of the original file to a remote cloud service for backup storage.
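To make that pattern concrete, here is an added Python example, written for this article and not taken from PayPal or the patent, that models the detection described above over a constructed stream of file events. It keeps a per-process snapshot of what each process read, as a stand-in for the memory cache, flags a non-whitelisted process that begins writing ciphertext-like (high-entropy) bytes, writes the cached originals to a backup directory, and then blocks the process so its later delete never lands. It generalises slightly beyond the text: an in-place high-entropy overwrite, not only a duplicate, also triggers it. The process names, paths, whitelist, entropy threshold and sample file contents are all constructed.

```python
import math
import os
import tempfile
from collections import Counter
from dataclasses import dataclass, field


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: English text scores roughly 4-5, ciphertext approaches 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


@dataclass
class FileEvent:
    process: str        # image name of the process issuing the operation
    op: str             # "read", "write" or "delete"
    path: str
    data: bytes = b""   # bytes read or written; empty for delete


@dataclass
class Verdict:
    process: str
    path: str
    action: str                                         # "allow" or "block"
    backed_up: list[str] = field(default_factory=list)  # backup copies written


class RansomwareGuard:
    """Flags a non-whitelisted process that loads files and then emits ciphertext-like bytes."""

    def __init__(self, whitelist, backup_dir, threshold=7.5):
        self.whitelist = set(whitelist)   # apps allowed to write high-entropy data
        self.backup_dir = backup_dir      # stand-in for the remote backup server
        self.threshold = threshold        # entropy (bits/byte) treated as "encrypted"
        self._cache = {}                  # (process, path) -> bytes that process last read
        self.blocked = set()
        os.makedirs(backup_dir, exist_ok=True)

    def handle(self, ev: FileEvent) -> Verdict:
        if ev.process in self.blocked:
            return Verdict(ev.process, ev.path, "block")
        if ev.op == "read":
            # Stand-in for the memory cache: remember what the process loaded.
            self._cache[(ev.process, ev.path)] = ev.data
            return Verdict(ev.process, ev.path, "allow")
        if ev.op == "write" and ev.process not in self.whitelist:
            originals = [p for (proc, p) in self._cache if proc == ev.process]
            if originals and shannon_entropy(ev.data) >= self.threshold:
                # The process loaded plaintext and is now writing ciphertext-like
                # bytes: save the untouched originals, then stop the process.
                saved = [self._backup(ev.process, p) for p in originals]
                self.blocked.add(ev.process)
                return Verdict(ev.process, ev.path, "block", saved)
        return Verdict(ev.process, ev.path, "allow")

    def _backup(self, process: str, path: str) -> str:
        dest = os.path.join(self.backup_dir, os.path.basename(path) + ".bak")
        with open(dest, "wb") as fh:
            fh.write(self._cache[(process, path)])
        return dest

    def run(self, events):
        return [self.handle(ev) for ev in events]


# Constructed sample contents: repeated invoice text (low entropy) and a
# uniform byte pattern whose entropy is exactly 8.0, standing in for AES output.
PLAINTEXT = b"Invoice 2019-04: 12 units @ 30.00, total 360.00, net 30 days.\n" * 40
CIPHERTEXT = bytes(range(256)) * 16


def demo(backup_dir=None):
    """Replay a constructed event stream: an editor, an archiver, then a cryptor."""
    backup_dir = backup_dir or tempfile.mkdtemp(prefix="ransomguard-")
    events = [
        FileEvent("notepad.exe", "read", "C:/docs/notes.txt", PLAINTEXT),
        FileEvent("notepad.exe", "write", "C:/docs/notes.txt", PLAINTEXT + b"edited\n"),
        FileEvent("7z.exe", "read", "C:/docs/report.txt", PLAINTEXT),
        FileEvent("7z.exe", "write", "C:/docs/report.7z", CIPHERTEXT),
        FileEvent("cryptor.exe", "read", "C:/docs/invoice.txt", PLAINTEXT),
        FileEvent("cryptor.exe", "write", "C:/docs/invoice.txt.locked", CIPHERTEXT),
        FileEvent("cryptor.exe", "delete", "C:/docs/invoice.txt"),
    ]
    guard = RansomwareGuard(whitelist={"7z.exe"}, backup_dir=backup_dir)
    return guard.run(events)


if __name__ == "__main__":
    for v in demo():
        print(f"{v.action:5} {v.process:12} {v.path} {v.backed_up or ''}")
```

Running the module prints one verdict per event: the text editor and the whitelisted archiver are allowed, the cryptor is blocked on its first ciphertext-like write, and the original invoice survives as a .bak copy. Entropy alone is a coarse signal, since archivers, encryption tools and media encoders legitimately produce high-entropy output, which is exactly why the whitelist exists; a real implementation would key it on signed binaries rather than image names and would source the events from a filesystem minifilter or similar kernel hook rather than an in-memory list.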
Other ransomware detection systems developed in the past
The concept is unique when compared to other ransomware detection systems.
For example, in early 2016, a US developer named Sean Williams created a ransomware detection system for Linux systems called Cryptostalker, which monitored the filesystem for newly written files; if files were being created at high speed and contained random data (the sign of encrypted content), Cryptostalker would stop the writing process and alert the system owner.
Similarly, in December 2016, cyber-security firm Cybereason released the now-defunct RansomFree app, which detected the onset of a ransomware infection using folders whose names contained special characters, ensuring that ransomware would encrypt the files stored in these directories before anything else. RansomFree worked by monitoring the files in these folders for changes, identifying the process that made the changes, and stopping it.
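As an added illustration of the RansomFree-style approach (example code written for this article, not Cybereason's own), the Python below plants decoy folders whose names sort before ordinary user folders in byte order, records a SHA-256 baseline of the canary files inside them, and reports any canary that is modified, deleted or joined by a new file. The decoy names, canary contents and the tampering simulated in `demo()` are all constructed.

```python
import hashlib
import os
import tempfile

# Decoy folder names chosen so that a plain byte-order sort lists them before
# ordinary user folders: '!' (0x21) and '#' (0x23) precede digits and letters.
# Names and canary contents are constructed for this example.
DECOY_DIRS = ["!decoy", "#decoy"]
CANARY_FILES = ["budget.xlsx", "photos.zip"]
CANARY = b"canary: untouched decoy document, do not edit\n" * 8


def decoys_sort_first(entries, decoys=DECOY_DIRS):
    """True if every decoy precedes every non-decoy when the entries are sorted."""
    ordered = sorted(entries)
    decoy_idx = [i for i, e in enumerate(ordered) if e in decoys]
    real_idx = [i for i, e in enumerate(ordered) if e not in decoys]
    if not decoy_idx:
        return False
    return not real_idx or max(decoy_idx) < min(real_idx)


class DecoyMonitor:
    """Plants canary files in decoy folders and reports any change to them."""

    def __init__(self, root):
        self.root = root
        self.baseline = {}

    def plant(self):
        for d in DECOY_DIRS:
            folder = os.path.join(self.root, d)
            os.makedirs(folder, exist_ok=True)
            for name in CANARY_FILES:
                with open(os.path.join(folder, name), "wb") as fh:
                    fh.write(CANARY)
        self.baseline = self._snapshot()

    def _snapshot(self):
        """Map 'decoydir/filename' -> SHA-256 of its contents."""
        snap = {}
        for d in DECOY_DIRS:
            folder = os.path.join(self.root, d)
            for name in sorted(os.listdir(folder)):
                with open(os.path.join(folder, name), "rb") as fh:
                    snap[f"{d}/{name}"] = hashlib.sha256(fh.read()).hexdigest()
        return snap

    def check(self):
        """Return (path, reason) for every canary modified, deleted or newly created."""
        now = self._snapshot()
        findings = []
        for path, digest in self.baseline.items():
            if path not in now:
                findings.append((path, "deleted"))
            elif now[path] != digest:
                findings.append((path, "modified"))
        findings.extend((path, "created") for path in now if path not in self.baseline)
        return sorted(findings)


def demo(root=None):
    """Plant decoys, confirm a clean check, then simulate tampering and re-check."""
    root = root or tempfile.mkdtemp(prefix="decoy-")
    monitor = DecoyMonitor(root)
    monitor.plant()
    clean = monitor.check()
    # Constructed tampering standing in for a ransomware process: one canary is
    # overwritten with ciphertext-like bytes, the other renamed to a .locked copy.
    folder = os.path.join(root, "!decoy")
    with open(os.path.join(folder, "budget.xlsx"), "wb") as fh:
        fh.write(bytes(range(256)))
    os.rename(os.path.join(folder, "photos.zip"), os.path.join(folder, "photos.zip.locked"))
    return clean, monitor.check()


if __name__ == "__main__":
    before, after = demo()
    print("clean check:", before)
    for path, reason in after:
        print(f"{reason:9} {path}")
```

The integrity check is the part that runs anywhere; attributing a change to the process that made it, and stopping that process, needs an OS hook that reports the writer alongside the write (a Windows minifilter driver or Linux fanotify, for instance), which is outside what this example shows. The `decoys_sort_first` check is worth keeping in a deployment, because a decoy that does not sort ahead of the real data is only found after the damage is done.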
Another ransomware detection system was included with Windows 10 v1709, released in October 2017, with the addition of the Controlled Folder Access feature, rebranded as Ransomware Protection since Windows 10 v1803.
Microsoft’s ransomware detection system allows Windows 10 to detect ransomware by creating a whitelist of approved apps that may make changes to files in user-selected folders. Despite being highly effective, the system is not widely used because it requires a lot of manual setup: whitelisting each and every benign app the user has installed on their computer, and then selecting the folders that should receive ransomware protection.
But in the general scheme of things, none of these systems has made a real impact over the years. Despite ransomware attacks being more than half a decade old by now, there is no solid ransomware prevention system in place, and ransomware still runs amok when deployed on users’ computers or enterprise internal networks.
PayPal’s system looks solid on paper, but it still needs to pass a field test before it can become commercially viable.
The patent’s author is former PayPal Chief Technologist of CyberSecurity Schlomi Boutnaru, now the Chief Technology Officer at cloud security firm Rezilion.