
"Typically, when ransomware gets into a Windows machine, it first scans the cached memory, registry keys, file paths, and running processes to see whether the system is already infected, running on a malware analyst's computer, or trying to run in the sandboxed environment of a virtualized machine. If it sees any of these signs, it gives up, but if not, the ransomware sends a message back to the cybercriminals' servers"
"So far, vaccines have worked by creating "infection markers" on Windows systems to trick malware into giving up, by placing small decoy files on the PC, by editing the registry, or by creating fake mutex objects. The decoy files are less of an issue because when they execute, they don't actually do anything, but if the malware looks at the processes currently running on the machine"
"Malware vaccines were a hot topic of discussion at the recent ONE Conference in The Hague, where Justin Grosfelt, senior manager for the Reversing, Emulation and Testing team at global cybersecurity firm Recorded Future, presented new research showing it is possible to develop code that makes only cosmetic changes to a Windows PC in order to trick malware into not bothering to infect it."
Ransomware typically scans cached memory, registry keys, file paths, and running processes to detect a prior infection, a malware analyst's system, or a virtualized sandbox. If any of those signs are present, the malware stops; if not, it contacts the cybercriminals' servers and downloads a payload that steals data, encrypts files, and demands money. Vaccines create infection markers by placing decoy files, editing the registry, or creating fake mutex objects so that the malware aborts. Decoy files generally do nothing when executed, while process-name decoys can make malware infer that a system is already infected or virtualized. Registry edits carry greater risk but have disabled malware in past cases, such as Binary Defense's EmoCrash kill switch in 2020. Code that makes only cosmetic changes to a system can trick malware into not infecting Windows PCs.
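As an added illustration of the vaccine mechanism summarized above (example code written for this page, not the article's or Recorded Future's research), a PowerShell script that plants two of the markers described: a named mutex and an inert decoy file. The mutex name and decoy path are placeholders; a real vaccine would use the exact marker name a specific malware family checks, which this page does not give.

```powershell
# Added example: minimal "vaccine" that plants a named mutex and a decoy file.
# Both names below are placeholders, not markers checked by any real malware.
param(
    [string]$MutexName = 'Global\PLACEHOLDER_MARKER_MUTEX',            # placeholder
    [string]$DecoyPath = "$env:ProgramData\PLACEHOLDER_MARKER.txt"      # placeholder
)

function Test-MutexPresent {
    param([string]$Name)
    # $true if some running process already owns a mutex with this name.
    $existing = $null
    if ([System.Threading.Mutex]::TryOpenExisting($Name, [ref]$existing)) {
        $existing.Dispose()
        return $true
    }
    return $false
}

function New-VaccineMutex {
    param([string]$Name)
    # A named mutex exists only while a handle to it is open, so the
    # vaccine process has to keep running for the marker to stay visible.
    $createdNew = $false
    $mutex = New-Object System.Threading.Mutex($false, $Name, [ref]$createdNew)
    if (-not $createdNew) {
        Write-Warning "Mutex '$Name' already existed (another vaccine, or an infection)."
    }
    return $mutex
}

function New-DecoyFile {
    param([string]$Path)
    # Inert marker: plain text, no executable content; it only needs to exist.
    if (-not (Test-Path -LiteralPath $Path)) {
        Set-Content -LiteralPath $Path -Value 'vaccine marker' -Encoding ASCII
    }
    return (Get-Item -LiteralPath $Path)
}

$held = $null
if (Test-MutexPresent -Name $MutexName) {
    Write-Host "Marker mutex already present on this host: $MutexName"
} else {
    $held = New-VaccineMutex -Name $MutexName
    Write-Host "Holding vaccine mutex $MutexName; press Ctrl+C to release it."
}
$decoy = New-DecoyFile -Path $DecoyPath
Write-Host "Decoy marker at $($decoy.FullName)"
if ($held) { while ($true) { Start-Sleep -Seconds 60 } }   # keep the handle open
```

The file marker survives a reboot, but the mutex does not: it vanishes as soon as the script exits, which is the caveat to keep in mind when a vaccine relies on a mutex rather than a file or registry marker.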
Read at Theregister