Ransomware continues to be a problem. Building a defense strategy is tough because many attack vectors and paths can result in a ransomware infection. There isn’t a single solution that reduces this risk; however, Adam Shostack recently posted an interesting concept on Dark Reading, found HERE. Many solutions can work as a defense against ransomware; however, they tend not to have enough time to respond to the threat, leading to a game of post-compromise catch-up. Adam’s idea addresses this problem.
In short, the idea is to have Microsoft allow rate-limiting of the CreateFile() API. The concept starts from the observation that ransomware needs to open a file before it can encrypt it. Microsoft has anti-ransomware features that include not allowing 3rd-party encryption, various anti-malware tools within the Defender offering, threat intelligence resources, etc.; however, all of those can be beaten as long as the file can be opened quickly, before the tools can do their job. Adam’s concept puts the defense in place before the file is opened, so the CreateFile() API becomes a throttle point that gives other security tools enough time to do their job.
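To make the throttle-point idea concrete, here is an added toy model of a per-process rate limit on file opens; it is illustration written for this post, not code from Adam Shostack’s article or from Microsoft. The window length, the per-window open budget, and the process IDs and timestamps are all constructed assumptions; a real implementation would sit in the kernel at the CreateFile() path rather than in a user-space replay.

```python
from collections import defaultdict, deque

# Assumed parameters for the simulation (not from the post or from Microsoft).
WINDOW_MS = 1000   # sliding window length in milliseconds (ints keep math exact)
MAX_OPENS = 20     # opens a process may make per window before it is throttled


class OpenThrottle:
    """Per-process sliding-window limit on file opens (model of the choke point)."""

    def __init__(self, max_opens=MAX_OPENS, window_ms=WINDOW_MS):
        self.max_opens = max_opens
        self.window_ms = window_ms
        self.history = defaultdict(deque)  # pid -> timestamps of recent opens
        self.throttled = set()             # pids that hit the limit (alert list)

    def admit(self, pid, ts_ms):
        """Return the delay (ms) imposed on this open; 0 means it passes through."""
        q = self.history[pid]
        while q and ts_ms - q[0] >= self.window_ms:  # forget opens outside the window
            q.popleft()
        if len(q) < self.max_opens:
            q.append(ts_ms)
            return 0
        # Budget exhausted: hold the open until the oldest one ages out of the window,
        # which is the time other security tools gain to inspect the process.
        delay = self.window_ms - (ts_ms - q[0])
        q.append(ts_ms + delay)
        self.throttled.add(pid)
        return delay


def simulate(events, throttle=None):
    """Replay (pid, ts_ms) open requests; return (total delay per pid, flagged pids).

    A delayed open pushes back every later open of the same process, so each pid
    carries an offset equal to the delay it has accumulated so far."""
    throttle = throttle or OpenThrottle()
    offset = defaultdict(int)
    for pid, ts in sorted(events, key=lambda e: e[1]):
        offset[pid] += throttle.admit(pid, ts + offset[pid])
    return dict(offset), throttle.throttled


# Constructed sample: a normal process opening 5 files over a second, and an
# encryptor-like process trying to open 60 files in 60 ms.
NORMAL = [(100, t) for t in range(0, 1000, 200)]
BURSTY = [(200, t) for t in range(60)]

if __name__ == "__main__":
    print(simulate(NORMAL + BURSTY))
```

With these settings the normal process is never delayed, while the bursty one is held back by about two seconds in total and lands on the alert list, which is exactly the breathing room the post argues detection tools currently lack.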
Check out the post for more details, but I agree that it is an interesting point. Many of the ransomware workshops I’ve created or worked through had an initial infection exercise that didn’t have a ton of details about the threat. Analysts have to reinfect a system once they identify the threat to get a better understanding of how the threat works. This simulates how most ransomware situations involve security-tool catch-up, which this CreateFile throttle approach would solve.