Researchers develop method to stop 100% of ransomware before it encrypts all files

Researchers at the University of Florida have developed a new solution that aims to stop ransomware. In a test, the method, called CryptoDrop, detected and stopped 100% of the 492 ransomware variants tested. The system works by detecting when malware tries to encrypt multiple files. After an application has encrypted a certain number of files, CryptoDrop treats it as ransomware and stops it from encrypting any more.

CryptoDrop was not developed to prevent ransomware infections, but to limit the damage as much as possible. In tests the software stepped in when an average of 10 of the 5100 files on the test computer had been encrypted by ransomware. CryptoDrop prevented the ransomware from encrypting all files on the computer, which saves potential victims from paying a ransom. According to the researchers, when CryptoDrop does its work properly the damage of a ransomware infection is limited to the user losing a handful of documents.

The technology works by monitoring the files on the computer, which is different from most other malware detection software. Those products usually monitor for applications that modify files. CryptoDrop instead recognizes suspicious file activity and then stops the responsible process. To do so, the system monitors for overwriting, moving and replacing of files. Ransomware usually performs these operations, while legitimate software hardly ever does.
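The per-process counting described above, as an added example that is not CryptoDrop's own code: a monitor replays constructed file events, counts the files each process turns into data that looks encrypted, and stops the process once a threshold is reached. The event tuple format, the entropy test used to decide that a file looks encrypted, and the threshold of 3 files are assumptions made for the illustration.

```python
import hashlib
import math
from collections import Counter, defaultdict

WATCHED_OPS = {"overwrite", "move", "replace"}  # operations the article names
FILE_LIMIT = 3       # assumed threshold; the article only says "a certain number"
ENTROPY_BITS = 7.0   # assumed heuristic for "looks encrypted" (bits per byte)

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

class FileActivityMonitor:
    def __init__(self, limit: int = FILE_LIMIT):
        self.limit = limit
        self.lost = defaultdict(set)   # pid -> files it turned into high-entropy data
        self.stopped = set()           # pids that crossed the threshold

    def observe(self, pid, op, path, old: bytes, new: bytes) -> bool:
        """Return True if the operation goes through, False if the pid is already stopped."""
        if pid in self.stopped:
            return False
        if (op in WATCHED_OPS and entropy(new) >= ENTROPY_BITS
                and entropy(old) < ENTROPY_BITS):
            self.lost[pid].add(path)
            if len(self.lost[pid]) >= self.limit:
                self.stopped.add(pid)  # detection comes after the fact: this file is lost
        return True

def replay(events, limit: int = FILE_LIMIT):
    """Feed events through a monitor; return (stopped pids, files lost per pid, blocked ops)."""
    mon, blocked = FileActivityMonitor(limit), 0
    for ev in events:
        if not mon.observe(*ev):
            blocked += 1
    return mon.stopped, {p: len(f) for p, f in mon.lost.items()}, blocked

# Constructed sample data: plain text, and a SHA-256 stream standing in for ciphertext.
TEXT = b"Quarterly report draft, revision 2. " * 100
NOISE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
EVENTS = (
    [(100, "overwrite", "notes.txt", TEXT, TEXT + b"One more line.")]      # editor save
    + [(200, "replace", "backup.zip", b"", NOISE)]                          # archiver, one file
    + [(300, "overwrite", f"doc{i}.docx", TEXT, NOISE) for i in range(5)]   # bulk rewrite
)

if __name__ == "__main__":
    print(replay(EVENTS))
```

In the constructed run, process 300 is stopped after its third file, so three documents are lost and the remaining two writes are blocked, while the single high-entropy file written by process 200 stays below the threshold.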

This way CryptoDrop is able to detect and stop ransomware before a lot of files are lost. The researchers hope that users will then no longer need to pay a ransom, which makes ransomware less financially attractive to cybercriminals. Ultimately, they hope it will end the current wave of ransomware infections.

The researchers have a working prototype for Windows and are currently looking for a partner to make it available on the market.