Malicious computer software, such as viruses, computer worms and trojans, present one of the most important computer security issues. It was calculated that annual financial losses of businesses caused by malicious software amount to tens of billions of dollars.
In recent years, a new type of malicious software, ransomware, has become widespread. The term ransomware as used herein refers to a family of malicious programs that block or impede user interaction with the operating system. Oftentimes, these programs demand the transfer of funds to the offenders in exchange for restoration of the computer's operability. Technically, ransomware programs are a variant of trojan program, which infect their target computer systems using techniques such as attaching executable files to emails, or attacking a vulnerability in the network service to gain access to the target computer system.
In order to combat ransomware, antivirus companies have traditionally used basic signature detection methodology, which is based on the comparison of program codes with the signatures of known malicious programs stored in antivirus databases. Other approaches have used a combination of multiple proactive antivirus security technologies, the main goal of which, in contrast to the reactive (signature-based) technologies, is to prevent infection of the user's system by unknown malicious software. For example, heuristic analysis during code emulation has been combined with behavior analysis in order to prevent infection of the user's operating system with a ransomware program.
In the code emulation mode, the behavior of the operating system and of the central processor is simulated; therefore, the application in question cannot harm the user's operating system. Heuristic analysis based on the application code analysis determines the parts of the code which are responsible for malicious activity. A behavior analysis of the execution mode determines whether a program is malicious, based on its behavior.
The main advantage of these technologies consists in their ability to differentiate safe programs from malicious ones without using a professional virus analyst. One shortcoming, however, is that there is a certain intermediate zone between clearly malicious actions and acceptable actions. Moreover, the same actions or parts of a code can be malicious in a malicious program intended to extort money but useful in legitimate software. For example, running a full-screen application with a window in front of the other windows is used by ransomware programs to complicate the user's interaction with the operating system's graphical interface, but this is quite legitimate in computer games—for example, when a computer game application is run full-screen and does not respond to special key combinations like ALT-F4 or ALT-TAB.
This creates the possibility that antivirus technologies may be unable to detect an unknown ransomware program, which may result in a blockage of the user's interaction with the operating system, and, consequently, a blockage of the user's access to the antivirus product tools. Therefore, there is a need for quickly detecting the presence of an active ransomware program in the operating system, so that the antivirus software can alleviate the problem in a timely manner.