Researchers from two well-known university has identified the new method to bypass Anti-ransomware defense feature from Antivirus by circumventing “Cut and Mouse” & simulating click events via “Ghost Control” techniques.

Researchers from University of Luxembourg and University of London had identified the new techniques using which they can defeat the Anti-ransomware protection on world’s renowned Antivirus solutions.

Cut and Mouse:

In this technique, ransomware can bypass anti-ransomware protection via controlling a trusted application such as notepad or paint and encrypt the files of the victim, including those stored in protected folders.

“The trusted applications should not receive messages from non-trusted applications” as the proposed mitigation strategy by the researchers.

Source: Research paper

Ghost Control:

In this technique, an attacker can disable the AV protection by simulating the legitimate user actions to activate the Graphical User Interface of the AV programs and then it can be clicked to turn-off by the turn off button.

Researchers suggests that this technique can be mitigated by two principles:

  1. AV’s should run the main GUI with administrative privileges only.
  2. Scan components of AV should be accessible in such a way it would require the user to have administrator rights

The researches have evaluated 29 Antivirus solutions out of which ,14 of them are found to be vulnerable to Ghost Control attack and all the 29 Antivirus solutions are found to be vulnerable for Cut-and-Mouse attack.

Below table depicts the AV solutions which are affected.(Note: The researchers didn’t named the vendors name, AV vendors are depicted as AV1, AV2, AV3,etc).

Source: Researchers paper.

–-For more Cyber security news in crisp content . Please follow our site

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s