4 ransomware detection techniques to catch an attack
While prevention is key, it's not enough to protect a company's systems from ransomware. Learn how early detection with these four methods helps reduce damage from attacks.
When it comes to ransomware, prevention is key. But equally important is knowing how to detect ransomware if it infects a network -- before it encrypts and exfiltrates business-critical data. By the time a ransom demand arrives, the damage is done.
Early detection involves a mix of automation and malware analysis to discover malicious files early in the kill chain. But malware isn't always easy to find. To escape detection, adversaries often hide ransomware within legitimate software, such as PowerShell scripts, VBScript, Mimikatz and PsExec. Plus, sometimes detection is not just about the malware itself; it involves using clues from network activity to understand if an attack is about to happen.
Let's take a deeper look at four ransomware detection methods: signature-based, behavior-based, traffic-based and deception-based detection.
1. Signature-based detection
Signature-based ransomware detection compares a ransomware sample hash to known malware signatures. It provides quick static analysis of files in an environment. Security platforms, intrusion detection systems and antivirus software capture data from within an executable to determine the likelihood that it is ransomware rather than an authorized executable. Most antivirus software takes this step when scanning for malware.
Security teams can also use the Windows PowerShell cmdlet Get-FileHash or open source intelligence tools, such as VirusTotal, to get a file's hash. With current hashing algorithms, security professionals can compare a file's hash to known malware samples and ransomware threats. Security teams can then use antivirus and antimalware tools to blocklist specific file types. This prevents users from inadvertently downloading malware via email phishing attempts or suspicious websites.
Signature-based ransomware detection techniques are a first level of defense. While useful at finding known threats, signature-based detection methods cannot always identify newer or zero-day threats. For example, attackers update their malware files frequently to avoid detection. Adding a single byte to a file creates a new hash, decreasing the malware's detectability by signature alone.
Despite its issues, signature-based detection is still useful to identify older ransomware variants.
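The hash comparison behind signature-based detection, and the one-byte evasion described above, as an added example rather than code from the article. The sample bytes and the blocklist are constructed for the demo; the digest is SHA-256, the default algorithm of Get-FileHash.

```python
import hashlib

# Constructed stand-in for a file captured on an endpoint; this is not real malware.
SAMPLE = b"MZ\x90\x00 constructed stand-in for an executable body"

# Constructed blocklist of SHA-256 digests, the kind of list a team builds from its own
# incident artifacts or a threat-intel feed. These values are not real indicators.
KNOWN_BAD = {hashlib.sha256(SAMPLE).hexdigest()}


def file_hash(data: bytes) -> str:
    """SHA-256 hex digest, the same value Get-FileHash prints by default."""
    return hashlib.sha256(data).hexdigest()


def signature_match(data: bytes, blocklist: set) -> bool:
    """Signature check: exact digest lookup against the blocklist."""
    return file_hash(data) in blocklist


def evasion_demo() -> dict:
    """Show why a single appended byte defeats matching on the hash alone."""
    original = signature_match(SAMPLE, KNOWN_BAD)
    padded = signature_match(SAMPLE + b"\x00", KNOWN_BAD)  # one extra byte, new digest
    return {"original_detected": original, "padded_detected": padded}


if __name__ == "__main__":
    print(evasion_demo())
```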
2. Behavior-based detection
Behavior-based ransomware detection methods compare new behaviors against historical data to help security professionals and tools look for indicators of compromise. For example, these methods can detect if someone is accessing a company desktop remotely from another state when the employee logged in from the office that same day.
Behavior-based detection includes the following steps:
- Measuring file system changes. Security teams should look for abnormal file executions, such as an overabundance of file renames. A few happen in a normal workday, but hundreds within a short amount of time should raise a red flag. Ransomware can stay hidden in systems for a while before executing, so security teams should also look for the creation of a file with larger entropy than an original file, as well as the enumeration and encryption of files.
- Examining API calls. Security teams should examine API calls to learn what commands files execute and whether any are suspicious. For example, spyware and keyloggers use GetWindowDC to capture the contents of an entire window, or IsDebuggerPresent to detect whether a debugger is attached. Another ransomware ploy is to call GetTickCount to learn how long the system has been running, to the millisecond. A short uptime suggests to the malware that it is running in a VM, and in that case it won't execute any malicious actions.
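The two file system checks described above (a burst of renames in a short window, and a file rewritten with far higher entropy than the original) as an added example over a constructed event log; this is not the article's code, and the thresholds are assumed tuning values.

```python
import math
from collections import Counter
from datetime import datetime, timedelta

# Tuning values are assumptions for the demo, not figures from the article.
RENAME_THRESHOLD = 50             # renames inside one window that count as a burst
WINDOW = timedelta(seconds=60)
ENTROPY_JUMP = 2.0                # bits/byte increase from original to rewritten file

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: text sits around 4-5, ciphertext near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def max_renames_in_window(events, window=WINDOW) -> int:
    """Largest number of rename events that fall inside any sliding window."""
    times = sorted(e["time"] for e in events if e["op"] == "rename")
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def entropy_jumps(events, min_jump=ENTROPY_JUMP):
    """Paths whose rewritten content is far more random than the original."""
    return [e["path"] for e in events if e["op"] == "write"
            and shannon_entropy(e["new"]) - shannon_entropy(e["old"]) >= min_jump]

def detect(events) -> dict:
    """Summarise both behavior checks for one batch of events."""
    burst = max_renames_in_window(events)
    return {"rename_burst": burst >= RENAME_THRESHOLD,
            "max_renames": burst,
            "entropy_jumps": entropy_jumps(events)}

# Constructed event log: a normal morning, then 120 renames in 30 seconds and a
# document rewritten with ciphertext-like bytes (all 256 values equally often).
T0 = datetime(2024, 9, 2, 9, 0, 0)
NORMAL = [{"op": "rename", "time": T0 + timedelta(minutes=15 * i)} for i in range(4)]
BURST = [{"op": "rename", "time": T0 + timedelta(hours=3, milliseconds=250 * i)}
         for i in range(120)]
WRITE = [{"op": "write", "path": "finance/q3.xlsx",
          "old": b"Quarterly revenue summary, plain text. " * 12,
          "new": bytes(range(256)) * 2}]
EVENTS = NORMAL + BURST + WRITE

print(detect(EVENTS))
```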
3. Traffic-based detection
Traffic-based detection involves monitoring network traffic for suspicious activity or patterns, such as a sudden increase in outbound volume. A spike in outgoing traffic might indicate that an attacker has succeeded and is exfiltrating sensitive data.
Security teams should examine traffic for anomalies, such as software connecting to suspicious file-sharing sites, and note the times of such connections. Teams should also check whether traffic volume has recently increased and where that traffic is going, and compare destinations with known suspicious IP addresses. Ransomware requires network connectivity to offsite servers to receive command-and-control instructions and to exchange decryption keys.
Note that, while useful, this detection method can yield false positives and requires analysis time. Attackers might also use legitimate file-sharing sites that have been allowlisted by the infected company, enabling them to fly under the radar.
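The traffic checks above (outbound volume against a host's own baseline, destinations against a suspicious-IP list and file-sharing sites, and the time of day) as an added example over constructed flow records. This is not the article's code; the multiplier, business hours, the 203.0.113.0/24 range and the file-sharing host names are assumptions for the demo.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
import statistics

# Assumed tuning values and constructed indicator lists, not figures from the article.
VOLUME_MULTIPLIER = 3.0           # alert when a day's outbound bytes exceed 3x the baseline median
BUSINESS_HOURS = range(7, 20)     # 07:00-19:59 local time counts as normal
SUSPICIOUS_NETS = [ip_network("203.0.113.0/24")]   # documentation range standing in for a feed
FILE_SHARING = {"files.example", "drop.example"}   # constructed names, not real services

def volume_anomalies(flows, multiplier=VOLUME_MULTIPLIER):
    """Hosts whose latest day's outbound volume dwarfs the median of their earlier days."""
    per_host = defaultdict(lambda: defaultdict(int))
    for f in flows:
        per_host[f["host"]][f["time"].date()] += f["bytes_out"]
    alerts = []
    for host, days in per_host.items():
        if len(days) < 2:
            continue
        latest = max(days)
        baseline = statistics.median(b for d, b in days.items() if d != latest)
        if days[latest] > multiplier * baseline:
            alerts.append((host, latest.isoformat(), days[latest], baseline))
    return alerts

def destination_alerts(flows):
    """Flows to suspicious ranges or file-sharing sites, noting off-hours activity."""
    alerts = []
    for f in flows:
        reasons = []
        if any(ip_address(f["dst_ip"]) in net for net in SUSPICIOUS_NETS):
            reasons.append("suspicious-ip")
        if f.get("dst_host") in FILE_SHARING:
            reasons.append("file-sharing")
        if reasons and f["time"].hour not in BUSINESS_HOURS:
            reasons.append("off-hours")
        if reasons:
            alerts.append((f["host"], f["dst_ip"], reasons))
    return alerts

# Constructed flows: four quiet days, then a night of heavy uploads to a suspicious range.
def mk(day, hour, host, dst_ip, bytes_out, dst_host=None):
    return {"time": datetime(2024, 9, day, hour), "host": host, "dst_ip": dst_ip,
            "bytes_out": bytes_out, "dst_host": dst_host}

FLOWS = [mk(d, 10, "ws-17", "198.51.100.10", 40_000_000) for d in range(2, 6)] + [
    mk(6, 2, "ws-17", "203.0.113.45", 900_000_000, "drop.example"),
    mk(6, 9, "ws-17", "198.51.100.10", 35_000_000)]
```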
4. Deception-based detection
Deception-based ransomware detection involves tricking adversaries while they search for data to encrypt or exfiltrate within the organization's system. Security teams use deception techniques to fool malicious attackers into interacting with fake assets in the network. Legitimate users would never touch these false assets, giving security teams a reliable indicator of suspicious activity.
To enable deception-based detection, security teams deploy decoys, such as honeynets, honeypots and honey tokens, and ignore them unless an alert is logged. The following are some characteristics of these types of decoys:
- Honeynets are networks of honeypots and honey tokens.
- Honeypots are any intentionally vulnerable network-attached systems, such as computers, VMs, applications, file repositories or servers.
- Honey tokens are individual files, email addresses or user accounts used to attract attackers.
Take a layered anti-ransomware approach
When it comes to ransomware detection, there's no one-size-fits-all technique. Using multiple methods together offers security teams a better chance to detect and monitor a ransomware attack, and isolate it before it does too much damage.
Organizations need to do more than just install and run antivirus software. Alongside a combination of the aforementioned ransomware detection techniques, security teams should also look for attacks entering through the front door. Insider threats, such as credential reuse and social engineering, can easily provide adversaries access to a system.
It's time to take ransomware seriously. While the number of payments dropped as some ransomware groups have folded, the overall average ransomware payment remains high. It was around $480,000 in the third quarter of 2024, up 23% from the second quarter, according to incident response vendor Coveware.
Further ransomware prevention involves training employees about ransomware risks and teaching infosec professionals the Mitre ATT&CK framework, which includes information on adversary tactics, techniques and procedures. With this knowledge, security teams can determine the organization's strengths and weaknesses and improve system security accordingly to boost ransomware protection.
Kyle Johnson is technology editor for Informa TechTarget's SearchSecurity site.