AI: Microsoft unveils its recipe for fighting ransomware


Ransomware is one of the most prolific and vicious digital threats on the web today. Ransomware families – Locky, WannaCry, NotPetya, Cerber and others – keep making headlines. These families lock the infected systems and then demand payment in exchange for the decryption key, which may or may not restore access to the encrypted files.

Ransomware as a service (RaaS) has also grown in popularity among cybercriminals. RaaS lets criminals buy access to ready-made ransomware for their own campaigns, whether they are targeting the masses or going after big-game companies.

According to the Microsoft 365 Defender research team, human-operated ransomware campaigns are complex and multi-faceted, which makes early detection very difficult, especially as the campaigns continue to evolve.

AI to counter ransomware

In a blog post published on Tuesday, the American giant’s teams describe how they are exploring “new ways” to apply AI to an “increasingly complex threat landscape”. Using AI enhancements in the Microsoft Defender for Endpoint platform, they aim to disrupt ransomware attacks as early as possible. They do this with a technique called “early incrimination”, which uses machine learning to infer “malicious intent” from files, processes, user accounts and devices.

Indicators of a human-operated ransomware campaign may include suspicious activity on user accounts: for example, a cybercriminal buys stolen credentials and begins to poke around the network, cataloging files and processes as they go, or testing the privileges the account holds.

Attackers may also move through the network outside the usual business activity associated with an account, for instance logging on to machines that account never touches or working outside business hours. In the final step, of course, the encryption payload is run.

Prevent and cure

Microsoft’s AI allows the American giant to generate a risk score to determine if an entity is involved in an active ransomware attack. To arrive at this score, it relies on:

  • temporal and statistical analysis of security alerts at the organization level;
  • graph-based aggregation of suspicious events across devices;
  • device monitoring to report suspicious activity.

By correlating these data sets, Defender can detect patterns and connections that might otherwise be overlooked. If a high enough confidence level is reached, the files and entities involved in the ransomware operation are automatically blocked. The results are in: in tests, Defender was able to detect and stop a ransomware attack in the early stage of encryption, when files had been encrypted on less than 4% of the organization’s devices.
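To make the two ideas above concrete (the account-level indicators of a human-operated intrusion, and a risk score that combines temporal bursts of alerts with a cross-device entity graph), here is an added, self-contained illustration. It is not Microsoft’s code and not the Defender for Endpoint algorithm: the alert sample is constructed, and the stage weights, two-hour window, business-hours range and blocking threshold are assumptions chosen for the demonstration.

```python
"""Added illustration: correlate constructed endpoint alerts into an
account->device graph and derive a risk score for each account.
Not Microsoft's algorithm; weights and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts (not real telemetry): (time, device, account, alert type).
# corp\jdoe shows a stolen-credential pattern: credential tooling, privilege
# checks, file cataloging and lateral movement across three hosts at 02:00,
# ending in a mass rename that looks like the start of encryption.
ALERTS = [
    ("2023-05-01T02:10:00", "WS01", "corp\\jdoe", "credential_theft_tool"),
    ("2023-05-01T02:14:00", "WS01", "corp\\jdoe", "privilege_enumeration"),
    ("2023-05-01T02:21:00", "FS01", "corp\\jdoe", "lateral_movement"),
    ("2023-05-01T02:25:00", "FS01", "corp\\jdoe", "file_enumeration"),
    ("2023-05-01T02:40:00", "WS07", "corp\\jdoe", "lateral_movement"),
    ("2023-05-01T02:45:00", "WS07", "corp\\jdoe", "mass_file_rename"),
    # An isolated daytime alert on one host: noisy, but not an intrusion chain.
    ("2023-05-01T10:05:00", "WS12", "corp\\asmith", "privilege_enumeration"),
]

# Assumed weights: later kill-chain stages count more than reconnaissance.
STAGE_WEIGHT = {
    "credential_theft_tool": 2,
    "privilege_enumeration": 1,
    "file_enumeration": 1,
    "lateral_movement": 3,
    "mass_file_rename": 5,
}
BUSINESS_HOURS = range(8, 19)   # assumption: 08:00-18:59 local time
WINDOW = timedelta(hours=2)     # assumption: burst window for temporal analysis
BLOCK_THRESHOLD = 10            # assumption: score at which the account is blocked


def parse(alert):
    ts, device, account, kind = alert
    return datetime.fromisoformat(ts), device, account, kind


def build_graph(alerts):
    """Entity graph: each account maps to the set of devices it raised alerts on,
    plus a time-sorted per-account timeline of (time, device, kind)."""
    edges = defaultdict(set)
    timeline = defaultdict(list)
    for ts, device, account, kind in map(parse, alerts):
        edges[account].add(device)
        timeline[account].append((ts, device, kind))
    for account in timeline:
        timeline[account].sort()
    return edges, timeline


def risk_score(account, edges, timeline):
    events = timeline[account]
    # Temporal analysis: heaviest weighted burst of alerts inside a sliding WINDOW.
    burst_score = 0
    for i, (t0, _, _) in enumerate(events):
        burst = [e for e in events[i:] if e[0] - t0 <= WINDOW]
        burst_score = max(burst_score, sum(STAGE_WEIGHT.get(k, 0) for _, _, k in burst))
    # Graph aggregation: an account touching many devices is more suspicious.
    breadth_score = 2 * (len(edges[account]) - 1)
    # Activity outside the account's normal business hours adds one point per alert.
    off_hours_score = sum(1 for t, _, _ in events if t.hour not in BUSINESS_HOURS)
    return burst_score + breadth_score + off_hours_score


def incriminate(alerts):
    """Return per-account verdicts: score, devices involved, and block decision."""
    edges, timeline = build_graph(alerts)
    verdicts = {}
    for account in timeline:
        score = risk_score(account, edges, timeline)
        verdicts[account] = {
            "score": score,
            "devices": sorted(edges[account]),
            "block": score >= BLOCK_THRESHOLD,
        }
    return verdicts


if __name__ == "__main__":
    for account, verdict in incriminate(ALERTS).items():
        action = "BLOCK" if verdict["block"] else "monitor"
        print(f"{account}: score={verdict['score']} devices={verdict['devices']} -> {action}")
```

The point of the example is that no single alert is decisive: a privilege check on one workstation scores 1 and is merely monitored, whereas the same check chained with credential tooling, lateral movement and a mass rename across three hosts in 35 minutes, all at 02:00, crosses the threshold and the account is blocked before the rename spreads further. A production system would of course also weigh the risk of false positives before auto-blocking an account.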

“With its enhanced AI-based detection capabilities, Defender for Endpoint successfully detected and incriminated a ransomware attack early in its encryption phase, when attackers had encrypted files on less than four percent (4%) of the organization’s devices, which demonstrates a better ability to interrupt an attack and protect the organization’s remaining devices.”

Source: ZDNet.com