Try as they might, organizations can't avoid ransomware forever. Eventually, attackers will get into their systems. The goal then becomes detecting ransomware before it encrypts and exfiltrates business-critical data.
"The world has clearly recognized we cannot prevent every attack from happening," said Dave Gruber, analyst at TechTarget's Enterprise Strategy Group. "The adversary is going to compromise our systems; they're going to get in. The race is to detect and stop attackers before anything happens."
When ransomware gets onto a network, it can cause serious damage, affecting the bottom line and the company's image. By the time security teams see ransom demands, damage is done.
Prevention is critical in the battle against ransomware. But, as Allie Mellen, analyst at Forrester, pointed out, detection and response activities add a layer of protection, especially when it comes to preventing ransomware from moving laterally in a system.
Ransomware detection involves using a mix of automation and malware analysis to discover malicious files early in the kill chain. But malware isn't always easy to find. Adversaries often hide ransomware within legitimate software, such as PowerShell scripts, VBScript, Mimikatz and PsExec, to escape detection.
"The ultimate goal is to detect malicious activity, not necessarily to detect malware. The detection and analysis process is often assembling a series of what might be suspicious activities to determine whether anything malicious is actually happening," Gruber said.
To get started, let's look at ransomware detection techniques, which fall into three main types: signature-based, behavior-based or deception-based detection.
1. Signature-based detection
Signature-based ransomware detection compares a ransomware sample hash to known signatures. It provides quick static analysis of files in an environment. Security platforms and antivirus software capture data from within an executable to determine the likelihood that it is ransomware versus an authorized executable. Most antivirus software takes this step when scanning for malware.
Security teams can also use the Windows PowerShell cmdlet Get-FileHash or open source intelligence tools, such as VirusTotal, to get a file's hash. With current hashing algorithms, security professionals can compare a file's hash to known malware samples. Security teams can then use antivirus and antimalware tools to blocklist specific file types. This prevents users from inadvertently downloading malware via email or the web.
Signature-based ransomware detection techniques are a first level of defense. While useful at finding known threats, signature-based methods cannot always identify newer malware.
Attackers update their malware files frequently to avoid detection. Adding a single byte to a file creates a new hash, decreasing the malware's detectability. In 2022, network security company SonicWall discovered 465,501 never-before-seen malware variants, according to its "2023 Cyber Threat Report."
Despite this, signature-based detection is useful to identify older ransomware samples and known-good files, said Mario de Boer, managing vice president at Gartner. It also provides protection from ransomware campaigns that are general, rather than targeted, he said.
2. Behavior-based detection
Behavior-based ransomware detection methods compare new behaviors against historical data to help security professionals and tools look for indicators of compromise. For example, these methods can detect if someone is accessing a company desktop remotely from another state when the employee logged in from the office that same day.
Behavior-based detection includes the following steps:
- Measuring file system changes. Security teams should look for abnormal file executions, such as an overabundance of file renames. A few happen in a normal workday, but hundreds within a short amount of time raise red flags. Ransomware can stay hidden in systems for a while before executing, so security teams should also look for the creation of a file with larger entropy than an original file, as well as the enumeration and encryption of files.
- Looking for abnormal traffic. Security teams should examine traffic for anomalies, such as whether any software is connecting to suspicious file-sharing sites, and the time of such actions. Teams should also check whether the volume of traffic has recently increased and where it's going. Ransomware requires network connectivity to off-site servers to receive command-and-control instructions and to exchange decryption keys. Note that, while useful, this detection method can yield false positives and requires analysis time. Attackers might also use legitimate file-sharing sites that are allowlisted by the infected company, enabling them to fly under the radar.
- Examining API calls. Security teams should examine API calls to know what commands files execute and whether any are suspicious. For example, spyware and keyloggers use GetWindowDC to capture information from an entire window or IsDebuggerPresent to detect if a debugger is active on a system. Another ransomware ploy is to use GetTickCount to determine how long a system has been on, to the millisecond. A short period of time could indicate the ransomware is in a VM, and therefore, it won't execute any malicious actions.
3. Deception-based detection
Deception-based ransomware detection techniques involve tricking adversaries while they search for data to encrypt or exfiltrate within the organization's system. Security teams use deception techniques to fool malicious attackers into interacting with fake assets in the network. Legitimate users won't touch these false assets, giving security teams a reliable indicator of suspicious activity. Security teams can deploy decoys, including honeynets, honeypots and honey tokens, and ignore them unless an alert is logged. The following are some characteristics of these types of decoys:
- Honeynets are networks of honeypots and honey tokens.
- Honeypots are any intentionally vulnerable network-attached systems, such as a computer, VM, application, file repository or server.
- Honey tokens are individual files, email addresses or user accounts used to attract attackers.
Take a layered anti-ransomware approach
Using multiple ransomware detection techniques together offers security teams a better chance to detect and monitor a ransomware attack -- and isolate it before it gets too far into a system.
"As modern attacks are becoming complex and easily bypass basic techniques, it is evident no single technique can address all use cases," de Boer said.
Organizations need to do more than just install and run antivirus software. Alongside a combination of ransomware detection techniques, security teams should also look for attacks entering through the front door. Insider threats, such as credential reuse and social engineering, can enable adversaries to access a system.
Organizations need to take ransomware seriously. Ransomware payments have nearly doubled in 2023 over 2022, up to more than $1.5 million from $812,380, according to Sophos' "State of Ransomware 2023" report.
Use best practices to train employees about the ransomware risks, and teach infosec professionals the Mitre ATT&CK framework, which includes information on adversary tactics, techniques and procedures. With this knowledge, security teams can determine the organization's strengths and weaknesses and improve system security accordingly.