Home»App Security»Ransomware Detection Techniques: Which One Is The Best?

Ransomware Detection Techniques: Which One Is The Best?

ransomware detection methods

Detecting ransomware attacks is better than dealing with their consequences—downtime, reputational damage, and others. As experts in data protection, we’d like to share our insight into ransomware detection methods.

In this article, we’ll look at three ransomware detection techniques, their features and try to determine the best one.

Three Major Ransomware Detection Techniques

There are three main threat detection techniques: by signature, by traffic analytics, and by file behavior. Let’s take a look at them and their properties.

Detection By Signature

Detecting ransomware by signature is a common technique used by many antivirus solutions. But what is a signature? To put it simply, a signature is a part of its code that can be used to identify a specific ransomware strain (e.g., Ryuk, Sodinokibi, and others).

The signature allows security software to detect and stop an attack quickly. Though useful in detecting old ransomware strains, this method will not protect against ransomware of more modern types. Why?

Detection by signature is one step behind ransomware by design. Let’s take a look at the whole process to understand it better.

Software utilizing this method needs constant updates. An update requires that a strain is found and examined. By the time an update is made, new ransomware modifications will appear. By the time security specialists examine these modifications, hackers create newer ones, and the circle starts again.

Time is not the only issue reducing the efficiency of by-signature detection. Using the Ransomware-as-a-Service model, bots can alter signatures to target specific organizations. This allows creating a highly-customizable ransomware version that will easily bypass the signature-based detection systems.

Detection By Abnormal Traffic

The next method is detection using traffic analysis. This method’s core idea is to examine data traffic and its elements (timestamp, volume, etc.) to find abnormalities.

If an algorithm detects abnormal traffic patterns that may indicate a ransomware attack, access to a targeted account(s) will be locked. Compared to signature-based solutions, this method doesn’t require “knowing” a signature. In other words, analyzing traffic allows you to detect modified ransomware attacks.

The main drawback of solutions using this method is a high false positive rate. If a false positive response happens, and a solution blocks C-level accounts, the downtime will be costly.

Detection By Data Behavior

Monitoring data behavior is the third ransomware detection method. The main idea of this technique is to monitor file executions to identify abnormalities. Behavior-based solutions execute the file and monitor its actions for malicious behavior such as overwriting DLL files or encrypting emails.

What makes this method stand out? Compared to the signature-based approach, a signature is not required. Compared to the traffic-based process, this method’s advantage is that it doesn’t need to block an account if malicious activity is spotted.

The downside of this method is that files need to be executed incorrectly for some time to confirm the attack. In practice, it means that several percent of data within a system becomes encrypted before security algorithms respond.

What Is the Best Technique?

Before answering this question, let’s visualize some of the core ideas about ransomware detection software and techniques within this table.

Detection by SignatureDetection by TrafficDetection by File Behavior
Applied inThe majority of antivirus softwareTraffic analytics solutions (GREYCORTEX MENDEL, Cisco ETA)Some antivirus (Carbon Black) and data protection software (SpinOne)
ProsFast and widely availableDetects modified ransomwareDetects modified ransomware
ConsInability to detect modified ransomwareHigh false positiveDetection takes some time


Summing up the pros and cons of the three techniques:

  • Traditional signature-based techniques detect only well-known ransomware. They won’t protect your data from recent ransomware strains or targeted attacks.
  • Traffic analytics can detect modern ransomware strains. However, this method often has a high false positive rate. This can lead to system downtime, disrupting business operations.
  • Detection by file behavior is accurate and detects even the most recent ransomware strains. However, an attack is detected only after some files are encrypted.

“If all of them have downsides, you may ask, is there a single best threat detection technique?” In our opinion, ransomware detection by file behavior is the best technique. Here’s why:

  • This technique stops even the most modern ransomware strains and targeted attacks.
  • The protected data won’t be locked due to a high false positive rate.
  • The downside can be complemented with a backup. With a backup, you can restore encrypted files.

By combining the innovative behavior-based method with a backup, we’ve created a reliable ransomware protection solution for Google Workspace (G Suite) and Microsoft Office 365. Contrary to detection-only antivirus solutions that can identify and alert, we created a fully automated end-to-end protection solution.

Our solution automatically detects, stops, and recovers your data from a ransomware attack. How? You can find out in our next article.

Read next: How does SpinOne protect your cloud files against ransomware?

Courtney Courtney Ostermann Chief Marketing Officer
About Author

Courtney Ostermann is the Chief Marketing Officer at Spin.AI, responsible for the global marketing program focused on driving brand awareness and revenue growth.

Previously, Courtney served as the Vice President of Corporate and Demand Marketing at PerimeterX, where she helped accelerate revenue and supported its acquisition by HUMAN Security.

She was also the Vice President of Corporate Marketing at PagerDuty, where she assisted with the company’s IPO, and has held marketing leadership roles at organizations such as Imperva, BMC Software, Oracle, and Saba Software. Courtney resides in the Bay Area and is a graduate of Colgate University. She is also a Board member at Lycee Francais de San Francisco.

In her spare time, she can be found standup paddling, wingfoiling, mountain biking, hiking, snowshoeing, and cross-country skiing.

Featured Work: