Detecting ransomware attacks is better than dealing with their consequences—downtime, reputational damage, and others. As experts in data protection, we’d like to share our insight into ransomware detection methods.
In this article, we’ll look at three ransomware detection techniques, their features and try to determine the best one.
Table of Contents
Three Major Ransomware Detection Techniques
There are three main detection techniques: by signature, by traffic analytics, and by file behavior. Let’s take a look at them and their properties.
Detection By Signature
Detecting ransomware by signature is a common technique used by many antivirus solutions. But what is a signature? To put it simply, a signature is a part of its code that can be used to identify a specific ransomware strain (e.g., Ryuk, Sodinokibi, and others).
The signature allows security software to detect and stop an attack quickly. Though useful in detecting old ransomware strains, this method will not protect you against modern attacks. Why? Detection by signature is one step behind ransomware by design. Let’s take a look at the whole process to understand it better.
Software utilizing this method needs constant updates. An update requires that a strain is found and examined. By the time an update is made, new ransomware modifications will appear. By the time security specialists examine these modifications, hackers create newer ones, and the circle starts again.
Time is not the only issue reducing the efficiency of by-signature detection. Using the Ransomware-as-a-Service model, bots can alter signatures to target specific organizations. This allows creating a highly-customizable ransomware version that will easily bypass the signature-based detection systems.
Detection By Abnormal Traffic
The next method is detection using traffic analysis. This method’s core idea is to examine data traffic and its elements (timestamp, volume, etc.) to find abnormalities.
If an algorithm detects abnormal traffic patterns that may indicate a ransomware attack, access to a targeted account(s) will be locked. Compared to signature-based solutions, this method doesn’t require “knowing” a signature. In other words, analyzing traffic allows you to detect modified ransomware attacks.
The main drawback of solutions using this method is a high false positive rate. If a false positive response happens, and a solution blocks C-level accounts, the downtime will be costly.
Detection By Data Behavior
Monitoring data behavior is the third ransomware detection method. The main idea of this technique is monitoring file executions to identify abnormalities. Behavior-based solutions execute the file and monitor its actions for malicious behavior such as overwriting DLL files or encrypting emails.
What makes this method stand out? Compared to the signature-based approach, a signature is not required. Compared to the traffic-based process, this method’s advantage is that it doesn’t need to block an account if malicious activity is spotted.
The downside of this method is that files need to be executed incorrectly for some time to confirm the attack. In practice, it means that several percent of data within a system becomes encrypted before security algorithms respond.
What Is the Best Technique?
Before answering this question, let’s visualize some of the core ideas about the ransomware detection software and techniques within this table.
|Detection by Signature||Detection by Traffic||Detection by File Behavior|
|Applied in||The majority of antivirus software||Traffic analytics solutions (GREYCORTEX MENDEL, Cisco ETA)||Some antivirus (Carbon Black) and data protection software (SpinOne)|
|Pros||Fast and widely available||Detects modified ransomware||Detects modified ransomware|
|Cons||Inability to detect modified ransomware||High false positive||Detection takes some time|
Summing up the pros and cons of the three techniques:
- Traditional signature-based techniques detect only well-known ransomware. They won’t protect your data from recent ransomware strains or targeted attacks.
- Traffic analytics helps to detect modern ransomware strains, yet this method has a high false positive rate, which may cause downtime and, accordingly, the disruption of business operations.
- Detection by file behavior is accurate and detects even the most recent ransomware strains. However, an attack is detected only after some files are encrypted.
“If all of them have downsides, is there a best detection technique?” you may ask. In our opinion, ransomware detection by file behavior is the best technique. Here’s why:
- This technique stops even the most modern ransomware strains and targeted attacks.
- The protected data won’t be locked due to a high false positive rate.
- The downside can be complemented with a backup. With a backup, you can restore encrypted files.
By combining the innovative behavior-based method with a backup, we’ve created a reliable ransomware protection solution for Google Workspace (G Suite) and Microsoft Office 365. Contrary to detection-only antivirus solutions that can identify and alert, we created a fully automated end-to-end protection solution.
Our solution automatically detects, stops, and recovers your data from a ransomware attack. How? You can find out in our next article.