Ransomware is a significant threat that organizations are facing today, and it continues to evolve as threat actors refine their techniques. Recent developments include tweaks to ransomware-as-a-service models, the adoption of new programming languages, changes in targeting and deployment methods, and attacks being launched outside of regular business hours to hinder detection and response efforts. One notable development is the increase in remote ransomware attacks, where an organization’s domain architecture is leveraged to encrypt data on managed domain-joined machines. Our telemetry shows a 62% year-on-year increase in intentional remote encryption attacks since 2022, and Microsoft’s 2023 Digital Defense Report states that 60% of human-operated ransomware attacks involve remote encryption. Ransomware families known to support remote encryption include Akira, ALPHV/BlackCat, BlackMatter, LockBit, and Royal.
The rise of ransomware has led to extensive research aimed at detecting and preventing it. Various solutions proposed by academics, security researchers, and vendors target ransomware’s distinct behavioral traits, such as enumerating filesystems, accessing and encrypting files, and generating ransom notes. Some solutions apply common anti-malware techniques to ransomware. This article provides an overview of these techniques and their advantages and disadvantages, with a focus on a solution called CryptoGuard.
Static solutions for ransomware detection are similar to those used for detecting other types of malware. They include signature matching, comparison of file operations, examination of behavioral traits, deep learning techniques, and inspection of PE headers. While static methods are relatively rapid and low-cost, determined attackers can evade them by modifying code. They are also less effective against new variants, packers, obfuscators, and remote ransomware.
Dynamic solutions tend to offer greater coverage but are more computationally expensive. They include monitoring filesystem interactions, leveraging folder shielding techniques, assessing API calls invoked by processes, using honeyfiles as decoy files, and fingerprinting malicious patterns in network traffic or CPU signals. Each of these techniques has its advantages and disadvantages, and they may not be effective against all types of ransomware.
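The following is an added example, not code from the article or from CryptoGuard, showing how two of the dynamic techniques above (monitoring filesystem writes for encryption-like content, and honeyfiles) can be combined so that they also cover the remote-encryption case described at the top of the page. It assumes a hypothetical event source (a filesystem driver or audit log) that reports each write together with the writer's identity, where the identity of a write arriving over SMB is the remote peer rather than a local process; the honeyfile path, the entropy threshold and the file-count limit are constructed assumptions, and the "ciphertext" is a deterministic stand-in.

```python
import hashlib
import math
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional

# Constructed event model (assumption): one record per write, with the writer
# identified as a local process image or as "smb:<peer>" for a remote SMB session.
@dataclass(frozen=True)
class WriteEvent:
    source: str   # local process name, or "smb:<peer address>" for a remote writer
    path: str     # target file path
    data: bytes   # bytes being written

@dataclass(frozen=True)
class Alert:
    source: str
    reason: str
    paths: tuple

# Hypothetical decoy file; a real deployment would seed several per share.
HONEYFILES = {r"\\fs01\finance\q3_budget_DO_NOT_MODIFY.xlsx".lower()}

# Formats that are compressed or encrypted by design and legitimately look random,
# so a high-entropy write to them is not evidence of encryption.
HIGH_ENTROPY_EXTENSIONS = (".zip", ".7z", ".gz", ".png", ".jpg", ".mp4")

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 .. 8.0) of the buffer being written."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)

class EncryptionDetector:
    """Flags a writer (local process or remote SMB peer) that overwrites many
    normally low-entropy documents with random-looking data, or touches a decoy."""

    def __init__(self, entropy_threshold: float = 7.2, file_limit: int = 5):
        self.entropy_threshold = entropy_threshold   # assumed threshold
        self.file_limit = file_limit                 # assumed distinct-file limit
        self._suspect_paths = defaultdict(set)       # writer -> suspicious paths
        self._alerted = set()

    def observe(self, ev: WriteEvent) -> Optional[Alert]:
        path = ev.path.lower()
        if path in HONEYFILES:
            # Nothing legitimate writes a decoy: alert on the first touch.
            return Alert(ev.source, "honeyfile write", (path,))
        if path.endswith(HIGH_ENTROPY_EXTENSIONS):
            return None   # random-looking content is expected for these formats
        if shannon_entropy(ev.data) < self.entropy_threshold:
            return None   # plain document content, nothing to record
        paths = self._suspect_paths[ev.source]
        paths.add(path)
        if len(paths) >= self.file_limit and ev.source not in self._alerted:
            self._alerted.add(ev.source)
            return Alert(ev.source, "bulk high-entropy overwrite", tuple(sorted(paths)))
        return None

def random_looking(n: int, seed: bytes) -> bytes:
    """Deterministic stand-in for ciphertext: chained SHA-256 blocks (constructed)."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]

def run_demo() -> List[Alert]:
    """Replays a constructed mix of benign and malicious writes; returns the alerts raised."""
    det = EncryptionDetector()
    events = []
    # Benign: a local editor saving plain text to the share.
    for i in range(10):
        events.append(WriteEvent("winword.exe", rf"\\fs01\finance\notes{i}.txt",
                                 b"Quarterly notes, line %d\n" % i * 40))
    # Benign: a backup tool writing a compressed archive (high entropy, but expected).
    events.append(WriteEvent("backup.exe", r"\\fs01\finance\archive.zip",
                             random_looking(4096, b"zip")))
    # Malicious pattern: a remote peer rewriting documents over SMB; no encrypting
    # process ever runs on the file server, so only the writer identity is visible.
    for i in range(6):
        events.append(WriteEvent("smb:10.0.0.77", rf"\\fs01\finance\contract{i}.docx",
                                 random_looking(4096, b"ct%d" % i)))
    # ...until it reaches the decoy file.
    events.append(WriteEvent("smb:10.0.0.77", r"\\fs01\finance\q3_budget_DO_NOT_MODIFY.xlsx",
                             random_looking(4096, b"decoy")))
    return [a for a in (det.observe(e) for e in events) if a]
```

Two design points matter here. Entropy on its own misclassifies archives and media, so the check is paired with an extension allowlist and a per-writer file count rather than firing on a single write. Keying the count on the writer identity, including the SMB peer, is what makes remote encryption visible at all: on the file server there is no malicious process to inspect, only a stream of writes from a domain-joined machine, which is exactly the blind spot that process-centric static and API-call detection misses.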
Automated telemetry-driven containment is another approach to combat ransomware. Modern endpoint protection solutions transmit data to the cloud for incident response and alert analysis. By analyzing telemetry data, these solutions can automatically contain and respond to active human-led ransomware attacks. However, piecing together the details of an ongoing attack from telemetry data can be time-consuming.
In conclusion, ransomware is a significant threat to organizations, and battling it is a challenging task due to the evolving techniques used by threat actors. Various solutions have been proposed to detect and prevent ransomware, targeting its distinct behavioral traits or applying common anti-malware techniques. Each solution has its advantages and disadvantages, and organizations should consider multiple layers of protection to stop attacks at various points. When all else fails, automated telemetry-driven containment solutions can help respond to active ransomware attacks.