Hidden Pattern Recognition (HPR) - Generic and Agnostic Ransomware Detection
Ransomware is on the rise, with a new spike every year in the number of reported incidents and the amount that cyber hackers are attempting to extort from organizations. Ransomware attacks are not only increasing in frequency, but they are also becoming more sophisticated and complex. Specifically, ransomware is becoming a popular attack vector and effectively shutting down critical infrastructure networks one after the other.
According to a Forrester report, ransomware attacks on organizations have been up 500% over the past year, costing businesses $11.5 billion and losing customer/partner loyalty and trust.
Current ransomware detection tools are based on agents running on the computer hosts, looking for specific signatures of attacks. Unfortunately, bad actors are constantly creating new types of attacks, sometimes even with only slight variations of the previously known attack, to be unnoticed by these already known signatures, taking advantage of the naive rule-based paradigm used by existing tools to check activities versus an array of known signatures Thus, the attackers keep winning in this constant race between the defenders and attackers.
Not anymore.
Cynamics Hidden Pattern Recognition (HPR) technology can detect ransomware attacks in a completely generic and agnostic manner.
How? By monitoring the network traffic between the users and file servers, backup servers, and predicting unusual network behaviors.
The idea is that in any organization, there are several types of users and processes, e.g.:
Active users who interact more with files, such as creating new files, modifying existing files, etc., for example, the finance department.
Passive users with very few interactions with files, for example, the software developers, may only modify a few files in a workday and mainly perform actions in their dedicated software tools.
Backup: periodic procedure happening daily, weekly and monthly, consisting of checking which files were modified and creating a copy of them.
Consider the “file-access” pattern. While in normal times, this pattern will be consisted of the above types of users and processes, in a ransomware attack, it will be significantly unusual: no matter what malware or what specific ransom technique is used. In the end, the ransomware lifecycle can be described as the following:
Ransom installation to a specific host: for example, by prompting a user to open an allegedly legitimate email attachment.
Ransom propagation to other hosts: for example, in the Wannacry attack, the ransomware was propagating by exploiting a specific vulnerability in windows servers’ SMB1 protocol, which was open by default in old server versions. The malware easily propagates through the compromised network by exploiting this open port.
Waiting for a specific time to attack, either per-configured or from a C&C activation.
Attacking: all infected hosts are beginning to access all their files from the file servers, encrypting them and saving them as encrypted.
The entire flow is generic in terms of Cynamics HPR and thus entirely agnostic for the malware, ransom type, and characteristics. As well as robust from variations and changes to the attack that may cause current rule-based tools not to detect the attack.
Reach out to us today and get ready for the future.