Predicting Ransomware Installation from Akamai IPs
Is it possible to predict a Ransomware attack without running an agent on the endpoint?
Cynamics' unique AI-based threat prediction technology provides several layers of ransomware prediction. One of them is predicting ransomware installation, i.e., the moment at which a host is infected for the first time and becomes a 'time bomb'.
Cynamics' approach is completely agnostic to the malware and ransom type and characteristics, and it is robust to variations and changes in the attack that may cause current rule-based tools to miss it.
Just this week, we detected two such installations on internal workstations; both attempts tried to hide behind seemingly legitimate downloads from Akamai-associated IPs located in the US.
The concern with content delivery providers like Akamai is that anyone can be hosted behind their servers, so sophisticated attackers take advantage of Akamai to present themselves from US IPs rather than from geographically disallowed IPs, which lets them pass through the firewall without raising suspicion.
The IT director of a mid-size hospital chain in North America told Cynamics:
“This internal IP is being used by our design team. After receiving the alert, we immediately disconnected it and checked with the user, who confirmed browsing the web looking for some software and suddenly noticing files being downloaded to his computer. Thanks to Cynamics we were able to mitigate this; we didn’t receive any alert from our other solutions.”
As industry reports show, Ransomware-as-a-Service offerings by bad actors are increasing, and their techniques are becoming more advanced and sophisticated, frequently surpassing existing endpoint protection tools. One of Cynamics' advantages is being non-intrusive and not increasing the attack surface, while still providing a wide range of agnostic threat predictions.