Ransomware Detection Part 1: What Is Ransomware Detection?
Ransomware has become an increasingly prevalent threat for today’s businesses. While ransomware resilience efforts focus mostly on prevention and response, the ability to detect ransomware early is just as crucial. Early detection helps you determine the point of impact.
Using early detection to protect your IT infrastructure against ransomware is much like guarding a bank vault. At a bank, there are security guards who periodically patrol the area as well as security cameras, which are periodically viewed to monitor any suspicious activity. These typical prevention and response techniques are based on a periodic basis schedule which can provide some insight to a bank robber and sometimes mitigate a robbery.
But what if a robber could bypass these security measures and gain access to the vault? It would be ideal to detect the robber’s activity as soon as they enter the vault before they can steal anything. This is where early detection techniques come into play.
Early Detection Is Crucial for Securing Your Business
Just like detecting a robber’s activity in the vault is crucial for securing a bank’s assets, detecting ransomware early is crucial for securing your business. The earlier you detect ransomware, the earlier you can take action to stop it and prevent asset loss and downtime.
Ransomware detection sits between prevention and response—it’s the first line of defense. Since attackers use various evasion techniques to bypass detection, countering with multiple detection techniques is essential to identify ransomware before it damages your environment.
Each detection technique has pros and cons. Below, we’ll examine several common detection techniques, along with their respective advantages and disadvantages. Often, businesses combine multiple detection techniques to find an approach that best fits their needs.
Static File Analysis
When a vague alert is triggered on a server, static file analysis is an option. This method analyzes executable files for suspicious sequences of code without executing the code. For ransomware, static file analysis searches for known malicious code sequences, commonly targeted file extensions, and frequently used words in ransom notes. Although this method is effective against known ransomware with a low false-positive rate, it can be time consuming if conducted manually. It can also be easily bypassed using packers/crypters or by replacing characters with digits or special characters.
Common File Extensions Blacklist
Another detection approach is to blacklist well-known ransomware extensions using file access monitoring tools. These tools can block specific extensions, such as the WannaCry ransomware (.wncry), from being saved or shared. This method is effective against common ransomware, has a low false-positive rate, and does not cause any damage. However, ransomware can easily bypass it by using a new extension. Finding a file-monitoring solution that has an extension blacklist feature can also be challenging.
Honeypot Files and Deception Techniques
A honeypot file is a fake file placed in a shared folder or location to detect an attacker. When the file is accessed, an alarm is triggered. Honeypot files are easy to create with free open-source tools that embed a unique identifier into a document. However, this method has some false positives, as legitimate programs and users may touch the bait files. And if ransomware does successfully attack parts of your system without touching the honeypot files, your files will be encrypted by the attack with no alerting until the decoy files are trigger and alarm. In addition, if attackers detect a honeypot they can choose to bypass the bait files and target other files and systems.
Dynamic Monitoring of Mass File Operations
Monitoring the file system for mass file operations such as rename, write, or delete within a specific time frame can help detect a ransomware attack in real time. A file integrity monitoring tool can compare the latest version of files to a known, trusted baseline and alert you when files have been altered, updated, or compromised. This technique can potentially block a ransomware attack automatically, depending on your solution. However, ransomware that encrypts files slowly over time can evade this method.
Multiple Detection Techniques Is Key
Just as a bank relies on no single security method, there is no one-size-fits-all solution for ransomware detection. Businesses must employ multiple detection techniques for the earliest detection and quickest recovery times, reducing the impact ransomware has on their organizations.
Some data protection vendors are making this journey easier by specifically delivering ransomware resilience. Zerto, a Hewlett Packard Enterprise company, is at the forefront of the industry with early ransomware detection and a new Cyber Resilience Vault. In part 2 of our blog, we will investigate how data protection vendors deliver ransomware detection, including the unique capabilities that Zerto brings to the table.
For more information on how Zerto can help with your ransomware resilience strategy, check out the full Zerto 10 launch announcement page.
Otherwise, keep on improving your knowledge about ransomware resilience with our Ransomware Recovery Guide!
Andrew Silva 
