Search and Destroy: 3 Methods of Detecting Ransomware Attacks


Tech Insights for Professionals: The latest thought leadership for IT pros

Thursday, July 14, 2022

Could you spot ransomware attacks once they've reached your network? Here are a few detection techniques for hunting down these threats before they have a chance to do damage.


Ransomware is one of the fastest-growing security threats facing businesses today. According to Sophos, two-thirds of organizations were subject to a ransomware attack in 2021. Attacks aren't only growing more frequent, but also more expensive, with the average cost of recovering from the most recent ransomware attack in 2021 hitting $1.4 million.

Therefore, you must have specific plans in place for dealing with these attacks, and a big part of this is being able to identify and neutralize any threats as early as possible.

The consequences of failing to stop ransomware

If the first you learn of a ransomware attack is when you come into the office and can't log on to your PC, or you open up an email demanding payment, it's already too late.

Once data is encrypted, there are very few options open to you. If you've got backups, you can try restoring them and carrying on, and hope you haven't lost too much information. In some cases, decryption keys have been made publicly available to assist companies with retrieving data. Otherwise, businesses may feel they have to pay up in order to restore operations - a route that comes with its own range of risks, from ransomware authors failing to fully decrypt data to the enterprise being seen as a lucrative target for future attacks.

Other likely long-term consequences of falling victim to ransomware may include the potential for reputational damage, regulatory action, and lost business. For instance, if you refuse to give in to an extortion demand and see sensitive information such as customer details published, it can hugely damage trust in your business.

It's clear that prevention is a much better option than cure, but even if your first line of defense fails and ransomware does enter your network, all is not lost. With the right tools, you may still be able to detect an attack in progress and shut it down before the damage is done.

3 techniques to detect an in-progress ransomware attack

There are a few ways to spot ransomware within your network, but all of them depend on having the right monitoring and data-breach prevention tools in place. With those technologies, you can hunt down ransomware attacks in progress and destroy them. Here are three ransomware detection techniques.

1. Signature-based detection

One tried and tested way of spotting malware is to use signature-based ransomware detection, which looks at samples of an executable file's code for telltale signs that match those of known ransomware variants.

This is usually done as part of routine antimalware scanning, so this technique can be effective at stopping attacks quickly at the point they enter the network. However, the downside of this method is that it can only spot known ransomware, so you're still left vulnerable to new, as-yet-unidentified strains.

While it's still an essential first line of defense and will block many older malware types early, you shouldn't be relying solely on this, as new variants are emerging all the time and signature-based detection methods will always be reactive by their nature.
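To make the strengths and limits of signature matching concrete, here is an added example (not code from the article or from any product it mentions) of a minimal scanner that combines the two signature types a routine antimalware scan relies on: exact file hashes and byte patterns lifted from a known family's code. The "known bad" sample and both signatures are constructed for the demonstration and correspond to no real ransomware; the point it makes is the one the text makes, namely that a hash signature misses a one-byte variant while a pattern may still catch it, and that a genuinely new strain defeats both.

```python
"""Minimal signature scanner: SHA-256 denylist plus byte-pattern rules.

All indicators below are CONSTRUCTED for illustration; none are real.
"""
import hashlib
import re

# Constructed stand-in for a known ransomware binary captured earlier.
KNOWN_BAD_SAMPLE = b"MZ\x90\x00demo-encryptor-v1 drop .locked extension"

# Hash signatures: in practice this set is fed by an AV or threat-intel feed.
KNOWN_BAD_SHA256 = {
    hashlib.sha256(KNOWN_BAD_SAMPLE).hexdigest(): "Demo.Encryptor.A (constructed)",
}

# Byte-pattern signatures (name, regex over raw bytes). Constructed.
PATTERN_SIGNATURES = [
    ("Demo.Encryptor.A (constructed)", re.compile(rb"demo-encryptor-v\d+")),
    ("Demo.Encryptor.note (constructed)",
     re.compile(rb"YOUR FILES (HAVE BEEN|ARE) ENCRYPTED", re.IGNORECASE)),
]


def scan_bytes(data: bytes) -> list[str]:
    """Return the names of all signatures matching `data` (empty list = clean)."""
    hits = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in KNOWN_BAD_SHA256:
        hits.append("hash:" + KNOWN_BAD_SHA256[digest])
    for name, pattern in PATTERN_SIGNATURES:
        if pattern.search(data):
            hits.append("pattern:" + name)
    return hits


def scan_file(path: str) -> list[str]:
    """Scan a file on disk with the same rules."""
    with open(path, "rb") as fh:
        return scan_bytes(fh.read())


if __name__ == "__main__":
    # Exact known sample: hash and pattern both fire.
    print(scan_bytes(KNOWN_BAD_SAMPLE))
    # Same family, one byte changed: the hash misses, the pattern still catches it.
    print(scan_bytes(KNOWN_BAD_SAMPLE.replace(b"v1", b"v2")))
    # A strain sharing no bytes with anything known: nothing fires.
    print(scan_bytes(b"MZ\x90\x00completely-new-family"))
```

The third call is the article's caveat in code form: a signature set can only describe what has already been seen, which is why the next two techniques look at behavior rather than bytes.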

2. Behavior-based approaches

The main alternative to using signature-based detection tactics is to look at behavior within your network. This comes in two forms - analyzing the activities of users and file executions, or looking for abnormal traffic patterns, especially those leaving the network.

For example, a simple behavioral red flag is a user logging into a company PC from a location where they're known not to be that day. Likewise, an unusually high number of edits to a file in a short space of time, or files being copied or recreated when they shouldn't be, are signs of an attack in progress.

When it comes to monitoring traffic, suspicious activity to look out for may include larger quantities of data being sent than normal, or changes in time patterns that see activity occurring at unusual times of the day.

These methods, while effective, can have their own drawbacks too. For instance, studying the behavior of files or traffic takes time, so some limited damage may be done before an attack can be stopped. It may also lead to a high number of false positives that can disrupt genuine business activities, so this can be a hard balance to get right.
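The two behavioral signals described above, rapid file modification and abnormal outbound traffic, can be expressed as simple rules over audit data. The following is an added example, not the article's own code or any vendor's product: rule 1 keeps a per-account sliding window of file modifications and alerts when the count crosses a threshold, and rule 2 compares each host's outbound volume against a learned mean and standard deviation and flags activity outside the host's usual hours. The audit events, egress figures, baselines and thresholds are all constructed; in a real deployment the baselines come from weeks of normal activity and the thresholds are what you tune to keep the false-positive rate the text warns about under control.

```python
"""Two behavioral detection rules run over constructed audit data."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# --- Rule 1: burst of file modifications by one account ----------------------
# Constructed audit events: (ISO timestamp, user, action, path).
FILE_EVENTS = [
    ("2022-07-14T09:00:00", "alice", "modify", "/share/finance/q2.xlsx"),
    ("2022-07-14T09:00:05", "alice", "modify", "/share/finance/q2.xlsx"),
    ("2022-07-14T09:30:00", "alice", "modify", "/share/finance/q3.xlsx"),
] + [
    # One service account renames 60 distinct files within 30 seconds.
    (f"2022-07-14T02:10:{i // 2:02d}", "svc_backup", "rename",
     f"/share/hr/doc{i}.docx.locked")
    for i in range(60)
]

BURST_WINDOW = timedelta(seconds=60)   # look-back window per account
BURST_THRESHOLD = 50                   # modifications inside the window


def detect_modification_bursts(events, window=BURST_WINDOW, threshold=BURST_THRESHOLD):
    """Return {user: timestamp at which that user first crossed the threshold}."""
    recent = defaultdict(deque)  # per-user timestamps still inside the window
    alerts = {}
    for ts, user, action, _path in sorted(events):
        if action not in ("modify", "rename", "delete"):
            continue
        t = datetime.fromisoformat(ts)
        q = recent[user]
        q.append(t)
        while q and t - q[0] > window:   # drop events that aged out
            q.popleft()
        if len(q) >= threshold and user not in alerts:
            alerts[user] = ts
    return alerts


# --- Rule 2: outbound volume against a per-host baseline ---------------------
# Constructed baseline learned from "normal" weeks: mean/stddev of hourly egress
# in MB and the hours of the day during which the host is normally active.
BASELINE = {
    "ws-017": {"mean_mb": 120.0, "std_mb": 40.0, "active_hours": range(8, 19)},
    "db-01":  {"mean_mb": 900.0, "std_mb": 150.0, "active_hours": range(0, 24)},
}
# Constructed observations: (hour of day, host, MB sent in that hour).
EGRESS_OBSERVED = [
    (10, "ws-017", 150.0),    # within baseline, working hours
    (3, "ws-017", 2600.0),    # 3 a.m. and far above the mean
    (14, "db-01", 1000.0),    # within baseline
]


def detect_egress_anomalies(observed, baseline, z_threshold=4.0):
    """Return [(host, hour, reasons)] for observations that break the baseline."""
    findings = []
    for hour, host, mb in observed:
        b = baseline.get(host)
        if b is None:
            findings.append((host, hour, ["no baseline for host"]))
            continue
        reasons = []
        z = (mb - b["mean_mb"]) / b["std_mb"]
        if z > z_threshold:
            reasons.append(f"volume z-score {z:.1f}")
        if hour not in b["active_hours"]:
            reasons.append("outside normal active hours")
        if reasons:
            findings.append((host, hour, reasons))
    return findings


if __name__ == "__main__":
    print(detect_modification_bursts(FILE_EVENTS))
    print(detect_egress_anomalies(EGRESS_OBSERVED, BASELINE))
```

Note that rule 1 only fires on the 50th event, so by the time it alerts some files have already been rewritten; that lag is the "limited damage" trade-off the text describes, and lowering the threshold buys earlier detection at the price of more false positives from legitimate bulk operations such as backups or builds.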

3. Using deception-based detection

If you want to take a more proactive approach to defending your network - and even go on the offensive against ransomware attackers - this third ransomware detection technique could be an appealing option. It combines the detection of attacks with active prevention, and works by creating a fake network within your systems that acts as a honeypot to attract ransomware, therefore keeping it away from your valuable data.

This typically works by setting up a fake shared network drive that can be accessed from any endpoint within your network. Within this will be (again fake) files and folders that aim to tempt ransomware hackers into attacking. All of this needs to be closely integrated with your cybersecurity defenses and monitoring tools, so you have complete visibility into who's accessing it - which, all being well, should be nobody.

If you do get compromised by ransomware that starts to encrypt or exfiltrate files, the decoy server should be able to spot this immediately and slow it down, allowing you to take steps to stop it from spreading and, hopefully, isolate it away from valuable data.

This, however, is a technique that needs to be used in tandem with other security solutions, including next-generation firewalls, endpoint security, and security information and event management tools, to ensure you're able to spot and respond to an incident.
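The decoy-share idea above reduces to a canary check: plant files that no legitimate process should ever touch, record their fingerprints, and treat any later change as an alert. The following is an added example written for this article, not the article's own code or a vendor's product. It plants decoy files in a temporary directory, records their SHA-256 digests, and then reports files that were modified, went missing (for instance renamed with a new extension) or appeared unexpectedly. The directory, filenames and the simulated tampering are all constructed so the script runs offline; a real deployment would run `check_decoys` on a schedule against the actual share and forward its findings to the SIEM.

```python
"""Decoy-file canary check: fingerprint planted decoys and detect any change."""
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed decoy names chosen to look like the files an encryptor would hit.
DECOY_NAMES = ["2021_payroll_backup.xlsx", "passwords_old.txt", "board_minutes_Q2.docx"]


def _sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def plant_decoys(share_dir: Path) -> dict[str, str]:
    """Create decoy files with harmless filler content; return {name: sha256}."""
    share_dir.mkdir(parents=True, exist_ok=True)
    fingerprints = {}
    for name in DECOY_NAMES:
        p = share_dir / name
        p.write_bytes(f"decoy content for {name}\n".encode() * 20)
        fingerprints[name] = _sha256(p)
    return fingerprints


def check_decoys(share_dir: Path, fingerprints: dict[str, str]) -> list[tuple[str, str]]:
    """Compare the share against recorded fingerprints.

    Returns (event, filename) pairs where event is 'modified', 'missing' or
    'unexpected'. An empty list means nothing has touched the decoys.
    """
    events = []
    present = {p.name for p in share_dir.iterdir() if p.is_file()}
    for name, digest in fingerprints.items():
        if name not in present:
            events.append(("missing", name))
        elif _sha256(share_dir / name) != digest:
            events.append(("modified", name))
    for name in sorted(present - set(fingerprints)):
        events.append(("unexpected", name))
    return events


def demo() -> tuple[list, list]:
    """Plant decoys, confirm they are clean, simulate tampering, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp) / "decoy_share"
        fps = plant_decoys(share)
        clean = check_decoys(share, fps)
        # Constructed tampering: one decoy overwritten, one renamed with a new
        # extension, and one new file dropped into the share.
        (share / "passwords_old.txt").write_bytes(b"\x00garbage\x00")
        os.replace(share / "board_minutes_Q2.docx",
                   share / "board_minutes_Q2.docx.locked")
        (share / "new_note.txt").write_text("constructed unexpected file")
        tampered = check_decoys(share, fps)
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before)
    print("after tampering:", after)
```

The hash comparison tells you that the decoys changed, not who changed them; the "complete visibility into who's accessing it" the text calls for comes from enabling file-access auditing on the share itself and correlating those access events with these findings in your monitoring tools.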
