Among the many cyber threats that businesses face today, one of the most troubling is ransomware. This type of malware - which encrypts files on infected devices and then demands payment for the decryption key - can be hugely disruptive to businesses and even threaten operations completely.
These attacks are often relatively easy to initiate. Ransomware kits can be picked up cheaply on the dark web, while for the more advanced and organized gangs, they can prove highly lucrative. And as many firms don't have the right defenses in place to guard against this type of threat, there is a wealth of easy targets out there.
Therefore, adopting new techniques and technologies such as machine learning will be key to detecting and defending against ransomware.
The growing threat posed by ransomware
The use of ransomware by cybercriminals has exploded in the past couple of years. For many people, the first exposure to what ransomware was capable of was the 2017 WannaCry attack on the UK's NHS. But since then, these types of attacks have become commonplace.
In 2020, one in four cyber attacks dealt with by IBM's Security X-Force Incident Response team involved ransomware, while the amounts demanded by hackers are also growing exponentially. Overall, it was estimated ransomware cost businesses $20 billion last year, when both ransom payments and downtime costs are factored in.
One reason for this has been the impact of COVID-19. With more people working from home and communicating digitally with colleagues and customers, there are more opportunities for criminals to access business networks through tactics like email attacks.
New variants of ransomware are constantly emerging, while the tactics used by criminals are also evolving. In 2020, for instance, one growing trend was 'double extortion' ransomware that not only encrypted data, but also stole it, with hackers then able to demand more money from companies in order to not publicly reveal this data. This can be particularly effective as it increases pressure on firms to pay the ransom even if they have backups that can allow them to keep operating.
The challenges facing businesses
Once infected with ransomware, many firms may feel they have little choice but to pay up. If they haven’t put in place the right mitigation measures beforehand, there’s often little they can do to recover encrypted data other than pay the ransom, or wait and hope encryption keys will be published.
This is why targets are often carefully selected to maximize the chances of a result. Large, multinational firms may be able to ride out the disruption caused by ransomware as they’ll have comprehensive backups and redundancies in place for just such an occasion. But this won't be the case for every organization.
Therefore, ransomware creators often attack those seen as more vulnerable, for whom even short periods of downtime can be hugely damaging. For instance, institutions such as schools, healthcare providers and even local governments are often prime targets, as they’re seen as having no alternative but to pay ransoms in order to restore essential services. In 2019, for example, Baltimore’s government computer systems were infected with a ransomware variant called RobbinHood.
How businesses respond to ransomware attacks is also a difficult issue, with the key question being to pay or not to pay. Experts generally advise against giving in to demands for two main reasons. Firstly, paying only encourages hackers to launch more ransomware attacks in the future, and secondly, there’s no guarantee paying will lead to data being restored.
Only a quarter of ransomware victims see all their data restored, with one in three firms reporting losing a significant number of files - regardless of whether or not they paid the ransom.
How machine learning tools will be at the forefront of the ransomware fight
Ultimately, the best recourse to fight ransomware is to be proactive and stop these threats before they have a chance to infiltrate networks. But as the explosion of incidents shows, many traditional defenses, such as antimalware software, aren't up to the job. Those that rely on methods such as signature detection can often be bypassed by the new generation of as-yet unknown malware.
Therefore, new tools and technologies are required to identify and block these threats before they have a chance to spread. One of the most effective solutions to tackle the ransomware issue is machine learning.
This works by analyzing data to identify patterns of behavior. When it comes to tackling malware, this means it can monitor all incoming traffic to a network and look for anything that appears out of the ordinary. If it does spot anything anomalous, such as a suspicious email with language that doesn’t match that used by the purported sender, it can then be quarantined and flagged up for review.
Machine learning can also monitor activities within the network, such as who’s logging in, which files are being accessed and how they’re being altered.
This can be used to build up a picture of normal behavior and block any unusual activity. And the more the system learns, the more accurate it’ll get, reducing the risk of false positives that disrupt everyday work.
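The baseline-then-flag approach described above, as an added example that is not part of the original article: it learns one user's normal file-write behavior and scores later activity windows against it. The two features (files written per window and the entropy of the written data), the 3.0 threshold, the deviation floor and all sample data are assumptions made for this sketch.

```python
import hashlib
import math
import statistics
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of written data; encrypted output approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def window_features(writes):
    """One monitoring window of written payloads -> (file count, mean entropy)."""
    ents = [shannon_entropy(d) for d in writes]
    return (len(writes), statistics.fmean(ents) if ents else 0.0)

class Baseline:
    """Per-feature mean and deviation learned from windows of normal activity."""
    def __init__(self, normal_windows):
        cols = list(zip(*(window_features(w) for w in normal_windows)))
        self.mean = [statistics.fmean(c) for c in cols]
        # Floor the deviation (assumed value) so a very steady baseline
        # does not turn tiny changes into huge scores.
        self.std = [max(statistics.pstdev(c), 0.5) for c in cols]

    def scores(self, writes):
        feats = window_features(writes)
        return [(x - m) / s for x, m, s in zip(feats, self.mean, self.std)]

    def is_anomalous(self, writes, threshold=3.0):
        # Flag only when BOTH the write burst and the entropy jump are far
        # outside the baseline; one alone is common in everyday work.
        return all(z > threshold for z in self.scores(writes))

# Constructed sample data (not real telemetry).
TEXT = b"quarterly report draft " * 90
# Deterministic high-entropy bytes standing in for encrypted file content.
CIPHERLIKE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))

NORMAL = [[TEXT] * n for n in (3, 4, 2, 5, 3, 4)]   # one user's usual windows
baseline = Baseline(NORMAL)
BULK_SAVE = [TEXT] * 40            # many files, ordinary content
ONE_ARCHIVE = [CIPHERLIKE]         # high entropy, single file
MASS_REWRITE = [CIPHERLIKE] * 40   # many files rewritten with high-entropy data

if __name__ == "__main__":
    for name, w in [("bulk save", BULK_SAVE), ("one archive", ONE_ARCHIVE),
                    ("mass rewrite", MASS_REWRITE)]:
        print(name, [round(z, 1) for z in baseline.scores(w)], baseline.is_anomalous(w))
```

Requiring both signals keeps a large ordinary save or a single compressed file from raising an alert, which is the false-positive concern raised above.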
With ransomware set to continue being a major threat for the foreseeable future, being able to work proactively to block threats before they have a chance to take hold will be vital. This is definitely an area of cybersecurity where prevention is better than cure, and machine learning could well be the key for many firms in making this approach effective.