How Machine Learning Can Help Your Company Fight Ransomware

First, what is ransomware?

Ransomware is a form of malware that encrypts files on the victim's machine and demands a ransom for restoring access to the files. The instructions on how to pay the ransom are put in a ransom note.

Ransomware Attack Threats

Ransomware encrypts files. As a consequence of that, the victim loses access to their data.

When the target of a ransomware attack is just a casual user, that’s usually not a big threat. But what about companies or medical institutions storing sensitive data? It can cause major financial losses.

The Cyber Front Lines Report says that the average dwell time grew by 10 days, from 85 days in 2018 to 95 days in 2019. Attacks have been lucrative, with an average payment of $41,198 as of Q3 2020 and larger enterprises facing demands of over $1 million.

Scale of Ransomware

Ransomware attacks are becoming increasingly popular with almost 200 million attacks in 2019. IT leaders must be prepared to defend against threats to support remote workers and keep company data safe.

Most popular ransomware detection strategies

  1. Ransom note detection: This method searches for previously identified ransom notes of known ransomware.
  2. Encrypted file extension detection: This method detects previously identified file extensions of known ransomware.
  3. Signature-based approach: This method detects previously identified signatures of known ransomware.

Weaknesses of most popular detection strategies

The biggest weakness of these methods is that they work only for known ransomware. What if new ransomware is created that doesn’t appear in databases yet? These ransomware detection methods are then useless because they don’t defend companies from new ransomware attacks.

But there's good news.

The latest advances in data protection and ransomware detection with dedicated AI/ML are specifically designed and trained to fight new ransomware attacks.

Machine Learning-powered ransomware detection

A ransomware attack encrypts files on the victim's machine in bulk, so it produces unusually high activity on the infected user's account as more and more files are encrypted. This means that previously unknown ransomware can be detected by training a machine learning model to detect abnormal activity on a user's account.

Even when an infected file does not match a known signature variant, Egnyte’s ML-based behavioral analytics will identify and flag patterns of file activity indicative of ransomware, such as renaming, deletions, and changes in file entropy.

Everything is about trust

A ransomware attack is a serious thing. So we added a second stage to the detection system to ensure that clients are not alerted about false-positive attacks. When the model detects an attack based on the user's activity, we sample user files to check if they are encrypted. If they are, then we raise an attack alert. Otherwise, we don’t alert the user.
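The two-stage check described above, sketched as an added example; this is not Egnyte's code. A simple z-score over hourly event counts stands in for the trained model, and the thresholds, function names and sample data are all assumptions made for illustration.

```python
import math
import os
import statistics
from collections import Counter

# Assumed thresholds for illustration; a real system would tune these on its own data.
Z_THRESHOLD = 3.0              # stage 1: standard deviations above the user's baseline
ENTROPY_THRESHOLD = 7.5        # stage 2: bits per byte; encrypted data approaches 8.0
MIN_ENCRYPTED_FRACTION = 0.5   # stage 2: share of sampled files that must look encrypted

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def activity_is_abnormal(baseline: list[int], current: int) -> bool:
    """Stage 1: compare the current window's rename/delete/write count to history."""
    mean = statistics.mean(baseline)
    stdev = statistics.pstdev(baseline) or 1.0  # flat history: avoid division by zero
    return (current - mean) / stdev > Z_THRESHOLD

def files_look_encrypted(samples: list[bytes]) -> bool:
    """Stage 2: sample file contents and check whether most are high-entropy."""
    if not samples:
        return False
    high = sum(1 for s in samples if shannon_entropy(s) > ENTROPY_THRESHOLD)
    return high / len(samples) >= MIN_ENCRYPTED_FRACTION

def should_alert(baseline: list[int], current: int, samples: list[bytes]) -> bool:
    """Alert only when the behavioral stage and the content stage agree."""
    return activity_is_abnormal(baseline, current) and files_look_encrypted(samples)

# Constructed sample data (not real telemetry).
BASELINE = [12, 9, 15, 11, 10, 14, 13]  # file events per hour for one user
PLAINTEXT = [b"Quarterly report: revenue grew in all regions.\n" * 200] * 4
RANDOMISED = [os.urandom(8192) for _ in range(4)]  # stands in for encrypted content

if __name__ == "__main__":
    print(should_alert(BASELINE, 900, RANDOMISED))  # burst and unreadable samples
    print(should_alert(BASELINE, 900, PLAINTEXT))   # burst, files readable (bulk copy)
    print(should_alert(BASELINE, 13, RANDOMISED))   # normal activity level
```

Compressed formats such as ZIP or JPEG are also high-entropy, so an entropy check on its own cannot separate them from encrypted files; it works here only as a confirmation step after the activity signal.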

Machine learning detection system architecture

Benefits of a machine learning detection system

Having such a system prepared and deployed allows us to detect ransomware attacks, including new ransomware with unknown signatures and ransomware file extensions.

When the attack is detected, the user can be blocked to stop further file encryption, and files can be restored because we keep copies of the previous versions of the encrypted files.

Data is the new currency. Protecting your most important asset requires more than just endpoint protection. Learn how you can stop ransomware attacks and protect your sensitive data with intelligent detection, response, and recovery—all in a single platform.

Egnyte at GHOST Day: Applied Machine Learning Conference

Egnyte's Machine Learning Engineer, Wojciech Mikołajczyk, presented this topic during the GHOST Day: Applied Machine Learning Conference. The conference creates a space for sharing machine learning experience and knowledge from top experts. Conference speakers are both representatives of the scientific community publishing at top-tier global conferences like NeurIPS and experts from leading companies building machine learning-based products like Google, Facebook, or Egnyte.

For more information, watch the full presentation below:

Author
Wojciech Mikolajczyk
