AI: Microsoft reveals its recipe to combat ransomware

Ransomware is one of the most prolific and malicious digital threats on the web today. Ransomware families (Locky, WannaCry, NotPetya, Cerber and others) remain in the headlines. These families lock down infected systems and then demand payment in exchange for a decryption key that may, or may not, restore access to the encrypted files.

The popularity of ransomware as a service (RaaS) has also grown among criminal groups. RaaS lets cybercriminals buy access to ransomware for use in their own campaigns, whether they are targeting the masses or going after big gaming companies.

According to the Microsoft 365 Defender research team, human-operated ransomware campaigns are complex and multifaceted, which can make early detection difficult, especially as the campaigns continue to evolve.

AI to counter ransomware

In a blog post published Tuesday, the US giant’s teams describe how they are exploring “new ways” to apply AI in the face of an “increasingly complex threat landscape.” Using AI enhancements in their Microsoft Defender for Endpoint platform, they work to disrupt ransomware attacks as soon as they begin. They do this with what they call the “early fraud” technique, which uses machine learning algorithms to determine “malicious intent” in files, processes, user accounts, and devices.

Indicators of a human-operated ransomware campaign may include suspicious activity on user accounts: for example, a cybercriminal who buys stolen credentials and starts poking around the network, cataloging files and processes as they go, or testing the privileges they have obtained.

Attackers can also move across the network in ways that fall outside the normal business activity associated with an account. The final step, of course, is execution of the encryption payload.

Prevent and cure

Microsoft’s AI generates a risk score that indicates whether an entity is involved in an active ransomware attack. The score is based on:

  • temporal and statistical analysis of security alerts at the organizational level;
  • graph-based aggregation of suspicious events across devices;
  • device-level monitoring that reports suspicious activity.

By correlating these data sets, Defender can detect patterns and connections that might otherwise be missed. If a high enough confidence level is reached, the files and entities involved in the ransomware operation are automatically blocked. The results are in: in testing, Defender was able to detect and stop a ransomware attack at an early stage of encryption, when less than 4% of network assets had been encrypted.
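To make the three signals above concrete, here is an added toy illustration (not Microsoft’s code, and not how Defender is implemented) that scores an account by combining a temporal burst of alert types, the number of devices it spreads across, and a severity sum from device-level alerts, then blocks anything over a threshold. The alerts, weights and threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts, not real telemetry: (time, device, account, signal)
ALERTS = [
    ("2024-01-10T02:01:00", "ws-01", "svc-backup", "credential_use_anomaly"),
    ("2024-01-10T02:04:00", "ws-01", "svc-backup", "recon_enumeration"),
    ("2024-01-10T02:09:00", "ws-01", "svc-backup", "lateral_movement"),
    ("2024-01-10T02:10:00", "fs-02", "svc-backup", "lateral_movement"),
    ("2024-01-10T02:15:00", "fs-02", "svc-backup", "mass_file_rename"),
    ("2024-01-10T02:16:00", "ws-03", "svc-backup", "mass_file_rename"),
    ("2024-01-10T09:30:00", "ws-07", "alice", "recon_enumeration"),  # isolated noise
]

# Hand-picked weights for the toy; a real system would learn these.
WEIGHTS = {"credential_use_anomaly": 1, "recon_enumeration": 1,
           "lateral_movement": 2, "mass_file_rename": 3}
WINDOW = timedelta(minutes=30)

def parse(alerts):
    return [(datetime.fromisoformat(t), d, a, s) for t, d, a, s in alerts]

def temporal_burst(events, window=WINDOW):
    """Temporal analysis: most distinct alert types seen inside one sliding window."""
    ordered = sorted(events, key=lambda e: e[0])
    best = 0
    for i, (t0, *_) in enumerate(ordered):
        kinds = {s for t, _, _, s in ordered[i:] if t - t0 <= window}
        best = max(best, len(kinds))
    return best

def account_device_graph(events):
    """Graph aggregation: which devices each account's suspicious events touch."""
    touched = defaultdict(set)
    for _, dev, acct, _ in events:
        touched[acct].add(dev)
    return touched

def risk_scores(alerts):
    events = parse(alerts)
    scores = {}
    for acct, devices in account_device_graph(events).items():
        own = [e for e in events if e[2] == acct]
        burst = temporal_burst(own)                    # temporal signal
        spread = len(devices)                          # cross-device signal
        severity = sum(WEIGHTS[e[3]] for e in own)     # device-level signal
        scores[acct] = burst * spread + severity
    return scores

def entities_to_block(alerts, threshold=10):
    """Accounts whose combined score crosses the (assumed) confidence threshold."""
    return {acct for acct, s in risk_scores(alerts).items() if s >= threshold}
```

With the constructed data, `svc-backup` scores 24 and is blocked while `alice`, with a single isolated alert, scores 2 and is not.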

“With its enhanced AI-based detection capabilities, Defender for Endpoint successfully detected and incriminated a ransomware attack early in its encryption phase, when the attackers had encrypted less than four percent (4%) of the organization’s devices, demonstrating a better ability to disrupt an attack and protect the organization’s remaining devices.”
