Effective URL: https://searchsecurity.techtarget.com/feature/3-ransomware-detection-techniques-to-catch-an-attack?utm_campaign=20210908_ERU+Transmiss...

3 RANSOMWARE DETECTION TECHNIQUES TO CATCH AN ATTACK
IT'S NOT ENOUGH TO PROTECT A COMPANY'S SYSTEM FROM RANSOMWARE. REDUCE DAMAGE
FROM ATTACKS WITH THESE THREE RANSOMWARE DETECTION METHODS.
By
 * Kyle Johnson, Technology Editor

Try as they might, companies can't avoid ransomware forever. Eventually,
attackers will get into an enterprise system. The goal then becomes detecting
ransomware before it encrypts and exfiltrates business-critical data.



"The world has clearly recognized we cannot prevent every attack from
happening," said Dave Gruber, analyst at Enterprise Strategy Group, a division
of TechTarget. "The adversary is going to compromise our systems; they're going
to get in. The race is to detect and stop attackers before anything happens."

When ransomware gets onto a company's system, it can cause serious damage,
affecting the bottom line and public perception. By the time security teams see
ransom demands, damage is done. Prevention is a critical piece of the battle
against ransomware. But Allie Mellen, analyst at Forrester, pointed out that the
detection and response activities in an IT security organization add a layer of
protection. To protect against ransomware before it can make lateral moves in a
system, companies need effective detection methods in place.

Security teams have plenty of options when it comes to malware detection
techniques. Each technique falls into one of three types:

 1. signature-based methods
 2. behavior-based methods
 3. deception


INSIDE THE 3 RANSOMWARE DETECTION TECHNIQUES

Ransomware detection involves using a mix of automation and malware analysis to
discover malicious files early in the kill chain. But malware isn't always easy
to find. Adversaries often hide ransomware within legitimate software to escape
initial detection. Some software used includes PowerShell scripts, VBScript,
Mimikatz and PsExec.

"The ultimate goal is to detect malicious activity, not necessarily to detect
malware. The detection and analysis process is often assembling a series of what
might be suspicious activities to determine whether anything malicious is
actually happening," Gruber said.

1. SIGNATURE-BASED RANSOMWARE DETECTION

Signature-based ransomware detection compares a ransomware sample hash to known
signatures. It provides quick static analysis of files in an environment.
Security platforms and antivirus software can capture data from within an
executable to determine the likelihood that it is ransomware versus an
authorized executable. Most antivirus software takes this step in a scan for
malicious software.

Security teams can also use the Windows PowerShell cmdlet Get-FileHash or open
source intelligence tools, such as VirusTotal, to get a file's hash. Using that
hash, security professionals can compare a file against known malware samples.

Signature-based ransomware detection techniques are a first level of defense.
While useful at finding known threats, signature-based methods struggle to
identify newer malware.

Attackers update their malware files to slip past detection. Adding a single
byte to a file creates a new hash, decreasing the malicious software's
detectability. In the first half of 2021, network security company SonicWall
discovered 185,945 new malware variants, according to its "2021 Mid-Year Cyber
Threat Report."
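The following is an added example, not code from the article: it performs the hash lookup described above in Python (the same SHA-256 digest that Get-FileHash -Algorithm SHA256 prints) and shows why appending a single byte defeats it. The "known bad" set is constructed here from made-up bytes, not real malware indicators.

```python
import hashlib

# Constructed sample: a tiny stand-in for an antivirus signature database.
# The hash is computed from invented bytes, not from a real ransomware sample.
KNOWN_BAD_SAMPLE = b"constructed ransomware sample bytes v1"
KNOWN_BAD_HASHES = {hashlib.sha256(KNOWN_BAD_SAMPLE).hexdigest()}


def sha256_of(data: bytes) -> str:
    """Hex SHA-256 digest of in-memory bytes, matching Get-FileHash output."""
    return hashlib.sha256(data).hexdigest()


def hash_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large binaries don't need to sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def is_known_bad(data: bytes, signatures=KNOWN_BAD_HASHES) -> bool:
    """Signature check: an exact hash match against the known-bad set."""
    return sha256_of(data) in signatures


def single_byte_variant(data: bytes) -> bytes:
    """Append one byte, modelling the trivial change the article describes."""
    return data + b"\x00"
```

The original sample matches, while the one-byte variant produces an unrelated digest and slips past the lookup, which is the gap behavior-based methods have to cover.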

Still, signature-based detection is useful to identify older ransomware samples
and "known good" files, said Mario de Boer, analyst at Gartner. It provides
protection from ransomware campaigns that are general, rather than targeted, he
said.

[Figure: 2021 ransomware attacks by month]


2. BEHAVIOR-BASED DETECTION METHODS

Behavior-based detection methods compare recent activity against historical
baselines of normal behavior, and security professionals and tools look for
indicators of compromise in the deviations. For example, is someone accessing a
company desktop remotely from another state when the employee logged in from
the office that same day?

Here are three such methods.

File system changes

Security teams should look for abnormal file executions, such as an
overabundance of file renames. A few happen in a normal workday, but hundreds
within a short amount of time should raise red flags.

Ransomware can stay hidden in systems for a while before executing. Therefore,
security teams should also look for the creation of a file with larger entropy
than an original file, as well as the enumeration and encryption of files.
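An added example (not from the article) of the two file-system signals above: a Shannon entropy comparison between a document and its rewritten contents, and a sliding-window counter that flags a process renaming files in bulk. The event tuples, thresholds and the "unknown.exe" process name are constructed for illustration.

```python
import math
from collections import Counter, deque


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def entropy_jump(original: bytes, rewritten: bytes, threshold: float = 3.0) -> bool:
    """Flag a rewrite whose entropy rose sharply, e.g. a document replaced by ciphertext."""
    return shannon_entropy(rewritten) - shannon_entropy(original) >= threshold


def rename_bursts(events, window_s=60, limit=100):
    """events: (timestamp_s, process, action) tuples sorted by time.
    Returns the processes that performed >= limit renames inside any window_s span."""
    recent = {}          # process -> deque of rename timestamps still inside the window
    flagged = set()
    for ts, proc, action in events:
        if action != "rename":
            continue
        q = recent.setdefault(proc, deque())
        q.append(ts)
        while q and ts - q[0] > window_s:
            q.popleft()
        if len(q) >= limit:
            flagged.add(proc)
    return flagged


# Constructed sample data: a plaintext document and a uniformly distributed
# stand-in for its encrypted replacement.
PLAINTEXT = b"Quarterly report: revenue grew in every region this year. " * 8
CIPHERTEXT_LIKE = bytes(range(256)) * 2

# Constructed event log: explorer renames a handful of files across a workday,
# while an unknown process renames 150 files in 30 seconds.
SAMPLE_EVENTS = [(t * 600, "explorer.exe", "rename") for t in range(5)]
SAMPLE_EVENTS += [(3600 + i * 0.2, "unknown.exe", "rename") for i in range(150)]
SAMPLE_EVENTS.sort()
```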

Traffic analysis

Security teams should examine traffic for anomalies, such as whether any
software is connecting to shady file-sharing sites and the time of such actions.
Teams should also check whether the volume of traffic has recently increased and
where it's going. Ransomware requires network connectivity to off-site servers
to receive command and control instructions and to exchange decryption keys.

While useful, this detection method does yield false positives and requires
analysis time. Also, attackers might use legitimate file-sharing sites,
allowlisted by the infected company, to fly under the radar.
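An added example (not from the article) of the traffic checks described above: each host's egress is compared against its own recent baseline, and the volume check runs even when the destination is allowlisted, because of the caveat just mentioned. Host names, byte counts and the domain are constructed.

```python
from statistics import mean, pstdev

# Constructed data: daily egress bytes for one workstation over ten past days,
# today's single large transfer, and the company's allowlisted file-sharing domain.
BASELINE_DAYS = {
    "ws-042": [210_000_000, 195_000_000, 230_000_000, 205_000_000, 220_000_000,
               198_000_000, 215_000_000, 225_000_000, 190_000_000, 212_000_000],
}
TODAY = {"ws-042": {"dest": "share.example-files.test", "bytes": 6_400_000_000}}
ALLOWLISTED_SITES = {"share.example-files.test"}


def egress_anomaly(host, today_bytes, history, zmax=3.0, min_ratio=3.0):
    """True if today's egress sits far outside the host's own baseline."""
    past = history.get(host)
    if not past or len(past) < 5:
        return False                      # no usable baseline yet: don't guess
    mu, sigma = mean(past), pstdev(past)
    if sigma:
        z = (today_bytes - mu) / sigma
    else:
        z = float("inf") if today_bytes > mu else 0.0
    # Require both a statistical outlier and a large absolute multiple, which
    # keeps a single noisy day from tripping the alert.
    return z >= zmax and today_bytes >= min_ratio * mu


def review(today, history, allowlist):
    """Return (host, reason) findings. Volume is checked for every destination,
    since attackers may stage data through sites the company already trusts."""
    findings = []
    for host, rec in today.items():
        if rec["dest"] not in allowlist:
            findings.append((host, f"unapproved destination {rec['dest']}"))
        if egress_anomaly(host, rec["bytes"], history):
            findings.append((host, f"egress {rec['bytes'] / 1e9:.1f} GB vs baseline"))
    return findings
```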

API calls

A third behavior-based method security teams can use is examining API calls.
What commands are files executing? Are any suspicious? For example, spyware and
keyloggers use GetWindowDC to capture information from an entire window. Or they
call IsDebuggerPresent to check whether a debugger is attached on the system.

Another ransomware ploy is to call GetTickCount to see how long a system has
been running, to the millisecond. A short uptime may indicate that the
ransomware is running inside a VM or analysis sandbox, so the malware refrains
from any malicious action to avoid being detected.

3. DECEPTION-BASED DETECTION

Tricking adversaries is the third ransomware detection technique. The most
common example is to create a honeypot. This file repository or server is a
decoy or bait for attackers. Normal users do not touch this server, so if it
sees activity, the odds are good it's an attack.
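An added example (not from the article) of the decoy idea at file level: plant canary files no user should ever touch, record their digests, and alert when one is rewritten or disappears. The decoy names and filler content are constructed; the demo uses a temporary directory so it runs anywhere.

```python
import hashlib
import os
import tempfile

# Constructed decoy names chosen to look worth encrypting; no real data inside.
DECOY_NAMES = ["passwords.xlsx", "Q3-payroll.docx", "backup-keys.txt"]


def file_digest(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def plant_decoys(root, names=DECOY_NAMES):
    """Create decoy files and return {path: baseline_digest}."""
    baseline = {}
    for name in names:
        path = os.path.join(root, name)
        with open(path, "wb") as f:
            f.write(b"DECOY: " + name.encode())   # constructed filler content
        baseline[path] = file_digest(path)
    return baseline


def check_decoys(baseline):
    """Return (path, event) pairs for decoys that were modified or removed."""
    alerts = []
    for path, digest in baseline.items():
        if not os.path.exists(path):
            alerts.append((path, "missing"))      # deleted or renamed away
        elif file_digest(path) != digest:
            alerts.append((path, "modified"))     # contents rewritten in place
    return alerts


def demo():
    """Plant decoys, simulate one rewrite and one removal, return the event names."""
    with tempfile.TemporaryDirectory() as root:
        baseline = plant_decoys(root)
        clean = check_decoys(baseline)            # expected: no alerts yet
        victim, gone = sorted(baseline)[:2]
        with open(victim, "wb") as f:
            f.write(os.urandom(64))
        os.remove(gone)
        return clean, sorted(event for _, event in check_decoys(baseline))
```

In practice the check runs on a timer or from a file-system watcher, and any hit is treated as high confidence because no legitimate workflow reads these files.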


TAKING A LAYERED ANTI-RANSOMWARE APPROACH

Using multiple ransomware detection techniques together offers security teams a
better chance to detect and monitor a ransomware attack -- and isolate it before
it gets too far into a system.

"As modern attacks are becoming complex and easily bypass basic techniques, it
is evident no single technique can address all use cases," de Boer said.

As such, companies need to do more than just install and run antivirus software.
Alongside a combination of ransomware detection techniques, security teams
should also look for attacks entering through the front door. Insider threats,
such as credential reuse and social engineering, often give adversaries access
to a system.

Companies need to take ransomware seriously. Ransomware payments are up 82% from
2020, according to data from Palo Alto Networks. Use best practices to train
employees about the different ransomware risks. Teach infosec pros the Mitre
ATT&CK framework, which provides tactics, techniques and procedures that
adversaries use. With this knowledge, security teams can determine the company's
strengths and weaknesses and improve systems accordingly.

This was last published in September 2021