There are approximately 250 known ransomware families, and these families are directly related to the rise of ransomware-as-a-service, according to Bitdefender.
“Ransomware infection is just the final step; these modern attacks take some time to prepare and threat actors will try to thoroughly prepare before launching an attack,” Martin Zugec, technical solutions director at Bitdefender, said in a Business Insights blog post.
Defending against the growing number of ransomware families, however, causes problems for two reasons: Samples that are often modified and the cost of real-time detection. The solution for improving ransomware security could be found with machine learning technologies. Vladimir Strogov, director of development, kernel team, and Sergey Ulasen, director of AI development, both with Acronis, spoke at RSA 2022 about how machine learning can be used to address, and possibly defeat, advanced ransomware threats.
Why Machine Learning?
Ransomware is complicated. The regeneration of ransomware families and ransomware-as-a-service makes the malware even more difficult to detect and defend against. As Zugec explained in the Bitdefender blog post, “The modern RaaS model allows cybercriminals to become specialists and focus on their areas of expertise.” This sets it up for the bad guys to do even more damage and leaves the good guys two steps behind in their attempts to address ransomware attacks.
Machine learning is designed to work with large amounts of data. It can use all that data to recognize legitimate processes and model good behaviors. Programmed correctly, it can then be used to detect anything out of the norm. The power of machine learning is in its ability to make predictions, an Acronis blog post stated.
“In the case of machine learning and data protection, stack trace analysis is the foundation of the ML process. By analyzing what happens at each stage, normal activity becomes clear and a reference model is created. In the case of a ransomware attack, new code would be injected into this process—which is readily noticeable.”
In their RSA talk, Strogov and Ulasen cited the Ryuk ransomware as an example of advanced ransomware that can be addressed with machine learning. Ryuk ransomware is commonly used in targeted attacks; not only encrypting network resources but also deleting shadow copies of data stored on end devices. As Strogov and Ulasen explained, Ryuk, in its initial stages, will plant executables into the system with botnets and, in advanced stages, inject malware into multiple systems and trusted processes. The challenge for security teams is to find the abnormal injection from legitimate injection techniques and sniff out the malware.
Machine learning solutions can detect and deter the ransomware injection in the following ways, according to the RSA presenters:
- ML takes snapshots of data changes for the thread.
- It then detects stack anomalies with ML models.
- Changed data is recovered if ransomware is detected.
- And finally, it discards the snapshots of data changes.
The Power of Prediction
The better you know your network’s patterns and behaviors, the easier it is to predict how things should behave. Machine learning recognizes expected executions and transmissions; it basically defines what is normal. Therefore, the ability to predict abnormal behavior is how machine learning defends against ransomware.
Machine learning and its predictive capabilities offer fast detection of abnormal files and call stacks and can trigger data protection to begin in real-time. Going beyond prediction, machine learning can also track the behavior of any injected code; knowing where it is within the network and then taking remediation actions. Just as important, machine learning can be used to monitor backup data to make sure that infected code hadn’t slipped through.
Finally, in their talk, Strogov and Ulasen offered the following tips to enhance your ransomware defense with machine learning:
• Gather all types of injections routinely.
• Develop the model training infrastructure.
• Start with simple models like Random Forest.
• Update your model regularly.
• Automate the data annotation process.
• Apply ML to behavior analysis.
Ransomware families continue to expand, becoming more sophisticated in how they enter and hide in your network, waiting for the opportunity to unleash the attack. Machine learning is a security tool to recognize normal behavior of your code and predict an anomaly, and then offers real-time remediation before the damage is done.