Parameters for ransomware attack detection

The number of private users and companies affected by ransomware attacks has increased considerably over the recent years. The creation of new business models based on the “Internet of Things”, cloud services, e-banking, together with the anonymity of cryptocurrency transactions have caused the design of new attacks.

The attackers have created new malwares that cause alarming damages, both financially and in the corporate image of companies. Therefore, ransomware has become one of the most dangerous attacks able to cause huge losses around the world.

According to a report by Symantec, the number of ransomware attacks increased by 113%. They are considered a threat from the internet core. The attacks are also addressed to large organizations, such as hospitals, educational or banking entities.

Timely detection of a ransomware attack is one of the main goals in the field of ​​cybersecurity development, because once the attack has been carried out, information retrieval becomes very difficult. That’s why we try to find parameters that allow detecting an attack in its early stages (before data encryption).

In order to prevent such attacks, proposals focused on recommendations, such as making backups or updating the operating system, have been developed. There are also strategies that propose different mechanisms for the prevention of loss of information like the creation of a secured repository or deployment of computer security tools.

For example, in some strategic methods API calls have been analyzed through data mining algorithms, such as Random Forest or Support Vector Machine, which includes the extraction and selection of features, information processing, and the analysis of results through learning algorithms.
In other cases, a dynamic classification method has been proposed to detect the type of ransomware to which the attack belongs, which evaluate characteristics such as APIs, monitoring of file system operations, directories and records, among others.

One of the most prominent solutions proposed is the analysis of metrics and statistics of the system or network that allows to detect known patterns and, if possible, predict a future attack.

Some patterns could help to counteract possible attacks and develop a recovery plan, however, it is important to clarify that due to the large number of threats and the characteristics of each type of attack, there is no ideal learning model for ransomware detection. However, the focus has been on the selection of algorithms that allow identifying as suspicious the attributes’ behavior that can be monitored.

For the future we expect the improvement of algorithms that allow detecting, with a greater success rate, if an application is executing malicious ransomware tasks relating parameters of different nature such as created files, network traffic, remote connections or modifications in the registry of the system.

Ikusi’s cybersecurity solutions protect your company’s critical infrastructure by threat detection service which covers the entire cycle of an attack from threat analysis for timely containment.