Detecting Ransomware via Machine Learning & Artificial Intelligence

Written by: RANK Software  |  May 18, 2017

Last week’s unprecedented spread of the WannaCry ransomware again drew attention to the limitations of traditional technologies and processes in detecting and responding to ever-increasing cyber threats. Many blogs and articles appropriately focus on the need for every machine to be on the latest software version and patch level, backed by a validated backup and disaster recovery plan.

But we also know that in a budget-constrained world with limited IT resources, 100% adherence to this practice isn’t happening. There will always be systems running without the latest patch. Can Machine Learning and Artificial Intelligence technologies help in staying ahead of the game, not only for WannaCry but also for other threats that may appear in the future?

The simple answer is Yes.

Unlike traditional rule-based systems, Behavioral Analytics systems are trained to detect anomalous behavior in users and machines across multiple dimensions: connectivity, bandwidth and processes. It is this ability to provide deeper visibility and real-time analysis that makes Machine Learning and Artificial Intelligence systems well suited to detecting cyberattacks and enabling rapid response.

RANK’s product VASA (Virtual Advisor for Security Analytics) helps customers in several ways against Day Zero attacks:

  1. Behavior-Based Anomaly Detection that detects anomalous behavior by users and machines across multiple dimensions of network connectivity, bandwidth and processes
  2. Visibility across the network to identify malicious traffic patterns, both North-South (traffic to and from your enterprise) and East-West (traffic within your enterprise)
  3. Integrated Threat Intelligence to identify known Indicators of Compromise
  4. A Flexible Architecture that connects the different point solutions in your security stack to provide unparalleled context and visibility into potential breaches

Let’s go deeper into each of those points to show how VASA works for the WannaCry attack (and others like it).

1. Machine Learning-based Behavioral Anomalies: VASA helps identify suspicious processes running on machines without requiring any hardcoded file hashes or rules. The Indicators of Compromise (IOCs) for the WannaCry family of ransomware are bread-and-butter use cases for VASA:

  1. Spikes in network traffic from processes connecting to the same domain
  2. Excessive NXDOMAIN responses on endpoints
  3. Processes making connections to unusual domains
  4. Connections to an unusual listening port on a machine
  5. Processes launching from unusual paths or parent processes

2. Network Visibility & Timeline View: VASA identifies reconnaissance for open SMB shares. This allowed VASA customers to proactively tighten their network configuration and reduce their risk exposure. VASA provides a timeline view of the SMB scan, which reveals two different network outliers that analysts can act on immediately:

I. Spikes in the network share connection count, indicating a very high number of network connections emanating from the internal machine

II. The individual connection events to port 445 (used for SMB traffic), which give specifics on those network connections
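As an added illustration of outlier I above (not VASA's code, and with an assumed log format and thresholds), this script counts port 445 connections per internal source host per minute over constructed log lines and flags a host whose SMB connection count and distinct-destination count jump far above an assumed baseline, the pattern of an SMB share sweep:

```python
"""Flag internal hosts whose SMB (port 445) connection count spikes above
baseline. Log format, baseline and factor are assumptions, not VASA's."""
from collections import Counter, defaultdict
from datetime import datetime
import re

# Constructed connection-log format: "<iso-timestamp> src=<ip> dst=<ip> dport=<port>"
LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+)$")

def parse(line):
    """Return (timestamp, src, dst, dport) or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, dport = m.groups()
    return datetime.fromisoformat(ts), src, dst, int(dport)

def smb_counts_per_minute(lines):
    """Return {src: {minute: (connection_count, distinct_destinations)}} for port 445 only."""
    conns = defaultdict(Counter)
    dsts = defaultdict(lambda: defaultdict(set))
    for line in lines:
        rec = parse(line)
        if rec is None or rec[3] != 445:
            continue                      # skip garbage and non-SMB traffic
        ts, src, dst, _ = rec
        minute = ts.replace(second=0, microsecond=0)
        conns[src][minute] += 1
        dsts[src][minute].add(dst)
    return {src: {m: (c, len(dsts[src][m])) for m, c in per.items()} for src, per in conns.items()}

def find_smb_spikes(lines, baseline_per_minute=3, factor=5, min_distinct=10):
    """Alert on (src, minute, count, distinct) where SMB connections exceed
    factor x the assumed baseline AND fan out to many distinct hosts."""
    alerts = []
    for src, per in smb_counts_per_minute(lines).items():
        for minute, (count, distinct) in sorted(per.items()):
            if count >= factor * baseline_per_minute and distinct >= min_distinct:
                alerts.append((src, minute.isoformat(), count, distinct))
    return alerts

# Constructed sample: 10.0.0.7 behaves normally, 10.0.0.5 sweeps 40 hosts on port 445
SAMPLE_LOG = (
    ["2017-05-12T09:00:%02d src=10.0.0.7 dst=10.0.0.2 dport=445" % s for s in (5, 20, 41)]
    + ["2017-05-12T09:00:%02d src=10.0.0.7 dst=10.0.0.9 dport=80" % s for s in (7, 8)]
    + ["2017-05-12T09:01:%02d src=10.0.0.5 dst=10.0.0.%d dport=445" % (i, 10 + i) for i in range(40)]
)

if __name__ == "__main__":
    for alert in find_smb_spikes(SAMPLE_LOG):
        print("SMB spike: src=%s minute=%s connections=%d distinct_dst=%d" % alert)
```

In a real deployment the baseline would be learned per host from its own history rather than fixed, which is the part the page attributes to machine learning.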


3. Threat Intelligence: RANK VASA automatically connects to threat intelligence sources and immediately flags the appearance of known Indicators of Compromise published by security researchers around the world.

4. Architecture: VASA has an open and flexible architecture and integrates with many popular malware sandboxes. This enables VASA to analyze every file downloaded in an organization and alert analysts in real time.

Cyber attacks are growing at an unprecedented rate. It is not a matter of if, but rather when, an organization will be breached. It is time to move the cybersecurity game from a reactive to a proactive approach. Artificial Intelligence can be an effective tool in helping to predict, prevent and defeat attacks. VASA, coupled with best practices like patch management, backups and standard endpoint protection, gives organizations an effective tool to fight back against growing cyber threats.