Malicious Ransomware Detection

By: Gus Warren / Data Scientist at Adlumin, Inc.

Ransomware attacks work by encrypting critical data on a victim’s devices and network in exchange for payment, generally in cryptocurrency. These attacks have become increasingly prevalent and result in losses worth hundreds of millions of dollars every year, with attackers targeting critical infrastructure, government agencies, and financial institutions. Once perpetrators gain access to a victim’s network through any exploited lapse in security, they deploy malware that works to get the victim to pay the requested ransom. The full scope of the attack may often not be known until well after the attack has concluded and the attacker has been able to spread the malware across the network, affecting maximum damage to critical data.

Adlumin Data Science has developed a machine learning algorithm for detecting ransomware attacks via comprehensive monitoring of changes across the entire file system. The detection system uses an algorithm for measuring the number of access events, specifically monitoring the number of Write/WriteAttribute (Windows Event ID 4663) and Delete (Windows Event ID 4660) events. These access events help provide a clear footprint for encryption and deletion events occurring across the network, which may be indicative of a system-wide ransomware attack. The process is made possible through Adlumin’s serverless data pipeline in the cloud that allows the algorithm to collect and monitor file access events in near real-time. Traditional file auditing processes can be used to monitor these events; however, the volume of the files read/deleted on a network tends to overflow such systems.

The newly developed ransomware detection model monitors the volume of these three events independently of each other per user across the entire network, looking for anomalous spikes in aggregate activity during specific time windows using historical data as a benchmark. If the amount of activity (either write or deletion) exceeds a model-determined threshold relative to the rest of the activity on the network, a detection will be sent for investigation. This proactive monitoring may allow security analysts to quarantine and isolate portions of their network that are being hit by excessive encryption and deletion before the attacker is able to spread the attack to the rest of the system.

In addition to monitoring for excessive levels of file access events, the algorithm analyzes the distribution of objects modified and/or deleted across the network. If the majority of activity is focused in a single subdirectory, which could be associated with software installation or anti-virus scans, the model will not externally raise a detection. However, if the spike in activity is spread across multiple subdirectories, indicative of system-wide activity, the model will raise a detection.

Below is an example of a theoretical ransomware detection. The detection view allows Adlumin users to view the aggregate file access information that triggered the detection, as well as a sample of the individual files that were accessed allowing security analysts to determine where the activity is occurring. Analysts can further click on each file access event to view more detailed information surrounding the event.