nesting dolls

Malware VS Ransomware: Can AI save the CISO?


AI and ML are promising tools in the cyber security war. Using them to prevent an attack is top of mind for CISOs. But the differences between malware and ransomware make one easy to detect with AI, while the other is still tough to catch.

How malware works, and why AI can detect it.

In the malware vs ransomware discussion, malware is easier to detect by AI and ML models because it behaves in ways and executes tasks a user wouldn’t typically do. Crypto mining, for example, doesn’t behave like a user. Because Malware does things users don’t normally do, it has to temper its actions to be effective. 

Malware takes a “slow and low” approach in an attempt to avoid detection. Threat actors using malware know they will accomplish more if they take a more cautionary approach.  A threat actor may design malware to execute only a single task every few hours. Malware paces its actions to avoid being detected. 

Ransomware, however, can move at a faster pace and do far more damage even with AI tools. 

How ransomware works and why AI struggles

That brings us to ransomware. Threat actors are tasked with encrypting their target’s data quickly because the more data they encrypt, the more likely they are to pay a lucrative ransom. Ransomware is the perfect tool. It reads, writes, and deletes files, but because it behaves like a user, it can move fast and evade detection. This fact is why machine learning struggles to detect ransomware. 

Ransomware is big business, and threat actors are strategic in bypassing your defenses. Not every security leader realizes threat actors are unhooking your EDR tech, like Crowdstrike, Defender, Sentinel One, or Carbon Black in the kernel. In this way, hackers bypass your defenses.

In Mitre, this is in the Defense Evasion column and is sub-technique key 1562.001: “Impair defense, disable or modify tools.” Bypassing EDR tech is more common than one might think. As 3 Tree Tech researched various technologies to stop ransomware, we better-understood ransomware’s stealth-like process.

If fighting against hackers is truly a cat-and-mouse game, how can ransomware be stopped? 

How can ransomware be stopped?

To stop ransomware we’re seeing tech companies take a few compelling approaches to stop it. They’re re-positioning monitoring, utilizing next-gen behavioral capsule networks, making environments unsuitable, and capturing decryption keys.

Closer monitoring

First, cyber tech companies are positioning monitoring closer to ring “0” in the kernel. This allows an AI model (or future technology) to watch a process through its entire life cycle. If something exhibits bad behavior, it could more easily be detected and blocked. 

Next-gen capsule networks

Second, cyber tech companies are utilizing next-gen behavioral capsule networks. Although they’re not commonly used today, capsule networks are good at user-like behavior analysis. Finding a technology that armors your EDR tech by not letting threat actors unhook it is paramount if you want to eliminate the threat of ransomware. 

Appear Russian to avoid ransomware

Third, cyber tech companies are making environments unsuitable for ransomware to exist therein. This one is particularly interesting. 

Because threat actors don’t want to run in a sandbox or in an analyst workstation and find themselves loaded into virus total, they often run “ff then” checks in user land (the application tier) before deploying. Threat actors invest significant resources into ransomware, so most design it to exit a program if it believes it is at risk of losing its valuable IP address. But there’s another reason they run “ff then” checks. They don’t want to deploy to a Russian computer. 

If caught deploying ransomware to a Russian government computer, threat actors know the consequences are extremely severe. Therefore, threat actors put these checks in place to avoid angering the Russian government. This is why it’s rare to deploy ransomware in Russia. For this reason, we’re seeing cyber tech companies make your tech stack appear as though you have all Russian keyboards and IPs. 

The initial concern is shutting down legitimate Russian traffic, but consider this: if a program exits because it thinks it is operating in Russia, you probably don’t want it in your environment.

Capturing Decryption Keys

And lastly, capturing the decryption key is the ultimate safety net to protect against ransomware. When a threat actor deploys ransomware, they load a copy of the decryption key into memory. In one use case, cyber tech companies are preventing ransomware by grabbing a copy of the decryption key in clear text when the threat actor loads it into memory. They then store the decryption key on both your endpoint and in their cloud and can unencrypt your files or folders in seconds or minutes, thus taking ransomware off the table, entirely.

Kris Taylor of 3 Tree Tech

Kristopher Taylor is VP of Cyber Security Sales at 3 Tree Tech in Portland. He is a platform-agnostic tech researcher that transitions siloed organizations into automated DevOps centric businesses. To get his help, message him right here.

Related Posts

Over the Horizon
How can 150 Million in DARPA research improve your security posture?

As our team was researching the DOD’s big 700 Million RFP for their...

hacker using keyboard
Who’s holding you hostage: Cybersecurity companies or hackers?

It’s a serious headline. Although most CISOs, CIOs, and CTOs teams have the...