Ransomware Detection Techniques: Which One Is The Best?

Detecting ransomware attacks is better than dealing with their consequences—downtime, reputational damage, and others. As experts in data protection, we’d like to share our insight into ransomware detection methods.

In this article, we’ll look at three ransomware detection techniques, their features and try to determine the best one.

Three Major Ransomware Detection Techniques

There are three main threat detection techniques: by signature, by traffic analytics, and by file behavior. Let’s take a look at them and their properties.

Detection By Signature

Detecting ransomware by signature is a common technique used by many antivirus solutions. But what is a signature? To put it simply, a signature is a part of its code that can be used to identify a specific ransomware strain (e.g., Ryuk, Sodinokibi, and others).

The signature allows security software to detect and stop an attack quickly. Though useful in detecting old ransomware strains, this method will not protect against ransomware of more modern types. Why?

Detection by signature is one step behind ransomware by design. Let’s take a look at the whole process to understand it better.

Software utilizing this method needs constant updates. An update requires that a strain is found and examined. By the time an update is made, new ransomware modifications will appear. By the time security specialists examine these modifications, hackers create newer ones, and the circle starts again.

Time is not the only issue reducing the efficiency of by-signature detection. Using the Ransomware-as-a-Service model, bots can alter signatures to target specific organizations. This allows creating a highly-customizable ransomware version that will easily bypass the signature-based detection systems.

Detection By Abnormal Traffic

The next method is detection using traffic analysis. This method’s core idea is to examine data traffic and its elements (timestamp, volume, etc.) to find abnormalities.

If an algorithm detects abnormal traffic patterns that may indicate a ransomware attack, access to a targeted account(s) will be locked. Compared to signature-based solutions, this method doesn’t require “knowing” a signature. In other words, analyzing traffic allows you to detect modified ransomware attacks.

The main drawback of solutions using this method is a high false positive rate. If a false positive response happens, and a solution blocks C-level accounts, the downtime will be costly.

Detection By Data Behavior

Monitoring data behavior is the third ransomware detection method. The main idea of this technique is to monitor file executions to identify abnormalities. Behavior-based solutions execute the file and monitor its actions for malicious behavior such as overwriting DLL files or encrypting emails.

What makes this method stand out? Compared to the signature-based approach, a signature is not required. Compared to the traffic-based process, this method’s advantage is that it doesn’t need to block an account if malicious activity is spotted.

The downside of this method is that files need to be executed incorrectly for some time to confirm the attack. In practice, it means that several percent of data within a system becomes encrypted before security algorithms respond.

What Is the Best Technique?

Before answering this question, let’s visualize some of the core ideas about ransomware detection software and techniques within this table.

	Detection by Signature	Detection by Traffic	Detection by File Behavior
Applied in	The majority of antivirus software	Traffic analytics solutions (GREYCORTEX MENDEL, Cisco ETA)	Some antivirus (Carbon Black) and data protection software (SpinOne)
Pros	Fast and widely available	Detects modified ransomware	Detects modified ransomware
Cons	Inability to detect modified ransomware	High false positive	Detection takes some time

Summing up the pros and cons of the three techniques:

• Traditional signature-based techniques detect only well-known ransomware. They won’t protect your data from recent ransomware strains or targeted attacks.
• Traffic analytics can detect modern ransomware strains. However, this method often has a high false positive rate. This can lead to system downtime, disrupting business operations.
• Detection by file behavior is accurate and detects even the most recent ransomware strains. However, an attack is detected only after some files are encrypted.

“If all of them have downsides, you may ask, is there a single best threat detection technique?” In our opinion, ransomware detection by file behavior is the best technique. Here’s why:

• This technique stops even the most modern ransomware strains and targeted attacks.
• The protected data won’t be locked due to a high false positive rate.
• The downside can be complemented with a backup. With a backup, you can restore encrypted files.

By combining the innovative behavior-based method with a backup, we’ve created a reliable ransomware protection solution for Google Workspace (G Suite) and Microsoft Office 365. Contrary to detection-only antivirus solutions that can identify and alert, we created a fully automated end-to-end protection solution.

Our solution automatically detects, stops, and recovers your data from a ransomware attack. How? You can find out in our next article.

Read next: How does SpinOne protect your cloud files against ransomware?