Home » Spin.AI Blog » SSPM » SaaS Applications Risk Assessment » Ransomware Detection Techniques: Which One Is The Best?
January 28, 2021 | Updated on: March 25, 2024 | Reading time 8 minutes

Ransomware Detection Techniques: Which One Is The Best?

Detecting ransomware attacks is better than dealing with their consequences—downtime, reputational damage, and others. As experts in data protection, we’d like to share our insight into ransomware detection methods.

In this article, we’ll look at three ransomware detection techniques, their features and try to determine the best one.

Three Major Ransomware Detection Techniques

There are three main threat detection techniques: by signature, by traffic analytics, and by file behavior. Let’s take a look at them and their properties.

Detection By Signature

Detecting ransomware by signature is a common technique used by many antivirus solutions. But what is a signature? To put it simply, a signature is a part of its code that can be used to identify a specific ransomware strain (e.g., Ryuk, Sodinokibi, and others).

The signature allows security software to detect and stop an attack quickly. Though useful in detecting old ransomware strains, this method will not protect against ransomware of more modern types. Why?

Detection by signature is one step behind ransomware by design. Let’s take a look at the whole process to understand it better.

Software utilizing this method needs constant updates. An update requires that a strain is found and examined. By the time an update is made, new ransomware modifications will appear. By the time security specialists examine these modifications, hackers create newer ones, and the circle starts again.

Time is not the only issue reducing the efficiency of by-signature detection. Using the Ransomware-as-a-Service model, bots can alter signatures to target specific organizations. This allows creating a highly-customizable ransomware version that will easily bypass the signature-based detection systems.

Detection By Abnormal Traffic

The next method is detection using traffic analysis. This method’s core idea is to examine data traffic and its elements (timestamp, volume, etc.) to find abnormalities.

If an algorithm detects abnormal traffic patterns that may indicate a ransomware attack, access to a targeted account(s) will be locked. Compared to signature-based solutions, this method doesn’t require “knowing” a signature. In other words, analyzing traffic allows you to detect modified ransomware attacks.

The main drawback of solutions using this method is a high false positive rate. If a false positive response happens, and a solution blocks C-level accounts, the downtime will be costly.

Detection By Data Behavior

Monitoring data behavior is the third ransomware detection method. The main idea of this technique is to monitor file executions to identify abnormalities. Behavior-based solutions execute the file and monitor its actions for malicious behavior such as overwriting DLL files or encrypting emails.

What makes this method stand out? Compared to the signature-based approach, a signature is not required. Compared to the traffic-based process, this method’s advantage is that it doesn’t need to block an account if malicious activity is spotted.

The downside of this method is that files need to be executed incorrectly for some time to confirm the attack. In practice, it means that several percent of data within a system becomes encrypted before security algorithms respond.

What Is the Best Technique?

Before answering this question, let’s visualize some of the core ideas about ransomware detection software and techniques within this table.

 Detection by SignatureDetection by TrafficDetection by File Behavior
Applied inThe majority of antivirus softwareTraffic analytics solutions (GREYCORTEX MENDEL, Cisco ETA)Some antivirus (Carbon Black) and data protection software (SpinOne)
ProsFast and widely availableDetects modified ransomwareDetects modified ransomware
ConsInability to detect modified ransomwareHigh false positiveDetection takes some time

Summing up the pros and cons of the three techniques:

  • Traditional signature-based techniques detect only well-known ransomware. They won’t protect your data from recent ransomware strains or targeted attacks.
  • Traffic analytics can detect modern ransomware strains. However, this method often has a high false positive rate. This can lead to system downtime, disrupting business operations.
  • Detection by file behavior is accurate and detects even the most recent ransomware strains. However, an attack is detected only after some files are encrypted.

“If all of them have downsides, you may ask, is there a single best threat detection technique?” In our opinion, ransomware detection by file behavior is the best technique. Here’s why:

  • This technique stops even the most modern ransomware strains and targeted attacks.
  • The protected data won’t be locked due to a high false positive rate.
  • The downside can be complemented with a backup. With a backup, you can restore encrypted files.

By combining the innovative behavior-based method with a backup, we’ve created a reliable ransomware protection solution for Google Workspace (G Suite) and Microsoft Office 365. Contrary to detection-only antivirus solutions that can identify and alert, we created a fully automated end-to-end protection solution.

Our solution automatically detects, stops, and recovers your data from a ransomware attack. How? You can find out in our next article.

Read next: How does SpinOne protect your cloud files against ransomware?

Was this helpful?

Thanks for your feedback!
Avatar photo

Vice President of Product

About Author

Davit Asatryan is the Vice President of Product at Spin.AI

He is responsible for executing product strategy by overseeing the entire product lifecycle, with a focus on developing cutting-edge solutions to address the evolving landscape of cybersecurity threats.

He has been with the company for over 5 years and specializes in SaaS Security, helping organizations battle Shadow IT, ransomware, and data leak issues.

Prior to joining Spin.AI, Davit gained experience by working in fintech startups and also received his Bachelor’s degree from UC Berkeley. In his spare time, Davit enjoys traveling, playing soccer and tennis with his friends, and watching sports of any kind.

Featured Work:


How Can You Maximize SaaS Security Benefits?

Let's get started with a live demo

Latest blog posts

saas application data protection fundamentals

Expert Insights: SaaS Application Data Protection Fundamentals

SaaS applications appeal to organizations because they make running the application “somebody else’s problem.” However,... Read more

Understanding Shadow IT: Risks, Strategies, and Emerging Trends

Since the early adoption of digital technology in business, companies have been struggling to build... Read more

The History and Evolution of Ransomware

The History and Evolution of Ransomware

Ransomware has become an efficient tool for illegal money extortion and achieving political goals worldwide.... Read more