Machine learning and the fight against ransomware
Credit to Author: Trend Micro| Date: Wed, 26 Apr 2017 17:34:51 +0000
Ransomware is now everywhere.
The number of emails containing ransomware rose 6,000 percent since 2015, and in 2016, 40 percent of all spam emails had one of these malicious programs hidden within, according to IBM.
Other reports highlight the sophistication of ransomware nowadays and it's financial impact on organizations that become victims of such attacks. In short, it's all bad news. But this isn't all doom and gloom.
Thankfully, new approaches like machine learning are blazing a trail in the fight against ransomware, and against malicious activity in general.
What is machine learning?
Machine learning is a new type of artificial intelligence that is emerging more often in mainstream technological pursuits. Machine learning enables systems to learn and shift their capabilities without having to be programmed specifically. In this way, access to new data allows a system to adjust or change its processes depending on the information it is given.
What does machine learning have to do with ransomware?
Machine learning is being applied to all kinds of systems and activities, allowing systems to become smarter and shift processes without the need for human interaction. This type of advanced capabilities may prove invaluable to cyber security.For organizations across every industry, a solution like this could be just what's needed to guard against increasingly complex malicious threats like ransomware. And this help is desperately needed.
In fact, it appears even law enforcement isn't immune to ransomware. Naked Security recently reported on an incident involving Texas police, where a significant amount of data was lost after files were encrypted by hackers. Overall, the department lost eight years' worth of digital evidence after an employee clicked a malicious link in a legitimate-looking email.
The attack impacted every file on the organization's connected server. Instead of paying the ransom to attackers, the FBI and department's IT staff decided the best course of action was to wipe the server of all affected files, thereby eliminating the ransomware.
Could machine learning provide the answer?
"Machine learning could be the next best weapon in this cyberwar."
Machine learning could be the next best weapon in this cyber war. An AI system of this kind could potentially slow the spread of the type of malicious program used to encrypt files and prevent authorized access, reducing the overall impact of the infection.
Data mining processes scour data sets to pinpoint patterns that could be used to bolster human comprehension. Machine learning works in comparable way, leveraging existing data to determine patterns and using those patterns to adjust its own actions.
Machine learning could provide the key to detecting ransomware attacks before they become too widespread, providing the opportunity for an organization to react ahead of malicious file encryption.
CERBER: Ransomware sidesteps machine learning protection
Similar to the pattern seen throughout the history of cyber security, just as a viable protection measure is created, hackers are quick to establish strategies to circumvent preventation tactics. In true cybercriminal form, a new family of ransomware was recently discovered with the ability to avoid detection by machine learning security solutions, Trend Micro reported.
The new infection family, dubbed CERBER, are still delivered via a malicious email link like its ransomware predecessors. This sample packs an extra punch, however, and is one of the most advanced attacks seen yet.
CERBER is able to identify the type of environment it is running in, be it a virtual machine or sandbox. The infection then checks for certain analytics and antivirus products, including Task Manager and Wireshark, as well as security solutions from AVG, Kaspersky, Norton and Trend Micro.
What's more, CERBER also includes a separate loader specifically designed to evade machine learning solutions.
"A layered anti-malware approach can safeguard against ransomware."
"The industry has created features to proactively detect malicious files based on features instead of signatures," Trend Micro threat analyst Gilbert Sison wrote. "The new packaging and loading mechanism employed by Cerber can cause problems for static machine learning approaches – i.e, methods that analyze a file without any execution or emulation."
Ransomware protection in the age of machine learning
As Sison pointed out, this doesn't mean machine learning is invaluable in protecting against ransomware. CERBER appears to include the first attempt to evade machine learning protection solutions, but hackers' approach here hasn't been fully perfected.
A layered anti-malware approach can better identify suspicious file packages and provide a strong safeguard against the type of malicious activity ransomware is known for.
"Solutions that rely on a variety of techniques, and are not overly reliant on machine learning, can still protect customers against these threats," Sison explained.
In this way, it's important to vary the types of protections in place, and use a multi-layered system to close any gaps in security. To find out more, contact Trend Micro today.