Ransomware Detection Techniques

A ransomware infection can be identified by a few different means. Some of the most common ransomware detection mechanisms include the following:

Detection By Signature

Signature-based detection is the simplest way to identify the presence of malware on a system. Malware signatures include information like file hashes, the domain names and IP addresses of command and control infrastructure, and other indicators that can uniquely identify a malware sample. Signature-based detection systems store a library of these signatures and compare them to each file entering or running on a system to see if it is malware.

However, signature-based detection is growing less and less useful. It has never worked against novel malware, because no signature exists yet for a variant that has not been seen before. Today, ransomware groups commonly build a unique version of their malware (with different file hashes, command and control infrastructure, etc.) for each attack campaign, which leaves signature-based detection with nothing to match.

Detection By Behavior

Behavioral detection is another option for detecting the presence of ransomware on a system. Behavior-based detection algorithms can be designed to look for specific activities that are known to be malicious or to look for anomalous actions that differ from the norm.

Behavior-based ransomware detection takes advantage of the fact that ransomware has very unusual behavior. For example, ransomware’s encryption stage requires the malware to open many files on the system, read their contents, and then overwrite them with an encrypted version. An anti-ransomware solution that monitors file operations or encryption operations can alert on this unusual pattern and detect the ransomware while it is running.

Detection By Abnormal Traffic

Monitoring file operations is an endpoint-level form of behavior-based threat detection. However, ransomware can also be detected at the network level by looking for anomalous traffic that may indicate a ransomware infection or malware in general.

In the past, ransomware performed few network operations before starting encryption, which helped hide its presence on the system. Modern ransomware, however, steals and exfiltrates sensitive data before encrypting it, giving the attacker additional leverage when pressuring the victim to pay the ransom demand.

Carrying out a large-scale data breach requires sending large amounts of data from inside the network to outside systems under the attacker’s control. Even if the ransomware tries to conceal these transfers, they can still produce anomalous network traffic that can be detected and traced back to the ransomware present on the system.