Microsoft has launched an AI-driven ransomware attack detection system for Microsoft Defender for Endpoint customers. It complements existing cloud-delivered protection by assessing the risk of each device in real time and blocking attackers at the earliest stage, before they have established themselves in the network.
Because human-operated ransomware attacks follow recognizable methods and behaviors, Microsoft believes it can use data-driven AI methods to detect this type of attack.
Block the initial foothold
Attackers typically establish a foothold on a target system by planting malware binaries that give them remote access to the device.
However, not all binaries used in an attack are malicious: many of the executables involved are legitimate programs, including built-in Windows commands (so-called living-off-the-land binaries).
Signals generated by these binaries are often triaged as low priority and ignored by defenders.
An AI-driven adaptive protection system that can detect unusual behavior, even from legitimate binaries, can therefore play a key role in preventing further compromise of the device and in giving response teams valuable time to stop the attack.
"In customer environments, AI-driven adaptive protection has been particularly successful in helping to block human access to networks by blocking the binaries that grant that access," Microsoft explained.
"By taking into account signals that would otherwise be considered low priority for remediation, adaptive protection stops the attack chain at an early stage, thus greatly reducing the overall impact of the attack."
"The threat turned out to be Cridex, a banking Trojan commonly used to steal credentials and data, which is also a key component of many cyberattacks, including human-operated ransomware."
Unlike cloud protection with a manually configured blocking level, the new system is adaptive: it can automatically raise the aggressiveness of cloud-delivered blocking decisions based on real-time data and machine-learning predictions about the device's risk.
Block subsequent attack steps
Even if the algorithms fail to assess the true extent of the risk and ransomware operators find a way into the targeted network, the system remains an obstacle for them.
Adaptive protection can detect and block seemingly benign operations, such as network enumeration, that ransomware actors carry out during the reconnaissance phase, Microsoft explained.
Similarly, it can detect and block open-source tools that are often abused for lateral movement, as well as slightly modified commodity malware that has no identifiable signature.
"Assuming that activity in the early to middle stages of an attack is not detected and blocked, AI-driven adaptive protection still has tremendous value against the final ransomware payload," Microsoft explained.
"Given that the device has been compromised, our AI-powered adaptive protection system can easily automatically switch to the most aggressive mode, blocking the actual ransomware payload and preventing important files and data from being encrypted so that attackers can't demand ransom."
As defense mechanisms become more sophisticated, attackers are more likely to try to neutralize them outright (for example by disabling the antivirus engine or cloud protection) rather than to evade or circumvent them.
This means that administrators should periodically check the status of their defense tools to make sure they are always up and running.
Cloud-delivered protection is turned on by default, and the AI-driven enhancements are now automatically included in Microsoft Defender for Endpoint as an "always-on" feature.
If any of these features turn out to be disabled, the administrator should immediately investigate further to determine whether they have been tampered with.
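One way to perform that periodic check is a read-only PowerShell script run on each Windows device. The script below is an added example, not code from Microsoft's announcement: the cmdlets and property names come from the Defender PowerShell module (Get-MpComputerStatus, Get-MpPreference, Get-WinEvent), while the thresholds it applies and the set of event IDs it looks for are this example's own assumptions rather than Microsoft's stated criteria.

```powershell
# Added example: verify that cloud-delivered protection, real-time protection and
# tamper protection are still on, and surface recent events that suggest someone
# tried to switch them off. Run in an elevated PowerShell on the device.
# Thresholds (signature age) and event IDs below are this example's assumptions.

$status = Get-MpComputerStatus
$pref   = Get-MpPreference
$findings = @()

# Core engine, real-time protection and behavior monitoring must be running.
if (-not $status.AMServiceEnabled)          { $findings += 'Antimalware service is not running' }
if (-not $status.RealTimeProtectionEnabled) { $findings += 'Real-time protection is disabled' }
if (-not $status.BehaviorMonitorEnabled)    { $findings += 'Behavior monitoring is disabled' }
if ($status.AMRunningMode -ne 'Normal') {
    $findings += "Defender is in '$($status.AMRunningMode)' mode, not running as the primary antivirus"
}

# Cloud-delivered protection (MAPS) is what the adaptive blocking builds on.
# MAPSReporting: 0 = Disabled, 1 = Basic, 2 = Advanced.
if ($pref.MAPSReporting -eq 0)        { $findings += 'Cloud-delivered protection (MAPS) is disabled' }
# CloudBlockLevel: 0 = Default, 2 = High, 4 = High+, 6 = Zero tolerance.
if ($pref.CloudBlockLevel -eq 0)      { $findings += 'Cloud block level is Default; High is the usual hardening choice' }
# SubmitSamplesConsent: 0 = Always prompt, 1 = Send safe samples, 2 = Never send, 3 = Send all.
if ($pref.SubmitSamplesConsent -eq 2) { $findings += 'Sample submission is set to Never send' }

# Tamper protection stops an attacker with admin rights from flipping these settings.
if (-not $status.IsTamperProtected)   { $findings += 'Tamper protection is off' }

# Stale signatures suggest updates are blocked or the device has been offline.
$sigAge = (Get-Date) - $status.AntivirusSignatureLastUpdated
if ($sigAge.TotalDays -gt 3) {
    $findings += "Signatures last updated $([int]$sigAge.TotalDays) days ago"
}

# Operational-log events from the last 7 days that indicate protection was turned off
# or a change was blocked. IDs assumed here: 5001 = real-time protection disabled,
# 5010 = scanning for malware disabled, 5013 = tamper protection blocked a change.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5001, 5010, 5013
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue
foreach ($e in $events) {
    $firstLine = ($e.Message -split "`r?`n")[0]
    $findings += "Event $($e.Id) at $($e.TimeCreated): $firstLine"
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: cloud protection, real-time protection and tamper protection are all on.'
} else {
    Write-Output 'INVESTIGATE: protection state on this device has changed:'
    $findings | ForEach-Object { Write-Output "  - $_" }
    exit 1
}
```

The script exits non-zero when anything is wrong, so it can be scheduled centrally and its exit code collected as a fleet-wide signal. Note that if Defender has been fully stopped, Get-MpComputerStatus itself will fail; treat that error as a finding rather than as a scripting problem.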