
Use Case ‐ Ransomware

Ransomware Attack
Targeted ransomware attacks on government entities such as state departments, local (city /
municipality) entities, schools, universities, enterprises, service providers and even small and medium
businesses have risen steadily over the years. Much like malware in general, ransomware
attacks have evolved from basic attacks, usually limited to a single host holding some valuable
data, to advanced attacks capable of spreading across the network, aided by worm components
(ransomworm or cryptoworm) to increase the number of hostages and the monetary gain. Often, ransomware (e.g., Ryuk)
is delivered through sophisticated trojans like Emotet that take evasive actions and even destroy
backups, such as volume shadow copies, on hosts and servers to maximize damage and prevent recovery through
alternate means without a payoff. Some of the well-known ransomware families that have caused considerable
damage are WannaCry, CryptoLocker, Ryuk, Petya, NotPetya and Maze.

Challenges
A ransomware attack typically involves multiple stages, and each stage can usually be detected by a different security
product as a suspicious threat indicator pointing to a potential ransomware attack. However, detecting and preventing
ransomware with existing security tools faces the following challenges:

- An increased number of false positives, because each security tool has limited visibility; this most often
results in alert fatigue.
- Misdetection, because of the lack of advanced correlation across the multiple security tools.
- Delayed response, because of heavy reliance on expert security analysts to correlate multiple suspicious
activities in order to confirm the attack and then take action.


AICYBERWATCH’s Solution
Detecting ransomware relies heavily on behavioral analytics and threat modelling to follow the
various stages of its propagation. Traditional threat detection tools rely heavily on the security analyst to discern
unusual activities and to write correlation rules that stitch indicators together. This approach depends on the
analyst’s skill in threat detection and fluency with a complex UI, which leaves a degree of subjectivity in reaching the
desired outcome. In sharp contrast, AICYBERWATCH’s aiSIEM/aiXDR leans on Machine Learning for behavioral
analytics and on Artificial Intelligence for correlating indicators, driven by built-in dynamic threat models. When these
indicators line up with a certain degree of confidence, the algorithm raises an alert for the analyst to act upon.

Here are the top 3 scenarios corresponding to Ransomware detection with AICYBERWATCH aiSIEM and aiXDR.

Detection at Host: The ransomware payload tries to make its way onto the endpoint host. In the case of an attack
based on email phishing, aiSIEM/aiXDR quickly swings into action, correlating logs from the email server with
endpoint activity to find traces of unusual or suspicious processes spawned on the endpoint.
Detection at Host Connecting with C&C: The malware tries to establish a connection with its Command and
Control (C&C) server from the affected host. It may generate a new domain name programmatically and
attempt to connect to it. During this stage, AICYBERWATCH’s aiSIEM/aiXDR platform steps in to detect the
auto-generated domain names and correlates that information with other threat indicators to raise an alert.
Detection of Lateral Movement: Introduction of an infected host into the network could lead to a network scan
conducted by the malware to identify potential targets before it propagates to other
endpoints/servers like a worm. AICYBERWATCH aiSIEM/aiXDR can detect this activity rapidly and correlate it with
contextual events to raise a “Potential Malware Infected Host” alert, followed by quarantining the infected host.
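The following is an added example, not code from AICYBERWATCH or its products, showing the kind of cross-stage correlation the three scenarios above describe: an Office application spawning a script interpreter (host stage), a high-entropy, DGA-like domain lookup (C&C stage) and a burst of connections to many distinct internal addresses (lateral-movement stage) are collected per host, and a host with two or more distinct indicators is reported. The event format, host names, thresholds and the sample events are all constructed for the example.

```python
import math
from collections import Counter, defaultdict

# Constructed sample events, not taken from the page: (host, kind, value) where
# kind is "proc" (parent>child), "dns" (queried name) or "conn" (dst ip:port).
EVENTS = [
    ("host-17", "proc", "winword.exe>powershell.exe"),
    ("host-17", "dns", "mail.example.com"),
    ("host-17", "dns", "xk3qz9vbm2lw7pd.com"),
    ("host-17", "dns", "q8ztv1kx0mwn4rl.net"),
    ("host-02", "proc", "explorer.exe>chrome.exe"),
    ("host-02", "dns", "www.example.org"),
    ("host-02", "conn", "10.0.0.5:443"),
] + [("host-17", "conn", f"10.0.0.{i}:445") for i in range(1, 13)]  # SMB sweep

OFFICE = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}


def shannon_entropy(text):
    """Bits per character of text; random-looking labels score high."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def looks_generated(domain, min_len=12, min_entropy=3.5):
    """Flag a domain whose registrable label is long and high-entropy (DGA-like)."""
    parts = domain.lower().rstrip(".").split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def suspicious_spawn(chain):
    """Office application spawning a script interpreter: a common phishing foothold."""
    parent, _, child = chain.lower().partition(">")
    return parent in OFFICE and child in SCRIPT


def correlate(events, scan_threshold=10):
    """Collect per-host indicators across the stages; report hosts with two or more."""
    indicators = defaultdict(set)
    targets = defaultdict(set)  # distinct destination IPs contacted per host
    for host, kind, value in events:
        if kind == "proc" and suspicious_spawn(value):
            indicators[host].add("suspicious_process")
        elif kind == "dns" and looks_generated(value):
            indicators[host].add("dga_domain")
        elif kind == "conn":
            targets[host].add(value.split(":")[0])
    for host, dsts in targets.items():
        if len(dsts) >= scan_threshold:
            indicators[host].add("network_scan")
    return {h: sorted(i) for h, i in indicators.items() if len(i) >= 2}
```

Run against the sample events, `correlate(EVENTS)` reports only host-17, with all three indicator types; host-02 produces no indicator and is not reported.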
