Perhaps the most common ransomware detection method, and the main one used by antivirus products, is signature-based detection.
Find unique footprints
All programs, software, files, and apps have their own digital footprint or signature, usually unique to each one. This is usually in the form of a hash file, which is a numerical representation of data designed to protect it. To detect malware, antivirus products scan a computer and compare the signatures it finds to those on a database of known malware. If it discovers such a footprint, the antivirus product will either delete it or quarantine it.
A company’s security team can also use software tools to get a file’s hash and compare it to known malware.
Although useful and highly effective, signature-based detection is only an initial line of defense. Ransomware developers are constantly evolving and updating their malware to evade signature-based detection. Even adding a single byte to a file creates a completely new hash, making malware harder to detect. For this reason, although signature-based methods are good at finding established ransomware, they can struggle to find newer threats.
Some antivirus products also support behavior-based detection. Malware behaves differently than legitimate software, and antivirus products can detect this, even before the malware has executed.
Manual checks can also reveal suspicious activity that is indicative of ransomware. One of these indicators is excessive file renaming. Some renaming happens every day, but if hundreds of files are being renamed, it could indicate the presence of ransomware.
Analyze traffic patterns
Security teams can also analyze traffic to see whether any software is connecting to dubious websites, particularly file sharing sites. Increases in the volume of traffic can also be an indicator, as ransomware needs to connect to offsite servers to receive instructions and exchange decryption keys.
Analyzing traffic can be time consuming, and because it is not as accurate as behavior-based detection, it may also yield false positives. Attackers might also use legitimate file sharing sites to avoid detection.
A third technique is to use deception by creating a honeypot, setting up a file server to act as bait for attackers. Because legitimate users do not access this server, any activity on it is likely to be the result of an attack and thus can warn teams of a pending attack before or during execution.