Microsoft has launched a new AI-driven ransomware attack detection system for its Defender for Endpoint customers. The new system evaluates risk and blocks actors at the perimeter, complementing its existing cloud protection.

Human-operated ransomware attacks exhibit a specific set of behaviors and methods, and Microsoft believes it can detect these attacks with a data-driven AI approach. Many executables used in such attacks are legitimate programs, including built-in Windows commands, so not every binary involved in an attack is known to be malicious. Some defenders view the indicators generated by such binaries as low priority and ignore them.

Microsoft explained of its AI-driven defense system: “In a customer environment, the AI-driven adaptive protection feature was especially successful in helping prevent humans from entering the network by stopping the binary that would grant them access. By considering indicators that would otherwise be considered low priority for remediation, adaptive protection stopped the attack chain at an early stage such that the overall impact of the attack was significantly reduced. The threat turned out to be Cridex, a banking trojan commonly used for credential theft and data exfiltration, which are also key components in many cyberattacks including human-operated ransomware.”

AI-driven adaptive protection systems that detect unusual behavior, even in legitimate binaries, can be invaluable in preventing further compromise of devices and giving response teams valuable time to block attacks.

The new adaptive cloud protection model automatically adjusts the aggressiveness of cloud-delivered blocking verdicts based on real-time data and machine learning (ML) predictions, rather than relying on manual tuning.

With adaptive protection, Microsoft explains, seemingly benign operations such as network enumeration, which ransomware actors perform during their reconnaissance phase, can be detected and blocked. Open-source tools commonly abused for lateral movement can be detected as well, as can commodity malware with slightly modified signatures.
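As an added illustration (not Microsoft's code; the indicator weights, the threshold formula and the sample process events are constructed assumptions), the following toy model shows the core idea the article describes: individually low-priority indicators from built-in Windows commands are aggregated per device, and the blocking threshold is lowered as the device's real-time risk rises, so a reconnaissance chain that a fixed threshold would let through is blocked early.

```python
"""Toy model of adaptive, risk-aware blocking over low-priority indicators.
Constructed example; weights, threshold formula and events are assumptions,
not Microsoft's implementation."""
from collections import defaultdict

# Assumed weights for built-in commands typical of reconnaissance.
# Each alone is low priority; the chain across a device is what matters.
RECON_WEIGHTS = {
    "net view": 1, "net group": 1, "nltest": 2, "whoami": 1,
    "ipconfig": 1, "arp -a": 1, "nslookup": 1, "quser": 1,
}
BASE_THRESHOLD = 6  # fixed verdict threshold a non-adaptive engine would use


def indicator_weight(cmdline):
    """Weight of the first recon indicator found in a command line, else 0."""
    low = cmdline.lower()
    for pattern, weight in RECON_WEIGHTS.items():
        if pattern in low:
            return weight
    return 0


def adaptive_threshold(device_risk):
    """Lower the blocking threshold as device risk (0.0 to 1.0) rises.
    A floor of 2 keeps a single benign command from triggering a block."""
    return max(2, round(BASE_THRESHOLD * (1.0 - device_risk)))


def evaluate(events, device_risk):
    """events: (device, cmdline) tuples in time order.
    Returns {device: (aggregated_score, verdict)}."""
    scores = defaultdict(int)
    for device, cmdline in events:
        scores[device] += indicator_weight(cmdline)
    threshold = adaptive_threshold(device_risk)
    return {d: (s, "block" if s >= threshold else "allow")
            for d, s in scores.items()}


# Constructed process-creation events: ws01 runs a recon chain, ws02 one command.
SAMPLE_EVENTS = [
    ("ws01", "whoami /all"),
    ("ws01", "net view \\\\dc01"),
    ("ws01", "nltest /dclist:corp"),
    ("ws01", 'net group "Domain Admins" /domain'),
    ("ws02", "ipconfig /all"),
]

if __name__ == "__main__":
    print("fixed threshold:", evaluate(SAMPLE_EVENTS, 0.0))
    print("elevated risk:  ", evaluate(SAMPLE_EVENTS, 0.5))
```

With the fixed threshold ws01's chain scores 5 and is allowed; at a device risk of 0.5 the threshold drops to 3 and the same chain is blocked while ws02's single command is still allowed.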