Microsoft announces Fusion detection for spotting ransomware activity

Get a free Techzine subscription!

Microsoft has announced a new ransomware detection feature for Azure customers that will alert security teams when the system spots activity potentially associated with ransomware attacks.

In a blog post by Microsoft’s Sylvie Lu, we learned that Azure worked with the Microsoft Threat Intelligence Center to develop Fusion detection for ransomware.

Microsoft’s Fusion technology uses machine learning to spot potential attacks in progress and let security teams get ahead of the problem. The system will alert security teams of ransomware activity at ‘defense evasion and execution stages in a specific timeframe.’

How it will work

Liu explained that the system will send messages that read like: “Multiple alerts possibly related to Ransomware activity detected” in the Azure Sentinel workspace. The alerts will explain what happened and on which devices the actions have been detected.

The Fusion system will correlate data from Azure Defender (Azure Security Center), Microsoft Defender for Identity, Microsoft Defender for Endpoint, Azure Sentinel scheduled analytics rule, and Microsoft Cloud App Security.

In a report compiled by BlackFog (a cybersecurity firm) and released on Monday, analysis shows that ransomware attacks on government organizations and schools continue to increase this year. Both institutions deploy thousands of Microsoft machines.

Changing the approach

Liu cited a report by PurpleSec that estimated ransomware attacks in 2020 caused $20 billion worth of damage and increased downtime by 200%.

She continued to say that preventing attacks in the first place would be the ideal way to approach the emerging ransomware-as-a-service trends as well as human-operated ransomware, its scope, and the increased sophistication.

Liu said that attackers are using slow and stealth techniques, meaning they can be in networks long before they even spring the attack. That is why looking for markers or signals that they could already be up to something, is a good way to try and stop them before they attack.