Microsoft announces new ransomware detection features for Azure

August 10, 2021 TH Author

Microsoft has unveiled a new ransomware detection feature for its Azure customers that will send alerts to security teams when the system observes actions “potentially associated with ransomware activities.”

In a blog post, Microsoft’s Sylvie Liu said Azure worked with the Microsoft Threat Intelligence Center to create Fusion detection for ransomware. Microsoft’s Fusion technology uses machine learning to find potential attacks in progress and alert security teams.

The system will send alerts when it sees ransomware activities at “defense evasion and execution stages during a specific timeframe.”

Liu explained that the system will send messages like “Multiple alerts possibly related to Ransomware activity detected” in the Azure Sentinel workspace.

The alerts will explain what happened and on which devices or hosts the actions were seen. The Fusion system will correlate data from Azure Defender (Azure Security Center), Microsoft Defender for Endpoint, Microsoft Defender for Identity, Microsoft Cloud App Security and Azure Sentinel scheduled analytics rules.

A report from cybersecurity firm BlackFog released on Monday found that ransomware attacks on government organizations and schools are continuing to increase in 2021, both of which deploy thousands of Microsoft machines.

Liu cited a report from PurpleSec that estimated ransomware attacks in 2020 caused $20 billion worth of damage and increased downtime by 200%

“Preventing such attacks in the first place would be the ideal solution but with the new trend of ‘ransomware as a service’ and human operated ransomware, the scope and the sophistication of attacks are increasing — attackers are using slow and stealth techniques to compromise network, which makes it harder to detect them in the first place,” Liu said.

“When it comes to ransomware attacks, time more than anything else is the most important factor in preventing more machines or the entire network from getting compromised. The sooner such alerts are raised to security analysts with the details on various attacker activities, the faster the ransomware attacks can be contained and remediated.”