Part 2: Capsule Network Detections vs Ransomware

Written by Tommy Perniciaro
Published on February 21, 2023

In our post, Capsule Networks vs CNN’s for Ransomware Detection, we explored why leveraging Capsule Networks (CapsNets) is a superior approach to detecting different types of ransomware variants and attack campaigns, and how they can overcome some of the challenges involved in detecting ransomware.

In this post, let's dive deeper into the technical details of how a capsule network could prevent a Ransomware-as-a-Service (RaaS) campaign like LockBit 2.0, and how it could work in conjunction with an Extended Detection and Response (XDR) tool. First, let's talk about how a capsule network works. 

CapsNets 101

Capsule networks are a type of neural network that can identify complex patterns in data and represent them as vectors. Unlike traditional neural networks like convolutional neural networks (CNNs), capsule networks are designed to identify spatial hierarchies and relationships between various features in the data, making them highly effective at detecting anomalies in data and predicting complex patterns.

In the case of detecting RaaS campaigns, a capsule network can analyze various patterns of data, such as the type of files being encrypted, the time of day the attack occurred, and the specific ransom note left by the attacker. By identifying the spatial hierarchies and relationships between these features, the capsule network can detect anomalies that would signal a potential RaaS campaign.
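As an added illustration (not code from the post or from Halcyon), here is the core CapsNet mechanism in plain Python: the squash activation and the routing-by-agreement procedure from Sabour, Frosst and Hinton's 2017 capsule paper. The three "feature capsules" (encryption burst, off-hours activity, ransom note) and the two parent classes are a constructed toy scenario with hand-picked prediction vectors rather than learned ones.

```python
import math

def squash(s):
    """Capsule activation: keep the direction of s and map its length into [0, 1),
    so a long (confident) prediction approaches 1 and a short one is suppressed."""
    norm_sq = sum(x * x for x in s)
    if norm_sq == 0.0:
        return [0.0] * len(s)
    scale = norm_sq / (1.0 + norm_sq) / math.sqrt(norm_sq)
    return [scale * x for x in s]

def softmax(xs):
    exps = [math.exp(x - max(xs)) for x in xs]
    return [e / sum(exps) for e in exps]

def dynamic_routing(u_hat, iterations=3):
    """Routing by agreement. u_hat[i][j] is the vector that lower capsule i
    predicts for parent capsule j. Returns (parent vectors v, couplings c)."""
    n_in, n_out, dim = len(u_hat), len(u_hat[0]), len(u_hat[0][0])
    b = [[0.0] * n_out for _ in range(n_in)]  # routing logits, start uniform
    for _ in range(iterations):
        c = [softmax(row) for row in b]       # each lower capsule spreads weight 1 over parents
        v = []
        for j in range(n_out):
            s_j = [sum(c[i][j] * u_hat[i][j][d] for i in range(n_in)) for d in range(dim)]
            v.append(squash(s_j))
        for i in range(n_in):                 # reward predictions that agree with the parent output
            for j in range(n_out):
                b[i][j] += sum(u_hat[i][j][d] * v[j][d] for d in range(dim))
    return v, c

def route_ransomware_features():
    """Constructed toy scenario: three 2-d feature capsules each predict two parent
    capsules, 0 = 'RaaS campaign' and 1 = 'scheduled backup job'."""
    u_hat = [
        [[2.0, 0.0], [1.0, 1.0]],    # encryption burst: backs campaign; weakly hints backup
        [[2.0, 0.1], [-1.0, 1.0]],   # off-hours activity: agrees with the other two on campaign
        [[2.0, -0.1], [0.0, -1.5]],  # ransom note: its backup prediction contradicts the others
    ]
    return dynamic_routing(u_hat)

def norm(v):
    return math.sqrt(sum(x * x for x in v))

if __name__ == "__main__":
    v, c = route_ransomware_features()
    print("campaign length", round(norm(v[0]), 3), "backup length", round(norm(v[1]), 3))
    print("coupling to campaign per feature", [round(row[0], 3) for row in c])
```

Because the three campaign predictions point the same way, routing drives nearly all of each feature's coupling onto the campaign capsule, whose output length approaches 1, while the contradictory backup predictions cancel and that capsule's length collapses.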

CapsNets vs. Ransomware

Now, let's talk about how a capsule network could have prevented the LockBit 2.0 attack on the US airline company. If a capsule network had been in place, it could have analyzed the various features of the attack and identified it as a potential RaaS campaign.

The capsule network would have flagged the attack as an anomaly and sent a signal to an XDR system. The XDR system would have correlated this signal with data from other sources, such as endpoint devices and network traffic, to validate the signal and generate a detection.

This detection could then be sent to security personnel, who could take action to contain the attack and mitigate the damage. For example, they could isolate the affected endpoint, limit access to sensitive data, and take steps to prevent the attack from spreading to other systems.

By integrating a capsule network with an XDR system, organizations can leverage the strengths of both technologies to improve their security posture and better protect their systems from RaaS campaigns and other cyber threats.

For example, a capsule network can identify patterns of lateral movement, which is a technique used by attackers to move through a network undetected and gain access to sensitive data or systems. By identifying patterns of lateral movement, the capsule network can detect and prevent these attacks before they cause damage.

The capsule network can send a signal to the XDR system, which can correlate it with data from other sources to provide context and validate the signal. The XDR system can then generate an alert, notifying security personnel of the potential lateral movement and providing them with actionable insights to respond to the threat.
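The signal-to-detection flow described here and in the LockBit section above, as an added example that is not part of the post: a capsule-network anomaly signal is only promoted to a detection once the XDR side corroborates it with endpoint telemetry or with a lateral-movement fan-out over SMB/RDP (ports 445/3389) from the same host in the same time window. Host names, timestamps, event types and thresholds are constructed.

```python
# Constructed sample telemetry (not from the post): one CapsNet signal plus the
# endpoint and network data an XDR system would already be ingesting.
CAPSNET_SIGNAL = {"host": "ws-17", "ts": 1_700_000_120, "score": 0.93,
                  "features": ["encryption_burst", "off_hours", "ransom_note"]}

ENDPOINT_EVENTS = [
    {"host": "ws-17", "ts": 1_700_000_100, "type": "file_rename_burst", "count": 4200},
    {"host": "ws-17", "ts": 1_700_000_110, "type": "shadow_copy_delete"},
    {"host": "ws-22", "ts": 1_700_000_050, "type": "file_rename_burst", "count": 30},
]

NETWORK_FLOWS = [  # (src, dst, dst_port, ts)
    ("ws-17", "fs-01", 445, 1_700_000_130),
    ("ws-17", "ws-18", 445, 1_700_000_135),
    ("ws-17", "ws-19", 3389, 1_700_000_140),
    ("ws-22", "fs-01", 445, 1_700_000_060),
]

def correlate(signal, endpoint_events, flows, window=300, min_score=0.8, fanout=3):
    """Validate a capsule-network signal against other telemetry before raising a detection.
    Returns a detection dict, or None when the signal is weak or uncorroborated."""
    if signal["score"] < min_score:
        return None
    host = signal["host"]
    lo, hi = signal["ts"] - window, signal["ts"] + window
    ep = [e for e in endpoint_events if e["host"] == host and lo <= e["ts"] <= hi]
    # distinct internal hosts this endpoint reached over SMB/RDP inside the window
    targets = {dst for src, dst, port, ts in flows
               if src == host and lo <= ts <= hi and port in (445, 3389)}
    evidence = []
    if ep:
        evidence.append("endpoint:" + ",".join(sorted({e["type"] for e in ep})))
    if len(targets) >= fanout:
        evidence.append(f"lateral_movement:{len(targets)} internal targets")
    if not evidence:  # an uncorroborated ML signal stays a signal, not a detection
        return None
    severity = "critical" if len(evidence) == 2 else "high"
    return {"host": host, "severity": severity, "evidence": evidence,
            "recommended_action": "isolate endpoint and review reachable shares"}

if __name__ == "__main__":
    print(correlate(CAPSNET_SIGNAL, ENDPOINT_EVENTS, NETWORK_FLOWS))
```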

In conclusion, by combining the power of capsule networks and XDR systems, organizations can stay one step ahead of RaaS campaigns and other cyber threats. Capsule networks can provide high-quality signals that can be integrated into an XDR system to enhance its detection capabilities and improve the organization's overall security posture. So, let's leverage these powerful technologies and keep our systems safe from attackers.

Halcyon is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. And check out the Recent Ransomware Attacks resource site to get near real-time tracking of ransomware attacks, threat actor groups and their victims.
