Part 2: Capsule Network Detections vs Ransomware

Written by Tommy Perniciaro
Published on Feb 21, 2023

In our post, Capsule Networks vs CNN’s for Ransomware Detection, we explored why leveraging Capsule Networks (CapsNets) is a superior approach to detecting different types of ransomware variants and attack campaigns, and how they can overcome some of the challenges involved in detecting ransomware.

In this post, let's dive deeper into the technical details of how a capsule network could prevent a Ransomware-as-a-Service (RaaS) campaign like LockBit 2.0, and how it could work in conjunction with an Extended Detection and Response (XDR) tool. First, let's talk about how a capsule network works. 

CapsNets 101

Capsule networks are a type of neural network that can identify complex patterns in data and represent them as vectors. Unlike traditional neural networks like convolutional neural networks (CNNs), capsule networks are designed to identify spatial hierarchies and relationships between various features in the data, making them highly effective at detecting anomalies in data and predicting complex patterns.

In the case of detecting RaaS campaigns, a capsule network can analyze various patterns of data, such as the type of files being encrypted, the time of day the attack occurred, and the specific ransom note left by the attacker. By identifying the spatial hierarchies and relationships between these features, the capsule network can detect anomalies that would signal a potential RaaS campaign.

CapsNets vs. Ransomware

Now, let's talk about how a capsule network could have prevented the LockBit 2.0 attack on the US airline company. If a capsule network had been in place, it could have analyzed the various features of the attack and identified it as a potential RaaS campaign.

The capsule network would have flagged the attack as an anomaly and sent a signal to an XDR system. The XDR system would have correlated this signal with data from other sources, such as endpoint devices and network traffic, to validate the signal and generate a detection.

This detection could then be sent to security personnel, who could take action to contain the attack and mitigate the damage. For example, they could isolate the affected endpoint, limit access to sensitive data, and take steps to prevent the attack from spreading to other systems.

By integrating a capsule network with an XDR system, organizations can leverage the strengths of both technologies to improve their security posture and better protect their systems from RaaS campaigns and other cyber threats.

For example, a capsule network can identify patterns of lateral movement, which is a technique used by attackers to move through a network undetected and gain access to sensitive data or systems. By identifying patterns of lateral movement, the capsule network can detect and prevent these attacks before they cause damage.

The capsule network can send a signal to the XDR system, which can correlate it with data from other sources to provide context and validate the signal. The XDR system can then generate an alert, notifying security personnel of the potential lateral movement and providing them with actionable insights to respond to the threat.
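The validation step described above can be sketched as a time-window join between model signals and other telemetry. This is an added example, not part of the original post or of any XDR product; the field names, event names, thresholds and sample records are all hypothetical and constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data; every field name and value here is hypothetical.
MODEL_SIGNALS = [
    {"host": "ws-014", "time": "2023-02-21T09:02:00", "score": 0.93},
    {"host": "ws-027", "time": "2023-02-21T09:05:00", "score": 0.88},
    {"host": "ws-031", "time": "2023-02-21T09:06:00", "score": 0.41},
]
TELEMETRY = [
    {"source": "endpoint", "host": "ws-014", "time": "2023-02-21T09:00:30", "event": "mass_file_rename"},
    {"source": "network", "host": "ws-014", "time": "2023-02-21T09:04:10", "event": "new_smb_sessions_to_many_hosts"},
    {"source": "endpoint", "host": "ws-027", "time": "2023-02-21T07:15:00", "event": "mass_file_rename"},
    {"source": "network", "host": "ws-031", "time": "2023-02-21T09:06:20", "event": "new_smb_sessions_to_many_hosts"},
]

def correlate(signals, telemetry, window=timedelta(minutes=10), min_score=0.8):
    """Turn model signals into detections only when other telemetry agrees.

    A signal is validated when at least one non-model source reports an event
    on the same host within `window` of the signal time."""
    detections, unvalidated = [], []
    for sig in signals:
        if sig["score"] < min_score:
            continue                          # too weak to act on by itself
        t0 = datetime.fromisoformat(sig["time"])
        evidence = [ev for ev in telemetry
                    if ev["host"] == sig["host"]
                    and abs(datetime.fromisoformat(ev["time"]) - t0) <= window]
        if not evidence:
            unvalidated.append(sig["host"])   # keep for tuning, do not alert
            continue
        sources = sorted({ev["source"] for ev in evidence})
        detections.append({
            "host": sig["host"],
            "score": sig["score"],
            "sources": sources,
            "severity": "high" if len(sources) > 1 else "medium",
            "evidence": [ev["event"] for ev in evidence],
        })
    return detections, unvalidated
```

With the sample data, only ws-014 becomes a detection: ws-027 has a confident model signal but no telemetry inside the window, and ws-031 has network activity but a model score below the threshold.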

In conclusion, by combining the power of capsule networks and XDR systems, organizations can stay one step ahead of RaaS campaigns and other cyber threats. Capsule networks can provide high-quality signals that can be integrated into an XDR system to enhance its detection capabilities and improve the organization's overall security posture. So, let's leverage these powerful technologies and keep our systems safe from attackers.
