Capsule Networks vs CNNs for Ransomware Detection

Ransomware is malware that encrypts a victim's files and demands a payment in exchange for the decryption key. It has become a growing threat in recent years, in part because new variants routinely evade traditional, signature-based malware detection.

This article explains why Capsule Networks (CapsNets) are a superior approach to detecting the range of ransomware variants and attack campaigns in circulation, and how they overcome some of the challenges involved in detecting ransomware.

Capsule Networks vs. Convolutional Neural Networks

CapsNets and CNNs are both neural-network approaches to image classification and object recognition. Both learn features and patterns from pixel data, but they differ in how those features are represented and how they are combined into higher-level ones.

A CNN stacks convolution and pooling layers: each convolution layer detects local patterns, and pooling down-samples the feature maps so that later layers see a coarser, position-invariant summary. Pooling discards the precise relative position and pose of the features it merges. A CapsNet instead groups neurons into capsules whose output is a vector: the length of the vector encodes the probability that a feature is present, and its orientation encodes the feature's instantiation parameters (pose, size, orientation). Higher-level capsules are assembled by dynamic routing, also called routing by agreement: every lower-level capsule predicts what each higher-level capsule should output, and the coupling between a pair is strengthened only where those predictions agree with the higher capsule's actual output.

Because part-whole relationships are preserved rather than pooled away, a CapsNet can recognize an object from the agreement of its parts, which lets it handle more complex objects and recognize them even when they are partially occluded or made up of several parts.
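The routing-by-agreement step described above is short enough to write out in full. What follows is an added example written for this article, not code from the original page: a from-scratch implementation of the dynamic routing procedure from the CapsNet literature (Sabour, Frosst and Hinton, 2017). The prediction vectors in U_HAT are constructed by hand so the demo runs offline; in a real network they come from a learned transform of the lower capsules' outputs.

```python
"""Dynamic routing ("routing by agreement") between two capsule layers.

Added example for this article, not code from the original page. U_HAT is
constructed by hand; in a real CapsNet the prediction vectors are produced
by a learned transform of the lower-level capsule outputs.
"""
import math
from typing import List, Tuple

Vec = List[float]


def squash(s: Vec) -> Vec:
    """Capsule non-linearity: keeps direction, maps length into [0, 1).

    The length of the result is read as the probability that the feature
    the capsule represents is present; the direction carries its pose.
    """
    norm_sq = sum(x * x for x in s)
    if norm_sq == 0.0:
        return [0.0] * len(s)
    scale = (norm_sq / (1.0 + norm_sq)) / math.sqrt(norm_sq)
    return [scale * x for x in s]


def length(v: Vec) -> float:
    return math.sqrt(sum(x * x for x in v))


def _softmax(row: Vec) -> Vec:
    m = max(row)
    exps = [math.exp(x - m) for x in row]
    total = sum(exps)
    return [e / total for e in exps]


def _dot(a: Vec, b: Vec) -> float:
    return sum(x * y for x, y in zip(a, b))


def dynamic_routing(u_hat: List[List[Vec]], iterations: int = 3) -> Tuple[List[Vec], List[Vec]]:
    """Route n_in lower-level capsules to n_out higher-level capsules.

    u_hat[i][j] is lower capsule i's prediction of higher capsule j's
    output vector. Returns (v, c): the higher-capsule outputs and the
    coupling coefficients c[i][j] used to produce them (each row of c
    sums to 1). Max pooling, by contrast, would keep only the strongest
    input and throw the agreement structure away.
    """
    n_in, n_out, out_dim = len(u_hat), len(u_hat[0]), len(u_hat[0][0])
    # Routing logits start at zero, so the first pass couples uniformly.
    b = [[0.0] * n_out for _ in range(n_in)]
    v: List[Vec] = [[0.0] * out_dim for _ in range(n_out)]
    c: List[Vec] = []
    for _ in range(iterations):
        # Each lower capsule distributes its vote across the higher capsules.
        c = [_softmax(row) for row in b]
        for j in range(n_out):
            s = [0.0] * out_dim
            for i in range(n_in):
                for k in range(out_dim):
                    s[k] += c[i][j] * u_hat[i][j][k]
            v[j] = squash(s)
        # Agreement step: a prediction that points the same way as the
        # higher capsule's output strengthens that coupling; one that
        # points against it weakens it.
        for i in range(n_in):
            for j in range(n_out):
                b[i][j] += _dot(u_hat[i][j], v[j])
    return v, c


# Constructed input (not real model activations): three lower capsules
# voting for two higher capsules in a 2-D pose space. Capsules 0 and 1
# agree that higher capsule 0 points along +x; capsule 2 contradicts
# them there and instead backs higher capsule 1 along +y.
U_HAT: List[List[Vec]] = [
    [[1.0, 0.0], [0.0, 0.1]],
    [[0.9, 0.1], [0.1, 0.0]],
    [[-1.0, 0.0], [0.0, 1.0]],
]


def route_demo(iterations: int = 3) -> Tuple[List[Vec], List[Vec]]:
    """Run routing on U_HAT; with iterations=1 the coupling stays uniform."""
    return dynamic_routing(U_HAT, iterations)


if __name__ == "__main__":
    v, c = route_demo()
    for j, out in enumerate(v):
        print(f"higher capsule {j}: length={length(out):.3f} direction={[round(x, 3) for x in out]}")
    for i, row in enumerate(c):
        print(f"lower capsule {i} coupling: {[round(x, 3) for x in row]}")
```

After three iterations the two capsules that agree end up coupled mostly to higher capsule 0 and the dissenting capsule mostly to higher capsule 1; with a single iteration every coupling stays at 0.5, which is the sense in which routing, unlike pooling, is decided by agreement rather than by magnitude alone.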

CapsNets Deliver Superior Ransomware Detection Capabilities 

CapsNets are better suited to detecting ransomware variants and campaigns because they model the relationships between the parts of a sample, not just the presence of individual features. The routing-by-agreement that assembles an object from its parts can likewise assemble a detection from the hierarchy of components in a ransomware sample, for example a file-enumeration routine, a key-generation routine and an encryption loop that occur together and in a consistent arrangement. Learning that hierarchy lets the model generalize to variants that reorder, rewrite or obfuscate individual parts.

CapsNets can also learn from historical data what normal user behavior looks like, which helps to distinguish legitimate activity from ransomware. Context tells the model whether a given activity is typical or unusual for that user or host, and temporal information tells it whether the activity is one step in a larger attack (mass file modification following credential use and lateral movement, say) rather than an isolated event.

Finally, CapsNets work best on input features that capture the semantic meaning of the ransomware code, such as control-flow graphs or API call sequences, and on features that capture the behaviors specific to individual ransomware families, rather than on raw bytes that obfuscation can freely rewrite. Taken together, these properties make CapsNets better at detecting the range of ransomware variants and campaigns than other malware detection methods.

Where CNNs Fall Short

CNNs, in contrast, are less effective at capturing the relationships between the parts of a ransomware sample. Ransomware is built to evade detection, often through obfuscation that changes the surface appearance of the code while leaving its structure and behavior intact.

A CNN's pooling layers discard the relative arrangement of the features they merge, so the network tends to learn that certain features are present rather than how they relate to one another. That makes it harder to generalize across variants, and harder to learn from historical data the patterns of normal user behavior needed to tell legitimate activity from ransomware.

For example, a specific ransomware variant may use distinctive code to perform encryption, such as a characteristic sequence of API or system calls. A CapsNet trained on features that capture the semantics of the code (API call sequences, control-flow graphs) can pick out that pattern from the agreement between its parts; a CNN working on the same input is more likely to miss it, or to fire on unrelated code that shares the same surface features, producing missed detections or false positives. The same weakness shows up with complex objects generally: pooling makes it harder for a CNN to recognize the hierarchical relationships between parts, and obfuscation is designed to break exactly the surface features a CNN falls back on.
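The API-call-sequence features referred to in the two passages above have to be turned into a fixed-shape input before any network, capsule or convolutional, can consume them. The following is an added example written for this article, not code from the original page: the trace format, process IDs, arguments and the small API vocabulary are all constructed for the demo. It shows why the sequence, rather than the bag of calls, is the feature worth keeping: the two constructed traces share most of their individual calls and differ only in their order and in the crypto calls wrapped around the writes.

```python
"""API-call-sequence features for a ransomware classifier.

Added example for this article, not code from the original page. Both
traces and the vocabulary are constructed for illustration.
"""
from collections import Counter
from typing import Dict, List, Sequence

# Index 0 is reserved for padding and for calls outside the vocabulary.
VOCAB: Dict[str, int] = {name: i + 1 for i, name in enumerate([
    "CreateFileW", "ReadFile", "WriteFile", "CloseHandle",
    "FindFirstFileW", "FindNextFileW", "MoveFileExW", "DeleteFileW",
    "CryptAcquireContextW", "CryptGenKey", "CryptEncrypt",
])}

# Constructed trace: enumerate a folder, encrypt each file in place, rename it.
RANSOMWARE_TRACE = r"""
# pid  api(args) -> return   (constructed sample, not a real capture)
4120 CryptAcquireContextW(&hProv, NULL, MS_ENH_RSA_AES_PROV, PROV_RSA_AES, 0) -> 1
4120 CryptGenKey(hProv, CALG_AES_256, CRYPT_EXPORTABLE, &hKey) -> 1
4120 FindFirstFileW("C:\Users\victim\Documents\*", &fd) -> 0x1c8
4120 CreateFileW("C:\Users\victim\Documents\a.docx", GENERIC_READ|GENERIC_WRITE, ...) -> 0x1d0
4120 ReadFile(0x1d0, buf, 4096, &n, NULL) -> 1
4120 CryptEncrypt(hKey, 0, TRUE, 0, buf, &n, 4096) -> 1
4120 WriteFile(0x1d0, buf, n, &w, NULL) -> 1
4120 CloseHandle(0x1d0) -> 1
4120 MoveFileExW("C:\Users\victim\Documents\a.docx", "C:\Users\victim\Documents\a.docx.locked", 0) -> 1
4120 FindNextFileW(0x1c8, &fd) -> 1
4120 CreateFileW("C:\Users\victim\Documents\b.xlsx", GENERIC_READ|GENERIC_WRITE, ...) -> 0x1d4
4120 ReadFile(0x1d4, buf, 4096, &n, NULL) -> 1
4120 CryptEncrypt(hKey, 0, TRUE, 0, buf, &n, 4096) -> 1
4120 WriteFile(0x1d4, buf, n, &w, NULL) -> 1
4120 CloseHandle(0x1d4) -> 1
4120 MoveFileExW("C:\Users\victim\Documents\b.xlsx", "C:\Users\victim\Documents\b.xlsx.locked", 0) -> 1
4120 FindNextFileW(0x1c8, &fd) -> 0
"""

# Constructed trace: a text editor opening a document and saving it back.
BENIGN_TRACE = r"""
# pid  api(args) -> return   (constructed sample, not a real capture)
2210 CreateFileW("C:\Users\alice\notes.txt", GENERIC_READ, ...) -> 0x2a0
2210 ReadFile(0x2a0, buf, 4096, &n, NULL) -> 1
2210 CloseHandle(0x2a0) -> 1
2210 CreateFileW("C:\Users\alice\notes.txt", GENERIC_WRITE, ...) -> 0x2a4
2210 WriteFile(0x2a4, buf, n, &w, NULL) -> 1
2210 CloseHandle(0x2a4) -> 1
"""


def parse_trace(trace: str) -> List[str]:
    """Pull the API name out of each 'pid api(args) -> ret' line."""
    calls: List[str] = []
    for line in trace.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) < 2:
            continue
        calls.append(parts[1].split("(", 1)[0])
    return calls


def encode(calls: Sequence[str], max_len: int = 32) -> List[List[int]]:
    """One-hot matrix of shape (max_len, len(VOCAB) + 1), padded or truncated.

    This 2-D matrix is the 'image' a convolutional or capsule layer takes:
    rows are positions in the call sequence, columns are API identities.
    """
    width = len(VOCAB) + 1
    rows: List[List[int]] = []
    for name in list(calls)[:max_len]:
        row = [0] * width
        row[VOCAB.get(name, 0)] = 1
        rows.append(row)
    while len(rows) < max_len:
        rows.append([1] + [0] * (width - 1))  # padding token at index 0
    return rows


def bigrams(calls: Sequence[str]) -> Counter:
    """Order-preserving histogram: which call follows which."""
    return Counter(zip(calls, calls[1:]))


def shared_calls(a: Sequence[str], b: Sequence[str]) -> set:
    """Calls present in both traces; large overlap shows why a bag of calls is weak."""
    return set(a) & set(b)


if __name__ == "__main__":
    ransom, benign = parse_trace(RANSOMWARE_TRACE), parse_trace(BENIGN_TRACE)
    print("calls present in both traces:", sorted(shared_calls(ransom, benign)))
    print("bigrams only in the ransomware trace:", sorted(bigrams(ransom).keys() - bigrams(benign).keys()))
```

The one-hot matrix is what a model is trained on; the bigram histogram is included because it is a cheap way to check, before training anything, that the ordering information survives the encoding. Here the four file-handling calls appear in both traces, so only the sequence (CryptEncrypt followed by WriteFile, then MoveFileExW to a new extension) separates them.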

Upleveling Ransomware Detection and Response 

In conclusion, Capsule Networks are a superior approach to detecting ransomware variants and campaigns because they preserve, and learn from, the relationships between the parts of a sample. Combined with features that capture the semantic meaning of the code, this lets them generalize to new variants instead of memorizing the surface features of known ones. One caveat applies, as with any learned detector: the gains only materialize with representative training data, and a model should be validated on ransomware families it has never seen rather than on fresh variants of families already in its training set.

The technical differences between CapsNets and CNNs make CapsNets the more promising direction for future research in deep learning for ransomware detection.

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. And check out the Recent Ransomware Attacks resource site to get near real-time tracking of ransomware attacks, threat actor groups and their victims.

Ransomware Roundup: 07.01.22

A conviction in the fight against ransomware, LockBit announces a bug bounty program (seriously) and ransomware is named the greatest cybersecurity threat - surprising no one.

This week’s round up…

  • It seems like a great side hustle … until it lands you in prison
  • The updated version of AstraLocker is looking for a quick payout
  • UK’s NCSC names the greatest cybersecurity threat of our times
  • Vice Society takes down a medical university
  • So, we found a reason to jeer at a bug bounty program
  • CISA offers warning about MedusaLocker

It seems like a great side hustle … until it lands you in prison

A ransomware affiliate pleaded guilty to charges in an all too rare instance of legal action against a cybercriminal. Jonathan Greig at The Record reported that Canada extradited Sebastien Vachon-Desjardins of Quebec to the United States in March 2022; he had worked with the NetWalker group to extort a company in Florida.

“United States Attorney for the Middle District of Florida Roger Handberg said Vachon-Desjardins has agreed to plead guilty to four charges: Conspiracy to Commit Computer Fraud, Conspiracy to Commit Wire Fraud, Intentional Damage to a Protected Computer and Transmitting a Demand in Relation to Damaging a Protected Computer,” Greig wrote.

It should be noted that Vachon-Desjardins' cybercriminal enterprise was a side hustle. He worked full time, wait for it, "for the Canadian government as an IT employee while conducting ransomware attacks on behalf of NetWalker," Greig reported.

A Canadian court sentenced Vachon-Desjardins to seven years in prison on separate charges in Feb. 2022.  

The updated version of AstraLocker is looking for a quick payout

Lindsey O’Donnell-Welch at Decipher by Duo reported on an updated version of AstraLocker that is delivered directly from infected Microsoft Office files. According to the article, this is “an unusually quick delivery method leading researchers to believe that the threat actor behind the ransomware is solely interested in making a big impact and receiving a quick payout.”

“Typically, affiliate threat actors avoid pushing ransomware early, opting instead to push files that allow them to expand their reach within the target environment,” O'Donnell-Welch quoted Joseph Edwards, a researcher with ReversingLabs. “Ransomware almost invariably is deployed last, after compromising the victim's Domain Controller(s), which enables the cybercriminals to use the domain controller (for example: Active Directory) to deploy a group policy object and encrypt all hosts in the affected domains.”

UK’s NCSC names the greatest cybersecurity threat of our times

The United Kingdom’s National Cyber Security Centre declared ransomware the greatest global cybersecurity threat. Danny Palmer at ZDNet reported that “the volume of ransomware has risen significantly with the amount of detected activity in the first quarter of 2022 more than three times what was detected during the same period last year.”

"Even with a war raging in Ukraine – the biggest global cyber threat we still face is ransomware. That tells you something of the scale of the problem. Ransomware attacks strike hard and fast. They are evolving rapidly, they are all-pervasive, they're increasingly offered by gangs as a service, lowering the bar for entry into cyber crime," Palmer quoted Lindy Cameron, CEO of the NCSC.

Vice Society takes down a medical university

Vice Society – the group that claimed responsibility for extorting the Italian city of Palermo – scored another victim this week. Bill Toulas at Bleeping Computer reports that the cybercriminal group attacked the Medical University of Innsbruck, which “caused severe IT service disruption and the alleged theft of data.”

“On June 21, 2022, the university's IT team proceeded to reset all 3,400 students' and 2,200 employees' account passwords and called everyone to go through a manual process of personally collecting their new credentials.

“In the days that followed, the university gradually restored its online services and returned operations to its main site, which had previously been initially taken offline,” Toulas reported.

Vice Society has been particularly active lately, with victims including “a college in the UK, a hospital in Italy, and two universities in the UK. This makes the Medical University of Innsbruck the fifth disclosed European victim of Vice in the past month,” according to Toulas.

So, we found a reason to jeer at a bug bounty program

Usually, the launch of a bug bounty program is a cause for celebration. Unless a ransomware gang announces it, in which case … disgusting.

Adam Janofsky at The Record by Recorded Future reported that the LockBit gang recently released the third version of its ransomware and a new bug bounty program, which ostensibly seeks to crowdsource the improvement of the malware – again, disgusting.

“Although few details were provided about technical changes to the ransomware-as-a-service operation, the group said it was inviting all security researchers and hackers to participate in its bug bounty program, which allegedly offers rewards ranging from $1,000 to $1 million. The group is seeking website bugs, locker errors, and ideas to improve the group’s software, among other things. A $1 million bounty is reserved for discovering the true name of the affiliate program manager, known as LockBitSupp,” Janofsky reported.

CISA offers warning about MedusaLocker

The United States Cybersecurity and Infrastructure Security Agency (CISA) released an alert about MedusaLocker. The ransomware-as-a-service (RaaS) gang targets specific vulnerabilities, and the CISA notice includes indicators of compromise, MITRE ATT&CK techniques and mitigation details to help organizations reduce the risk of infection.

“Observed as recently as May 2022, MedusaLocker actors predominantly rely on vulnerabilities in Remote Desktop Protocol (RDP) to access victims’ networks,” CISA wrote in the alert.

Thanks to the reporters and researchers

Shout out to the following people for their original reporting and research referenced in this week’s Ransomware Roundup.

Jonathan Greig at The Record - Recorded Future for their reporting on Netwalker ransomware affiliate agrees to plead guilty to hacking charges.  

Catalin Cimpanu at The Record - Recorded Future for their reporting on NetWalker ransomware affiliate sentenced to seven years in prison.

Lindsey O’Donnell-Welch at Decipher by Duo for their reporting on AstraLocker Ransomware Spread in ‘Smash and Grab’ Attacks.

Joseph Edwards at ReversingLabs for their research on Smash-and-grab: AstraLocker 2.0 pushes ransomware direct from Office docs.

Danny Palmer at ZDNet for their reporting on Ransomware is the biggest global cyber threat. And the attacks are still evolving.

Bill Toulas at Bleeping Computer for their reporting on Vice Society claims ransomware attack on Med. University of Innsbruck.

Adam Janofsky at The Record - Recorded Future for their reporting on LockBit adds a bug bounty program in its revamped ransomware-as-a-service operation.

Cybersecurity & Infrastructure Security Agency for their #StopRansomware: MedusaLocker alert.

Ransomware Roundup: 07.22.22

Welcome back to this week’s round up…

Ransom City Blues

Corin Faife at The Verge reports that a small Canadian town, St. Marys, Ontario, has been hit by the LockBit group. According to the report, most of the essential services in the town of 7,500 were not impacted, but screenshots from the leak site show possible impact to finance, health and safety, sewage treatment, property files and public works. St. Marys is unfortunately not alone in this recent spurt of LockBit activity: the town of Frederick, Colorado’s data is also listed as compromised by the group.

School of Hard Knocks

According to a recent Sophos survey of 5,600 IT workers representing 410 colleges and universities across the globe, nearly 75% of these institutions suffered from successful ransomware attacks.

This astounding statistic (unfortunately) shows that higher education institutions are a rich and profitable hunting ground for ransomware groups with a success rate greater than healthcare or even financial services. As attackers run up against better defenses in other market segments, they will look for targets that, for a variety of reasons, do not commit the necessary resources to protecting their infrastructure. If you’ve been in cybersecurity for long enough, this will not come as a surprise – even with specific education-centric discounted programs the adoption of new cybersecurity products and services in education has always lagged other segments.

Twisted Metal

As we’ve written about in previous Ransomware Roundups, ransomware targeting ESXi environments continues to grow.

While it’s one thing to ransom an endpoint, targeting bare-metal hypervisors that host multiple VMs, or even clusters of hosts, can have devastating results. Dark Reading has an excellent roundup of the growth in Luna and Black Basta, which have cross-platform capabilities to target Windows, Linux and ESXi systems. VMware has disclosed several critical vulnerabilities this year that attackers have been taking advantage of.

It’s yet to be seen whether the targeting of ESXi is driven solely by the opportunity these vulns have provided or if these groups are intentionally going after a new and lucrative market segment.

Ransomware goes Freemium

Getting traction with a new product in a crowded market is always difficult, it’s why Product Led Growth (PLG) is such a hot topic with SaaS companies over the last few years. So, it only makes sense that an up-and-coming group would simply give their ransomware away for free, the stipulation being a higher cut on commission. With Redeemer 2.0’s release, the barrier for entry for anyone to kick off a ransomware campaign has never been lower. Plus, the group has stated if the adoption rate isn’t high enough, they’ll just open source the entire project. What a wonderful new world we’re living in.

Down the Drain

There are reports coming in that an organization that runs sewer systems in the Providence and Blackstone Valley areas of Rhode Island was hit by a yet-to-be-known cyberattack, rumored to be ransomware. While details are scant, the crossover from cyber into physical systems has seemingly been increasing in 2022. Be on the lookout next week, as more details come to light.

Thanks to the reporters and researchers

Shout out to the following people for their original reporting and research referenced in this week’s Ransomware Roundup.

https://www.theverge.com/2022/7/22/23274372/st-marys-canada-lockbit-ransomware-cyber-incident

Author: Corin Faife

https://assets.sophos.com/X24WTUEQ/at/pgvqxjrfq4kf7njrncc7b9jp/sophos-state-of-ransomware-education-2022-wp.pdf

Author: Sophos

https://www.darkreading.com/attacks-breaches/snowballing-ransomware-variants-highlight-growing-threat-to-vmware-esxi-environments

Author: Jai Vijayan

https://www.bleepingcomputer.com/news/security/new-redeemer-ransomware-version-promoted-on-hacker-forums/

Author: Bill Toulas

https://www.providencejournal.com/story/news/local/2022/07/16/ri-sewer-system-narragansett-bay-commission-hit-cyber-attack/10076978002/

Author: Paul Edward Parker

Ransomware Roundup: 07.15.22

Well, turns out Bandai Namco got popped by BlackCat, patients trying to pay for their health procedures had their PII leaked, and June was a better month for ransomware defenders.

This week’s round up …

  • Doxxed: Because paying for that surgery wasn’t enough
  • BlackCat claims credit for Bandai Namco breach
  • Ransomware statistics for June are out, and it’s kind of encouraging (narrator: It is not)
  • A new player has joined the game: Lilith ransomware
  • From North Korea, with love

Doxxed: Because paying for that surgery wasn’t enough

Professional Finance Company issued a statement that a ransomware group was able to access databases holding personal information of patients at 657 healthcare organizations in Feb. 2022. PFC handles payments for many hospitals and the information includes names, addresses and Social Security numbers of account holders.

“PFC found no evidence that personal information has been specifically misused; however, it is possible that the following information could have been accessed by an unauthorized third party: first and last name, address, accounts receivable balance and information regarding payments made to accounts, and, in some cases, date of birth, social security number, and health insurance and medical treatment information,” the company wrote in a statement.

PFC states that it has notified the affected organizations and that an investigation is ongoing. The attack has been attributed to the Quantum ransomware group.

BlackCat claims credit for Bandai Namco breach

The malware intelligence group vx-underground posted a screenshot on its official Twitter account that shows the ALPHV (BlackCat) ransomware group seemingly taking credit for the Bandai Namco breach that occurred this week.

“On July 3, 2022, Bandai Namco Holdings Inc. confirmed that it experienced an unauthorized access by third party to the internal systems of several Group companies in Asian regions (excluding Japan). After we confirmed the unauthorized access, we have taken measures such as blocking access to the servers to prevent the damage from spreading. In addition, there is a possibility that customer information related to the Toys and Hobby Business in Asian regions (excluding Japan) was included in the servers and PCs, and we are currently identifying the status about existence of leakage, scope of the damage, and investigating the cause,” the company wrote in an official statement.

Bandai Namco is the video game publisher behind popular franchises such as Elden Ring, Soulcalibur and Dark Souls.

A new player has joined the game: Lilith ransomware

An independent malware hunter discovered a new ransomware operation, dubbed Lilith, that claimed its first victim in South Africa.

“Lilith is a C/C++ console-based ransomware discovered by JAMESWT and designed for 64-bit versions of Windows. Like most ransomware operations launching today, Lilith performs double-extortion attacks, which is when the threat actors steal data before encrypting devices,” reported Bill Toulas at Bleeping Computer.

Threat Intelligence firm Cyble published a report detailing the technical analysis of Lilith. Admittedly, the RaaS group is in the early days of operations but worth watching.  

From North Korea, with love

The Microsoft Threat Intelligence Center (MSTIC) released research detailing the H0lyGh0st ransomware group (which Microsoft tracks as DEV-0530); the group has been active since 2021 and is reportedly operating out of North Korea. Attribution is notoriously fraught for malware researchers, but the MSTIC team provides compelling evidence.

“MSTIC assesses there is likely some overlap between DEV-0530 and PLUTONIUM. PLUTONIUM is a North Korean threat actor group affiliated with clusters of activity that are also known as DarkSeoul and Andariel. Active since at least 2014, PLUTONIUM has primarily targeted the energy and defense industries in India, South Korea, and the United States using a variety of tactics and techniques.

“MSTIC has observed known DEV-0530 email accounts communicating with known PLUTONIUM attacker accounts. MSTIC has also observed both groups operating from the same infrastructure set, and even using custom malware controllers with similar names,” the team wrote in their report.

H0lyGh0st attempted to legitimize its activities by claiming to help improve victim organizations’ security posture but … you know, extortion.

Thanks to the reporters and researchers

Shout out to the following people for their original reporting and research referenced in this week’s Ransomware Roundup.

Jonathan Greig at The Record - Recorded Future for their reporting on Medical debt collection firm says ransomware attack exposed info on 650+ healthcare orgs and Bandai Namco confirms cyberattack after ransomware group threatens leak.  

Sergiu Gatlan at Bleeping Computer for their reporting on Quantum ransomware attack affects 657 healthcare orgs. 

Adam Janofsky at The Record - Recorded Future for their reporting on Ransomware tracker: the latest figures [July 2022].

vx-underground on Twitter for their post: "ALPHV ransomware group (alternatively referred to as BlackCat ransomware group) claims to have ransomed Bandai Namco."

JAMESWT on Twitter for their post: "#Ransomware #Lilith."

Bill Toulas at Bleeping Computer for their reporting on New Lilith ransomware emerges with extortion site, lists first victim. 

Cyble for their research on New Ransomware Groups on the Rise.

Microsoft Threat Intelligence Center for their research on North Korean threat actor targets small and midsize businesses with H0lyGh0st ransomware (Microsoft Security Blog).
