Skip to main content

Microsoft is using ML to help you catch ransomware infections early

(Image credit: Pixabay)

Microsoft has taken the covers off of a new ransomware detection functionality for users of its cloud computing platform, Azure.

The tool, dubbed Fusion Detection for Ransomware, is the result of collaboration between Azure and the Microsoft Threat Intelligence Center (MSTIC), and employs machine learning (ML) to detect actions typically associated with ransomware activities and alert security teams in time to take remedial action.

“Once such ransomware activities are detected and correlated by the Fusion machine learning model, a high severity incident titled “Multiple alerts possibly related to Ransomware activity detected” will be triggered in your Azure Sentinel workspace,” shared Sylvie Liu, Security Program Manager at Microsoft in a blog post.

TechRadar needs you!

We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and we'd hugely appreciate if you'd share your experiences with us.

>> Click here to start the survey in a new window <<

Liu says that the intention with Fusion is to provide Azure users with all the relevant information by correlating signals from various Microsoft products along with those available in the network and the cloud. 

Complete picture

The rise of ransomware-as-a-service vendors and the prevalence of human operated ransomware has compounded not just the scope, but also the sophistication of ransomware attacks, argues Liu.

Building the case for Fusion, Liu argues that with more attackers adopting stealthier attack vectors to infiltrate and compromise their victims, defenders are finding it increasingly difficult to detect the attacks in time to prevent them.

By flagging malicious activity at the “defense evasion and execution” stages of an attack, Fusion will give security teams the opportunity to analyze the suspicious activity and stem an attack in the nascent stages.

To reduce the number of false positives, Microsoft has designed Fusion to connect with and collate relevant data from Azure Defender (Azure Security Center), Microsoft Defender for Endpoint, Microsoft Defender for Identity, Microsoft Cloud App Security, and Azure Sentinel scheduled analytics rules. 

“As you investigate and close the Fusion incidents, we encourage you to provide feedback on whether this incident was a True Positive, Benign Positive, or a False Positive, along with details in the comments. Your feedback is critical to help Microsoft deliver the highest quality detections,” Liu rounds off. 

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.