{"id":116382,"date":"2022-06-21T09:00:00","date_gmt":"2022-06-21T16:00:00","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=116382"},"modified":"2023-08-03T15:25:29","modified_gmt":"2023-08-03T22:25:29","slug":"improving-ai-based-defenses-to-disrupt-human-operated-ransomware","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/06\/21\/improving-ai-based-defenses-to-disrupt-human-operated-ransomware\/","title":{"rendered":"Improving AI-based defenses to disrupt human-operated ransomware"},"content":{"rendered":"\n<p>Microsoft\u2019s deep understanding of human-operated ransomware attacks, which are powered by a thriving <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/05\/09\/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself\/\">cybercrime gig economy<\/a>, continuously informs the solutions we deliver to protect customers. Our expert monitoring of threat actors, investigations into real-world ransomware attacks, and the intelligence we gather from the trillions of signals that the Microsoft cloud processes every day provide a unique insight into these threats. For example, we track human-operated ransomware attacks not only as distinct ransomware payloads, but more importantly, as a series of malicious activities that culminate in the deployment of ransomware. Detecting and stopping ransomware attacks as early as possible is critical for limiting the impact of these attacks on target organizations, including business interruption and extortion.<\/p>\n\n\n\n<p>To disrupt human-operated ransomware attacks as early as possible, we enhanced the AI-based protections in Microsoft Defender for Endpoint with a range of specialized machine learning techniques that find and swiftly incriminate \u2013 that is, determine malicious intent with high confidence \u2013 malicious files, processes, or behavior observed during active attacks.<\/p>\n\n\n\n<p>The early incrimination of entities \u2013 files, user accounts, and devices \u2013 represents a sophisticated mitigation approach that requires an examination of both the attack context as well as related events on either the targeted device or within the organization. Defender for Endpoint combines three tiers of AI-informed inputs, each of which generates a risk score, to determine whether an entity is associated with an active ransomware attack:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>A time-series and statistical analysis of alerts to look for anomalies at the organization level<\/li><li>Graph-based aggregation of suspicious events across devices within the organization to identify malicious activity across a set of devices<\/li><li>Device-level monitoring to identify suspicious activity with high confidence<\/li><\/ul>\n\n\n\n<p>Aggregating intelligence from these sources enables Defender for Endpoint to draw connections between different entities across devices within the same network. This correlation facilitates the detection of threats that might otherwise go unnoticed. When there\u2019s enough confidence that a sophisticated attack is taking place on a single device, the related processes and files are immediately blocked and remediated to disrupt the attack.<\/p>\n\n\n\n<p>Disrupting attacks in their early stages is critical for all sophisticated attacks but especially human-operated ransomware, where human threat actors seek to gain privileged access to an organization\u2019s network, move laterally, and deploy the ransomware payload on as many devices in the network as possible. For example, with its enhanced AI-driven detection capabilities, Defender for Endpoint managed to detect and incriminate a ransomware attack early in its encryption stage, when the attackers had encrypted files on fewer than four percent (4%) of the organization\u2019s devices, demonstrating improved ability to disrupt an attack and protect the remaining devices in the organization. This instance illustrates the importance of the rapid incrimination of suspicious entities and the prompt disruption of a human-operated ransomware attack.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"799\" height=\"584\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig1-correlation-between-time-passed-and-infection-percentage.png\" alt=\"Line chart illustrating how Defender for Endpoint detected and incriminated a ransomware attack when attackers had encrypted files on 3.9% of the organization\u2019s devices.\" class=\"wp-image-116385\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig1-correlation-between-time-passed-and-infection-percentage.png 799w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig1-correlation-between-time-passed-and-infection-percentage-300x219.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig1-correlation-between-time-passed-and-infection-percentage-768x561.png 768w\" sizes=\"auto, (max-width: 799px) 100vw, 799px\" \/><figcaption>Figure 1: Chart showing Microsoft Defender for Endpoint incriminating a ransomware attack when attackers had encrypted files on 3.9% of the organization\u2019s devices<\/figcaption><\/figure>\n\n\n\n<p>As this incident shows, the swift incrimination of suspicious files and processes mitigates the impact of ransomware attacks within an organization. After incriminating an entity, Microsoft Defender for Endpoint stops the attack via <a href=\"https:\/\/docs.microsoft.com\/en-us\/microsoft-365\/security\/defender-endpoint\/feedback-loop-blocking?view=o365-worldwide\">feedback-loop blocking<\/a>, which uses Microsoft Defender Antivirus to block the threat on endpoints in the organization. Defender for Endpoint then uses the threat intelligence gathered during the ransomware attack to protect other organizations.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"799\" height=\"451\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig2-alert-logic-and-incrimination-engine.png\" alt=\"Diagram with icons and lines depicting the incrimination and protection process.\" class=\"wp-image-116388\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig2-alert-logic-and-incrimination-engine.png 799w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig2-alert-logic-and-incrimination-engine-300x169.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig2-alert-logic-and-incrimination-engine-768x434.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig2-alert-logic-and-incrimination-engine-539x303.png 539w\" sizes=\"auto, (max-width: 799px) 100vw, 799px\" \/><figcaption>Figure 2: Overview of incrimination using cloud-based machine learning classifiers and blocking by Microsoft Defender Antivirus<\/figcaption><\/figure>\n\n\n\n<p>In this blog, we discuss in detail how Microsoft Defender for Endpoint uses multiple innovative, AI-based protections to examine alerts at the organization level, events across devices, and suspicious activity on specific devices to create a unique aggregation of signals that can identify a human-operated ransomware attack.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Detecting anomalies in alerts at the organization level<\/h2>\n\n\n\n<p>A human-operated ransomware attack generates a lot of noise in the system. During this phase, solutions like Defender for Endpoint raise many alerts upon detecting multiple malicious artifacts and behavior on many devices, resulting in an alert spike. Figure 3 shows an attack that occurred across a single organization.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"801\" height=\"493\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig3-spike-in-alerts.png\" alt=\"Line chart depicting the spread of a human-operated ransomware in an organization.\" class=\"wp-image-116391\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig3-spike-in-alerts.png 801w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig3-spike-in-alerts-300x185.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig3-spike-in-alerts-768x473.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig3-spike-in-alerts-392x240.png 392w\" sizes=\"auto, (max-width: 801px) 100vw, 801px\" \/><figcaption>Figure 3: Graph showing a spike in alerts during the ransomware phase of an attack<\/figcaption><\/figure>\n\n\n\n<p>Defender for Endpoint identifies an organization-level attack by using time-series analysis to monitor the aggregation of alerts and statistical analysis to detect any significant increase in alert volume. In the event of an alert spike, Defender for Endpoint analyzes the related alerts and uses a specialized machine learning model to distinguish between true ransomware attacks and spurious spikes of alerts.<\/p>\n\n\n\n<p>If the alerts involve activity characteristic of a ransomware attack, Defender for Endpoint searches for suspicious entities to incriminate based on attack relevance and spread across the organization. Figure 4 shows organization-level detection.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"802\" height=\"198\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig4-organization-level-anomaly-detection.png\" alt=\"Diagram with icons showing organization-level anomaly detection, including monitoring for alerts, anomaly detection based on alert counts, analysis of each alert, and incrimination of suspicious entities on individual devices.\" class=\"wp-image-116394\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig4-organization-level-anomaly-detection.png 802w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig4-organization-level-anomaly-detection-300x74.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig4-organization-level-anomaly-detection-768x190.png 768w\" sizes=\"auto, (max-width: 802px) 100vw, 802px\" \/><figcaption>Figure 4: Overview of organization-level anomaly detection<\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Graph-based monitoring of connections between devices<\/h2>\n\n\n\n<p>Organization-level monitoring can pose challenges when attacks don\u2019t produce enough noise at the organization level. Aside from monitoring anomalous alert counts, Defender for Endpoint also adopts a graph-based approach for a more focused view of several connected devices to produce high-confidence detections, including an overall risk score. For this level of monitoring, Defender for Endpoint examines remote activity on a device to generate a connected graph. This activity can originate from popular admin tools such as <em>PsExec \/ wmi \/ WinRm<\/em> when another device in the organization connects to a device using admin credentials. This remote connection can also indicate previous credential theft by an attacker.<\/p>\n\n\n\n<p>As administrators often use such connectivity tools for legitimate purposes, Defender for Endpoint differentiates suspicious activity from the noise by searching specifically for suspicious processes executed during the connection timeframe.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"799\" height=\"401\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig5-attack-pattern-command-line.png\" alt=\"Diagram with icons and arrows showing a typical attack pattern involving the command line as an initial attack vector via credential theft and compromised with tools such as psexec and wmi. The target then scans the network to connect to Active Directory and spread throughout the organization. \" class=\"wp-image-116397\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig5-attack-pattern-command-line.png 799w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig5-attack-pattern-command-line-300x151.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig5-attack-pattern-command-line-768x385.png 768w\" sizes=\"auto, (max-width: 799px) 100vw, 799px\" \/><figcaption>Figure 5: Diagram of a typical attack pattern from initial attack vector to scanning and lateral movement<\/figcaption><\/figure>\n\n\n\n<p>Figure 5 shows a typical attack pattern wherein a compromised device A is the initial attack vector, and the attacker uses remote desktop protocol (RDP) or a remote shell to take over the device and start scanning the network. If possible, the attackers move laterally to device B. At this point, the remote processes <em>wmic.exe<\/em> on the command line and <em>wmiprvse.exe<\/em> on the target can spawn a new process to perform remote activities.<\/p>\n\n\n\n<p>Graph-based detection generates the entities in memory to produce a virtual graph of connected components to calculate a total risk score, wherein each component represents a device with suspicious activities. These activities might produce low-fidelity signals, such as scores from certain machine learning models or other suspicious signals on the device. The edges of the graph show suspicious network connections. Defender for Endpoint then analyzes this graph to produce a final risk score. Figure 6 highlights an example of graph-based aggregation activities and risk score generation.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"438\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig6-aggregation-of-entities.png\" alt=\"Diagram with text and arrows showing the aggregation of signals to produce a risk score for multiple devices. A numerical algorithm is used to analyze the risk score of each device based on suspicious activity.\" class=\"wp-image-116400\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig6-aggregation-of-entities.png 800w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig6-aggregation-of-entities-300x164.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig6-aggregation-of-entities-768x420.png 768w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" \/><figcaption>Figure 6: Diagram showing the aggregation of signals to produce a risk score for multiple devices<\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Identifying suspicious activity with high confidence on a single device<\/h2>\n\n\n\n<p>The final detection category is identifying suspicious activity on a single device. Sometimes, suspicious signals from only one device represent enough evidence to identify a ransomware attack, such as when an attack uses evasion techniques like spreading activity over a period of time and across processes unrelated to the attack chain. As a result, such an attack can fly under the radar, if defenses fail to recognize these processes as related. If the signals are not strong enough for each process chain, no alerts will generate.<\/p>\n\n\n\n<p>Figure 7 depicts a simplified version of evasion activity using the Startup folder and autostart extension points. After taking over a device, an attacker opens <em>cmd.<\/em>exe and writes a file to the Startup folder to carry out malicious activities. When the device restarts, the file in the Startup folder performs additional commands using the parent process ID <em>explorer.exe,<\/em> which is unrelated to the original <em>cmd.exe<\/em> that wrote the file. This behavior splits the activity into two separate process chains occurring at different times, which could prevent security solutions from correlating these commands. As a result, when neither individual process produces enough noise, an alert might not appear.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"391\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig7-evasion-activity.png\" alt=\"Diagram with icons and arrows depicting evasion activity using four different processes, wherein cmd.exe commands the device to restart and then open explorer.exe which appears as an entirely separate process.\" class=\"wp-image-116403\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig7-evasion-activity.png 800w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig7-evasion-activity-300x147.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig7-evasion-activity-768x375.png 768w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" \/><figcaption>Figure 7: Evasion activity split into two separate process chains occurring at different times<\/figcaption><\/figure>\n\n\n\n<p>The enhanced AI-based detections in Defender for Endpoint can help connect seemingly unrelated activity by assessing logs for processes that resemble DLL hijacking, autostart entries in the registry, creation of files in startup folder, and similar suspicious changes. The incrimination logic then maps out the initiation of the first process in relation to the files and tasks that follow.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Human-operated ransomware protection using AI<\/h2>\n\n\n\n<p>Attackers behind human-operated campaigns make decisions depending on what they discover in environments they compromise. The human aspect of these attacks results in varied attack patterns that evolve based on unique opportunities that attackers find for privilege escalation and lateral movement. AI and machine learning present innovative methods for surfacing sophisticated attacks known for using advanced tools and techniques to stay persistent and evasive.<\/p>\n\n\n\n<p>In this blog, we discussed enhancements to cloud-based AI-driven protections in Microsoft Defender for Endpoint that are especially designed to help disrupt human-operated ransomware attacks. These enhanced protections use AI to analyze threat data from multiple levels of advanced monitoring and correlate malicious activities to incriminate entities and stop attacks in their tracks. Today, these AI protections are triggered in the early stages of the ransomware phase, as the attack starts to encrypt data on devices. We\u2019re now working to expand these protections to trigger even earlier in the attack chain, before the ransomware deployment, and to expand the scope to incriminate and isolate compromised user accounts and devices to further limit the damage of attacks. &nbsp;<\/p>\n\n\n\n<p>This innovative approach to detection adds to existing protections that <a href=\"https:\/\/www.microsoft.com\/microsoft-365\/security\/microsoft-365-defender\">Microsoft 365 Defender<\/a> delivers against ransomware. This evolving attack disruption capability exemplifies Microsoft\u2019s commitment to harness the power of AI to explore novel ways of detecting threats and improve organizations\u2019 defenses against an increasingly complex threat landscape.<\/p>\n\n\n\n<p><a href=\"https:\/\/microsoft.sharepoint-df.com\/teams\/DeRansom\/Shared%20Documents\/General\/Blogs\/aka.ms\/ransomware\">Learn how Microsoft helps you defend against ransomware.<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/www.microsoft.com\/en-us\/research\/group\/m365-defender-research\/\">Learn how machine learning and AI drives innovation at Microsoft security research.<\/a><\/p>\n\n\n\n<p><\/p>\n\n\n\n<p><em><strong>Arie Agranonik, Charles-Edouard Bettan, Sriram Iyer, Amir Rubin, Yair Tsarfaty<\/strong><br>Microsoft 365 Defender Research Team<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>To disrupt human-operated ransomware attacks as early as possible, we enhanced the AI-based protections in Microsoft Defender for Endpoint with a range of specialized machine learning techniques that swiftly identify and block malicious files, processes, or behavior observed during active attacks.<\/p>\n","protected":false},"author":150,"featured_media":116406,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"ms_queue_force_push":false,"ms_queue_id":"","ep_exclude_from_search":false,"_classifai_error":"","_classifai_text_to_speech_error":"","footnotes":""},"content-type":[3663],"topic":[3687],"products":[],"threat-intelligence":[3727,3735],"tags":[3896,3776],"coauthors":[3380],"class_list":["post-116382","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","content-type-research","topic-threat-intelligence","threat-intelligence-attacker-techniques-tools-and-infrastructure","threat-intelligence-ransomware","tag-credential-theft","tag-human-operated-ransomware"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v24.2 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Improving AI-based defenses to disrupt human-operated ransomware | Microsoft Security Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/06\/21\/improving-ai-based-defenses-to-disrupt-human-operated-ransomware\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Improving AI-based defenses to disrupt human-operated ransomware | Microsoft Security Blog\" \/>\n<meta property=\"og:description\" content=\"To disrupt human-operated ransomware attacks as early as possible, we enhanced the AI-based protections in Microsoft Defender for Endpoint with a range of specialized machine learning techniques that swiftly identify and block malicious files, processes, or behavior observed during active attacks.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/06\/21\/improving-ai-based-defenses-to-disrupt-human-operated-ransomware\/\" \/>\n<meta property=\"og:site_name\" content=\"Microsoft Security Blog\" \/>\n<meta property=\"article:published_time\" content=\"2022-06-21T16:00:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-08-03T22:25:29+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/ai-based-defenses-social-2.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1890\" \/>\n\t<meta property=\"og:image:height\" content=\"1016\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Microsoft Threat Intelligence\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/ai-based-defenses-social-2.png\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Microsoft Threat Intelligence\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/06\/21\/improving-ai-based-defenses-to-disrupt-human-operated-ransomware\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/06\/21\/improving-ai-based-defenses-to-disrupt-human-operated-ransomware\/\"},\"author\":[{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/microsoft-security-threat-intelligence\/\",\"@type\":\"Person\",\"@name\":\"Microsoft Threat Intelligence\"}],\"headline\":\"Improving AI-based defenses to disrupt human-operated ransomware\",\"datePublished\":\"2022-06-21T16:00:00+00:00\",\"dateModified\":\"2023-08-03T22:25:29+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/06\/21\/improving-ai-based-defenses-to-disrupt-human-operated-ransomware\/\"},\"wordCount\":1660,\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/06\/21\/improving-ai-based-defenses-to-disrupt-human-operated-ransomware\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/ai-based-defenses-featured-image.jpg\",\"keywords\":[\"Credential theft\",\"Human-operated ransomware\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/06\/21\/improving-ai-based-defenses-to-disrupt-human-operated-ransomware\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/06\/21\/improving-ai-based-defenses-to-disrupt-human-operated-ransomware\/\",\"name\":\"Improving AI-based defenses to disrupt human-operated ransomware | Microsoft Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/06\/21\/improving-ai-based-defenses-to-disrupt-human-operated-ransomware\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/06\/21\/improving-ai-based-defenses-to-disrupt-human-operated-ransomware\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/ai-based-defenses-featured-image.jpg\",\"datePublished\":\"2022-06-21T16:00:00+00:00\",\"dateModified\":\"2023-08-03T22:25:29+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/06\/21\/improving-ai-based-defenses-to-disrupt-human-operated-ransomware\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/06\/21\/improving-ai-based-defenses-to-disrupt-human-operated-ransomware\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/06\/21\/improving-ai-based-defenses-to-disrupt-human-operated-ransomware\/#primaryimage\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/ai-based-defenses-featured-image.jpg\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/ai-based-defenses-featured-image.jpg\",\"width\":1200,\"height\":813,\"caption\":\"Photo of Microsoft Cyber Defense Operations Center with the word \\\"Protect\\\" in the foreground.\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/06\/21\/improving-ai-based-defenses-to-disrupt-human-operated-ransomware\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Improving AI-based defenses to disrupt human-operated ransomware\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"name\":\"Microsoft Security Blog\",\"description\":\"Expert coverage of cybersecurity topics\",\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\",\"name\":\"Microsoft Security Blog\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"width\":512,\"height\":512,\"caption\":\"Microsoft Security Blog\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Improving AI-based defenses to disrupt human-operated ransomware | Microsoft Security Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/06\/21\/improving-ai-based-defenses-to-disrupt-human-operated-ransomware\/","og_locale":"en_US","og_type":"article","og_title":"Improving AI-based defenses to disrupt human-operated ransomware | Microsoft Security Blog","og_description":"To disrupt human-operated ransomware attacks as early as possible, we enhanced the AI-based protections in Microsoft Defender for Endpoint with a range of specialized machine learning techniques that swiftly identify and block malicious files, processes, or behavior observed during active attacks.","og_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/06\/21\/improving-ai-based-defenses-to-disrupt-human-operated-ransomware\/","og_site_name":"Microsoft Security Blog","article_published_time":"2022-06-21T16:00:00+00:00","article_modified_time":"2023-08-03T22:25:29+00:00","og_image":[{"width":1890,"height":1016,"url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/ai-based-defenses-social-2.png","type":"image\/png"}],"author":"Microsoft Threat Intelligence","twitter_card":"summary_large_image","twitter_image":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/ai-based-defenses-social-2.png","twitter_misc":{"Written by":"Microsoft Threat Intelligence","Est. reading time":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/06\/21\/improving-ai-based-defenses-to-disrupt-human-operated-ransomware\/#article","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/06\/21\/improving-ai-based-defenses-to-disrupt-human-operated-ransomware\/"},"author":[{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/microsoft-security-threat-intelligence\/","@type":"Person","@name":"Microsoft Threat Intelligence"}],"headline":"Improving AI-based defenses to disrupt human-operated ransomware","datePublished":"2022-06-21T16:00:00+00:00","dateModified":"2023-08-03T22:25:29+00:00","mainEntityOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/06\/21\/improving-ai-based-defenses-to-disrupt-human-operated-ransomware\/"},"wordCount":1660,"publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/06\/21\/improving-ai-based-defenses-to-disrupt-human-operated-ransomware\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/ai-based-defenses-featured-image.jpg","keywords":["Credential theft","Human-operated ransomware"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/06\/21\/improving-ai-based-defenses-to-disrupt-human-operated-ransomware\/","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/06\/21\/improving-ai-based-defenses-to-disrupt-human-operated-ransomware\/","name":"Improving AI-based defenses to disrupt human-operated ransomware | Microsoft Security Blog","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/06\/21\/improving-ai-based-defenses-to-disrupt-human-operated-ransomware\/#primaryimage"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/06\/21\/improving-ai-based-defenses-to-disrupt-human-operated-ransomware\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/ai-based-defenses-featured-image.jpg","datePublished":"2022-06-21T16:00:00+00:00","dateModified":"2023-08-03T22:25:29+00:00","breadcrumb":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/06\/21\/improving-ai-based-defenses-to-disrupt-human-operated-ransomware\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/06\/21\/improving-ai-based-defenses-to-disrupt-human-operated-ransomware\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/06\/21\/improving-ai-based-defenses-to-disrupt-human-operated-ransomware\/#primaryimage","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/ai-based-defenses-featured-image.jpg","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/ai-based-defenses-featured-image.jpg","width":1200,"height":813,"caption":"Photo of Microsoft Cyber Defense Operations Center with the word \"Protect\" in the foreground."},{"@type":"BreadcrumbList","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/06\/21\/improving-ai-based-defenses-to-disrupt-human-operated-ransomware\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/"},{"@type":"ListItem","position":2,"name":"Improving AI-based defenses to disrupt human-operated ransomware"}]},{"@type":"WebSite","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/","name":"Microsoft Security Blog","description":"Expert coverage of cybersecurity topics","publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization","name":"Microsoft Security Blog","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png","width":512,"height":512,"caption":"Microsoft Security Blog"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/"}}]}},"msxcm_display_generated_audio":false,"distributor_meta":false,"distributor_terms":false,"distributor_media":false,"distributor_original_site_name":"Microsoft Security Blog","distributor_original_site_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog","push-errors":false,"_links":{"self":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/116382","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/users\/150"}],"replies":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/comments?post=116382"}],"version-history":[{"count":0,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/116382\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/media\/116406"}],"wp:attachment":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/media?parent=116382"}],"wp:term":[{"taxonomy":"content-type","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/content-type?post=116382"},{"taxonomy":"topic","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/topic?post=116382"},{"taxonomy":"products","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/products?post=116382"},{"taxonomy":"threat-intelligence","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/threat-intelligence?post=116382"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/tags?post=116382"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/coauthors?post=116382"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}