Blue Hexagon Blog

Ransomware Families and Variants are in Abundance

It’s all about time to detect, accuracy and explainability!

Ransomware is one of the more malevolent forms of malware. According to one industry estimate, an organization fell victim to ransomware every 14 seconds in 2019, with that interval projected to shrink to every 11 seconds by 2021. The Verizon 2020 DBIR ranks ransomware as the third most common malware variety in breaches and the second most common in incidents. Ransomware is a big problem that keeps getting bigger, and it affects individuals and organizations alike. The concept is simple: encrypt the victim’s valuable data with strong cryptography, so that recovery without the attacker’s key is infeasible, then demand a ransom, usually in bitcoin or another cryptocurrency, in exchange for the key that restores access.

Blue Hexagon closes that gap by applying real-time deep learning to network traffic inspection, covering both header-level information and payloads. It identifies known and unknown threats with near-100% accuracy in under a second. Even against zero-day ransomware or new variants, Blue Hexagon models trained months earlier have delivered detection rates above 99%.

  • Detects Threats, Not Just Anomalies

Unlike most AI-based security tools, Blue Hexagon identifies and names specific threats. Rather than flagging anomalies or high-level patterns, its models automatically analyze over 100,000 traits across payloads, protocols, and headers to identify the threat conclusively. Threats are classified down to the malware family name and categorized by threat type. A further industry first is AI explainability: Blue Hexagon maps each verdict to MITRE ATT&CK behaviors within seconds, which explains the decision to the analyst team and lets them prioritize, escalate, or automate remediation.

  • Unmatched Speed and Detection Rates

Shortening time to verdict while keeping that verdict accurate (low false positives and false negatives) is a hard technical problem. In our experience, Blue Hexagon’s real-time deep learning detection rates are consistently above 99% with a false-positive rate below 0.1%. Verdicts are rendered in under a second, and often in under 50 milliseconds. Blue Hexagon analyzes and correlates multiple events, phases, and payloads across the lifecycle of an attack. This combination of accuracy and speed lets organizations identify new threats and act before damage is done.
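As an added illustration, and not Blue Hexagon’s code or model, the Python below shows the shape of the explainable verdict the two points above describe: several events from one process are correlated over a short window, and the output names the behaviour and its MITRE ATT&CK technique (T1486, Data Encrypted for Impact) instead of reporting “an anomaly”. It uses a simple entropy-plus-rename heuristic over constructed host file-write events rather than deep learning over network traffic; the process names, paths, thresholds and the document-extension set are all assumptions.

```python
"""Added illustration, not Blue Hexagon code: a small, explainable detector
for ransomware-style bulk file encryption, run over constructed file-write
events. It correlates several events over a time window and emits a verdict
that names the behaviour and its MITRE ATT&CK technique."""
import math
from collections import Counter, defaultdict
from pathlib import PurePosixPath

# Real ATT&CK technique ID for ransomware encrypting victim files.
TECHNIQUE_T1486 = "T1486 Data Encrypted for Impact"

# Extensions a user document normally carries before it is encrypted
# (an assumed, illustrative set).
DOC_EXTS = {".docx", ".xlsx", ".pdf", ".jpg", ".txt"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: English text is roughly 4-5, ciphertext or compressed
    data approaches 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def has_appended_extension(path: str) -> bool:
    """True for 'report.docx.locked'-style names: a document extension with a
    further suffix appended, a renaming pattern many ransomware families use."""
    suffixes = PurePosixPath(path).suffixes
    return len(suffixes) >= 2 and suffixes[-2].lower() in DOC_EXTS


def detect(events, window_s=10.0, min_hits=5, entropy_threshold=7.0):
    """events: iterable of (time_s, process, path, bytes_written).

    A single high-entropy write is not a threat (backups and archives look
    the same), so the rule fires only when one process produces at least
    min_hits high-entropy, renamed files within window_s seconds."""
    hits = defaultdict(list)
    for t, proc, path, data in sorted(events, key=lambda e: e[0]):
        if shannon_entropy(data) >= entropy_threshold and has_appended_extension(path):
            hits[proc].append((t, path))

    verdicts = []
    for proc, proc_hits in hits.items():
        start = 0
        for end in range(len(proc_hits)):
            # Slide the window start forward until the span is <= window_s.
            while proc_hits[end][0] - proc_hits[start][0] > window_s:
                start += 1
            if end - start + 1 >= min_hits:
                t0 = proc_hits[start][0]
                evidence = [p for t, p in proc_hits if 0 <= t - t0 <= window_s]
                verdicts.append({
                    "process": proc,
                    "technique": TECHNIQUE_T1486,
                    "explanation": (f"{len(evidence)} high-entropy writes to "
                                    f"renamed documents within {window_s:.0f}s"),
                    "evidence": evidence,
                })
                break  # one verdict per process is enough for this example
    return verdicts


# Constructed sample telemetry. bytes(range(256)) * 4 has exactly 8.0
# bits/byte and stands in for ciphertext; the repeated sentence stands in
# for a real document.
CIPHERTEXT = bytes(range(256)) * 4
PLAINTEXT = b"Quarterly report: revenue up, costs flat. " * 20

SAMPLE_EVENTS = [
    (0.0, "winword", "/home/a/Documents/report.docx", PLAINTEXT),
    (1.0, "backup", "/mnt/backup/2020-06-01.zip", CIPHERTEXT),  # high entropy, not renamed
    (2.0, "tar", "/home/a/archive.tar.gz", CIPHERTEXT),         # two suffixes, no doc ext
] + [
    (5.0 + 0.5 * i, "ransom", f"/home/a/Documents/file{i}.docx.locked", CIPHERTEXT)
    for i in range(6)
]


if __name__ == "__main__":
    for verdict in detect(SAMPLE_EVENTS):
        print(verdict["process"], verdict["technique"], "-", verdict["explanation"])
```

The window and count thresholds are what separate a backup job or an archiver, which also produce high-entropy writes, from a bulk-encryption run; in a real deployment they would be tuned against the false-positive budget discussed above, and the evidence list is what an analyst would check before escalating.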

Ransomware can be devastating to the organizations it hits. In many cases the victim must pay within a set deadline or risk losing access for good. And because the operators are criminals, paying the demanded ransom guarantees neither that your data will be restored nor that you won’t be attacked again.

Since the global outbreaks of WannaCry, Petya, and NotPetya, which infected hundreds of thousands of computers and caused billions of dollars in business losses (not counting the unknown total of ransoms paid), ransomware attacks have grown in both volume and complexity. The surge is driven by the high probability of payment combined with how easily the malware is distributed: most often through phishing campaigns or drive-by downloads from compromised websites.

In this blog series we will keep readers updated with timely, first-hand research on ransomware families, including our perspective and experience on how deep learning is performing against these threats.

We begin with initial research on the following ransomware families, covering ransom demands, data exfiltration, and more:

  • Ryuk
  • TeslaCrypt
  • CryptoWall
  • Blocatto
  • Ekans
  • Locky
  • iLock
  • Goopic
  • Sodinokibi
  • Nemucod
  • Booyah
  • HydraCrypt
  • Maze
  • Ransom32
  • BitStak
  • GhostCrypt
  • DoppelPaymer
  • Chimera
  • Synolocker
  • KeRanger
  • WannaCry
  • 8lock8
  • Smrss32
  • Cerber

Bookmark this page for future reference; we will keep adding research on more ransomware families. If there is a specific ransomware family you would like us to analyze, leave a comment below or fill out the contact-us page and let us know how to reach you.