What is it about?
Ransomware attacks have become more dangerous in recent years, especially those controlled by human attackers who break into systems, move around quietly, and then launch a major attack. These “human-operated ransomware” attacks can shut down hospitals, companies, and government services for days or weeks.

In our study, we looked at how these attackers behave during the early stages of an attack. Instead of focusing on the final moment when ransomware encrypts data, we examined the steps the attackers take before that happens—such as getting into the system, gaining higher permissions, hiding their activity, and moving between devices. We built a new dataset that captures the behaviors of 15 major ransomware families seen in 2023–2024. Using this data, we trained computer models to learn the order in which attackers perform different actions. These models act like pattern-recognition tools: when early steps of an attack appear, the system can warn defenders before the ransomware causes damage.

Our results showed that these learning models can identify ransomware families with strong accuracy—even when they only see the first few actions of the attack. This means organizations could potentially detect and stop a ransomware attack long before files get encrypted, reducing or even preventing damage.
Why is it important?
This work helps move cybersecurity from “fixing the damage after it happens” to spotting threats early, giving defenders more time to respond.
Perspectives
From my point of view, the most meaningful aspect of this work is its shift toward understanding ransomware as a human-driven process, not just a piece of malicious software. While many existing solutions focus on the final moments of an attack—when files are already being encrypted—I believe real protection comes from recognizing the behavior of attackers much earlier. Building this dataset and modeling the progression of attacker actions gave me a deeper appreciation of how predictable these behaviors can be, even when the attackers themselves constantly evolve. To me, the real value of this research lies in empowering defenders with the ability to intervene sooner, turning ransomware response from a desperate recovery effort into a proactive defense strategy. I see this as an important step toward making cybersecurity more anticipatory and less reactive.
AKRAM ALGAOLAHI
King Fahd University of Petroleum and Minerals
Read the Original
This page is a summary of: Sequence Learning over Behavioral Attack Patterns for Early Detection of Human-Operated Ransomware, Digital Threats Research and Practice, December 2025, ACM (Association for Computing Machinery), DOI: 10.1145/3786772.