In the early days, identifying malicious programs such as viruses involved matching their code against a database of known malware. But this technique was only as good as the database; new malware variants could easily slip through.

So security companies started characterizing malware by its behavior. In the case of ransomware, software could look for repeated attempts to lock files by encrypting them. But that can flag ordinary computer behavior such as file compression.

Newer techniques involve looking for combinations of behaviors. For instance, a program that starts encrypting files without showing a progress bar on the screen could be flagged for surreptitious activity, said Fabian Wosar, chief technology officer at the New Zealand security company Emsisoft. But that also risks identifying harmful software too late, after some files have already been locked up.

An even better approach identifies malware using observable characteristics usually associated with malicious intent for instance, by quarantining a program disguised with a PDF icon to hide its true nature.

This sort of malware profiling wouldn't rely on exact code matches, so it couldn't be easily evaded. And such checks could be made well before potentially dangerous programs start running.

Read this article:

How artificial intelligence is taking on ransomware - CNBC