Why AI is a critical weapon in the war on ransomware?

The threat of ransomware is nothing new, and yet it continues to be a prominent feature in the headlines. Surely recent ransomware victims such as meat producer JBS Foods, the U.S. Colonial Pipeline, chemical distributor Brenntag, and Ireland’s Health Service knew the dangers and had measures in place to protect themselves? The statistics certainly don’t imply that ransomware is  suffering from a lack of awareness; 46 per cent of CISOs recently stated that ransomware is their biggest cybersecurity concern. And yet it continues to be successful in causing financial and operational damage. 

Part of the problem is that ransomware has evolved and diversified in recent years – attackers have moved on from simple, fully-automated tactics that are quite straight-forward to prevent, to using more targeted and sophisticated tactics. At the same time, most security teams using the same old tactics to try to prevent ransomware – an approach that is now broken. 

It’s time for organisations to evolve – and that means looking beyond a preventative approach that tries to stop a ransomware attacker from breaching the walls, and instead focus on arming themselves with the tools that can detect and stop an attack in its tracks. One thing is for sure, in the sprawling IT landscapes of today, artificial intelligence (AI) will play a decisive role in this war against ransomware.

A diversifying threat

Early forms of ransomware operated on autopilot and followed a simple business model: infect as many computers as possible, because at least some proportion of the victims will surely pay to recover their files. This so-called commodity ransomware soon evolved to search out and encrypt entire network drives – the rationale being that you’re increasingly the likelihood of locking something the victim can’t live without. This initial evolution also saw attackers start to target organisations, rather than individual people; as businesses are more likely to pay bigger ransoms to recover critical files. 

From here, commodity ransomware was combined with worms – so it could now land on a single system but then rapidly infect neighbouring systems too. This was an important step forward for attackers, as only one victim needed to fall foul of the phishing email so attackers could quickly spread to potentially thousands of other machines. Despite being around for many years, such commodity ransomware does remain a genuine threat. Everyone remembers the damage WannaCry caused a few years ago when it locked down hundreds of thousands of computers, while in February last year, commodity ransomware shut down a US natural gas facility for two days.

Attackers have continued to step up their game and diversify, replacing automated tactics for more sophisticated and targeted methods. These attacks often take weeks of planning and, after gaining an initial foothold, attackers manually adapt their movements to the specifics of the environment they have broken into. Such tactics were employed in the successful ransomware attack targeting JBS Foods, which was conducted by one of “the most specialized and sophisticated cybercriminal groups in the world”, according to the FBI. 

Alongside diversification of the attack itself, the ransomware business model has also branched into a franchise model. The franchiser supplies the tools, playbooks and other necessary attack infrastructure, while franchisees use these services to carry out attacks, sending a percentage of the ransom back to the franchiser. For all intents and purposes, ransomware has become a fully-fledged industry; it’s hardly surprising that the sophisticated human-operated variants have been identified by Microsoft as “one of the most impactful trends in cyberattacks today”.

AI to reinforce the ranks

Well-known commodity ransomware variants can generally be blocked on entry if security teams have access to timely indicators of compromise delivered via threat-intel feeds. Even newer types of commodity ransomware that successfully bypass preventative measures are typically quite limited in scope, and can be overcome with a good backup and restore process. Containing more fast-moving commodity ransomware variants can be more difficult, although in these cases, micro-segmentation, zero trust, least privilege and other policy-driven controls are a decent armoury to contain outbreaks. 

When it comes to the most targeted, human-operated ransomware attacks, success is no longer reliant on prescriptive policies, or hardened security configurations that are focused on prevention. While useful to a point, a sufficiently motivated attacker will eventually overcome these. In this case, focus must shift from trying to prevent the inevitable, to instead detecting and halting successful attacks at the earliest possible point – and this is where AI comes in. 

With estimates indicating the average dwell time in a ransomware attack is 43 days, AI should play a decisive role within the security team to help flush out the threat. While a team of analysts may need days or even weeks, AI can rapidly – if not immediately – detect when attackers are moving through systems before the ransomware deploy button is hit. This is because AI can contextualise and consolidate the wide variety of signals and markers left by attackers as they move through systems to reach their intended goal. AI can pull all this disparate information together into one clear picture, meaning security teams can efficiently respond to the most critical threats. 

Conquering the ransomware battlefield

Ransomware continues to be a serious threat to organisations, and if 2021 is anything to go by, it’s not going away any time soon. Security teams should take note of the numerous recent high-profile ransomware incidents and view them as a case study of what can happen if they are not ready to deal with the wide variety of threats. 

If you’re the target of a human operated attack, it’s simply not realistic to expect security analysts to have all angles covered. As ransomware operators continue to diversify, organisations should look at adding AI-powered means of detecting ransomware to their arsenal, so they can significantly reduce the time taken to spot the threat.