In mid-November 2022, the Federal Bureau of Investigation (FBI) reported that the infamous Hive Ransomware-as-a-Service (RaaS) gang had earned about $100 million from over 1,300 organizations since June 2021.
As if that weren't enough, the FBI also reports that the gang re-deploys ransomware on, or reinfects, victim networks that refuse to pay the ransom. The brunt of the attacks has been felt across all industries and critical infrastructure sectors, including government, IT, telecommunications, and healthcare, to name a few.
Victims have supplied over 850 samples since the beginning of 2022, many of them prompted by a dramatic spike in attack activity between March and mid-April. Paying a ransom often encourages other cybercriminals to join in, which is why the FBI urges organizations to report Hive attacks as soon as possible, so that it can collect the information needed to track and, ideally, contain the attack.
Unfortunately, Hive is only one head of the many-headed ransomware monster. Early in 2022, the now nearly defunct Conti ransomware group, through its affiliate BlackByte, made headlines by exposing the San Francisco 49ers' sensitive financial documents as leverage for extortion. This attack highlights the next phase of ransomware evolution, in which affiliate groups band together into major cybercrime syndicates.
Growing interconnectedness makes it harder to detect ransomware in time, before it causes harm. Whether your data is processed locally or in the cloud, the risk of a breach is the same. But Edge computing also gives attackers more ways in, because sensitive data is stored and processed on a far wider range of systems. As the footprint grows, protecting large-scale environments where computers are everywhere becomes harder, and it may even become impossible.
The fast proliferation of IoT devices and the expansion of Edge networks are changing how Chief Information Security Officers (CISOs) and IT security professionals strategize for and secure their Edge and IoT infrastructures. Clearly, data and analysis have moved further out to the Edge with a wide range of sensors and monitoring devices collecting data for almost any purpose one can think of, from smart buildings and electrical grids to factories and retail stores.
Edge security is used to protect users and apps at the Edge layer of a company's network, where sensitive data is highly vulnerable to security threats. The stakes are high with Edge devices, and as such, CISOs and business leaders need to make sure that Edge environments are protected. This includes encrypting data while it is at rest and while it is in transit, network monitoring, and keeping control through a centralized management dashboard that controls how devices interact with the computing environment.
IT security models that have been used in the past won't work for the modern nature of Edge and IoT infrastructures. As computing moves to the Edge, these traditional models risk putting corporate data assets in danger or slowing down digital transformation, or both.
One way Edge computing makes environments riskier is by distributing the network. With more devices in more places, there is a greater chance of physical interference or other damage. Physical threats include tampering with devices to introduce malware through physical access, and unintentional actions that damage the device and its data. To control physical security risks to Edge devices, and the ransomware that can follow from them, company premises need real-time threat detection.
There are also more virtual security risks, because more Edge devices can store and process data. By connecting to these devices remotely, attackers could steal data, halt operations, reach corporate systems, and execute ransomware. In short, an attacker who compromises one device can use it as a foothold into the entire organizational network.
Another weakness exposing organizations to ransomware is misconfigured devices. Configuring them correctly means running a vulnerability assessment, turning off any features that aren't needed, shutting down devices that behave abnormally, and applying patches to all systems before deployment. It is also crucial for companies to adopt endpoint monitoring, certificate-based device authentication, and multi-factor authentication. Many organizations lack complete visibility, and you cannot protect a device you do not know exists.
Organizations might assume that cybercriminals wouldn't be interested in much of their data. But when it comes to ransomware, many bad actors don't necessarily want data they can use themselves. Instead, they want data that the victim can't afford to lose or to have made public. This is called "double extortion."
Double extortion began in 2020, when dark web leak sites grew in popularity. Cybercriminals used these sites to publicly list ransomware victims and threaten to leak sensitive corporate data if the victims didn't pay. In 2021, ransomware gangs took these methods further with multi-extortion techniques designed to make the threat more expensive and more urgent. For example, gangs have threatened employees and customers over the phone and used denial-of-service attacks to take down a victim's website in order to pressure them into paying.
The number of RaaS operators has also grown. RaaS providers offer a wide range of simple tools and services that make launching a ransomware attack almost as easy as using an online auction site. Over the past few years these operators have invested in their businesses: improving their malware, building marketing plans to recruit more affiliates, and even setting up technical support to help victims get back online after they pay.
As cybercriminals find new ways to circumvent technical security controls, weaponize Edge/IoT vulnerabilities, and increase the sophistication of their attacks, no company or industry is immune to ransomware.
Today's ransomware attacks often use a two-pronged strategy: exploit application and operating system bugs to get in, then use malware to perform reconnaissance, steal, destroy, or encrypt data, and launch distributed denial of service (DDoS) attacks. To protect against ransomware, malware, and DDoS attacks effectively, CISOs and security professionals need to plan for a combination of methods, such as behavior analysis, threat intelligence software, Zero Trust access control, and automation.
CISOs may think they have a card up their sleeve that will stop attackers from going deeper if someone falls for a phishing email or an endpoint is compromised. But what if the organization is not using Zero Trust or any other form of access control to stop an attack from spreading once an employee has let it in?
If a single endpoint is compromised, that's one thing: organizations can stop the attack by removing the device from the network, provided they detect the threat before it spreads. But once more than one device is involved, containing the attack becomes much harder, leaving organizations virtually helpless and at the mercy of the attackers.
As Edge networks get more complicated, AI-powered tools like behavior analytics systems and intelligent detection and response platforms are used more and more to improve network security. These are tools that add to or supplement what CISOs and security practitioners are already doing. They make it easier to spot anomalies and respond autonomously to isolate them, so security staff can focus on higher-level work.
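The behavior analysis mentioned above can be illustrated with a simple rule. The following Python block is an added example, not code from the original article or from AI EdgeLabs: it watches endpoint file-event telemetry for the pattern an encryptor leaves behind (many files renamed or written with an extension the fleet never normally produces, within a short window on one host) and emits an alert with a recommended isolation action. The log format, host names, paths, the list of "known" extensions, and the 60-second/5-event thresholds are all constructed assumptions for the demonstration.

```python
"""Added example (not from the original article): a behavior-analytics rule
that flags ransomware-like mass file modification in endpoint file telemetry.
The log format, host names and paths are constructed for this demonstration."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import os

# Constructed telemetry, one event per line: "<ISO timestamp> <host> <op> <path>"
# RENAME events carry "<source> -> <destination>".
SAMPLE_EVENTS = """\
2022-11-15T09:00:01 edge-node-07 WRITE /data/reports/q3.xlsx
2022-11-15T09:00:05 edge-node-07 WRITE /data/reports/summary.docx
2022-11-15T09:01:00 edge-node-03 RENAME /home/ops/report.tmp -> /home/ops/report.docx
2022-11-15T09:02:30 edge-node-03 WRITE /tmp/cache.bin
2022-11-15T09:30:00 edge-node-12 RENAME /srv/share/invoice1.pdf -> /srv/share/invoice1.pdf.locked
2022-11-15T09:30:02 edge-node-12 RENAME /srv/share/invoice2.pdf -> /srv/share/invoice2.pdf.locked
2022-11-15T09:30:03 edge-node-12 RENAME /srv/share/contract.docx -> /srv/share/contract.docx.locked
2022-11-15T09:30:05 edge-node-12 RENAME /srv/share/photos/site.jpg -> /srv/share/photos/site.jpg.locked
2022-11-15T09:30:06 edge-node-12 RENAME /srv/share/ledger.xlsx -> /srv/share/ledger.xlsx.locked
2022-11-15T09:30:07 edge-node-12 WRITE /srv/share/README_TO_DECRYPT.txt
2022-11-15T09:30:09 edge-node-12 RENAME /srv/share/notes.txt -> /srv/share/notes.txt.locked
"""

# Extensions this (constructed) fleet legitimately produces; anything else is "unknown" to the rule.
KNOWN_EXTENSIONS = {".xlsx", ".docx", ".pdf", ".txt", ".csv", ".jpg", ".png", ".log"}
WINDOW = timedelta(seconds=60)   # sliding window per host (assumed tuning value)
THRESHOLD = 5                    # unknown-extension events in the window that raise an alert


def parse_event(line):
    ts, host, op, rest = line.split(" ", 3)
    src, dst = rest.split(" -> ") if op == "RENAME" else (rest, rest)
    return {"ts": datetime.fromisoformat(ts), "host": host, "op": op, "src": src, "dst": dst}


def is_suspicious(ev):
    """True for a rename that changes the extension to an unknown one, or a write
    to a file whose extension is unknown; both are typical of an encryptor at work."""
    src_ext = os.path.splitext(ev["src"])[1].lower()
    dst_ext = os.path.splitext(ev["dst"])[1].lower()
    if ev["op"] == "RENAME":
        return dst_ext != src_ext and dst_ext not in KNOWN_EXTENSIONS
    return ev["op"] == "WRITE" and dst_ext not in KNOWN_EXTENSIONS


def detect(lines, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per host whose rate of suspicious events exceeds the threshold."""
    recent = defaultdict(deque)   # host -> (timestamp, path) of recent suspicious events
    alerts, alerted = [], set()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = parse_event(line)
        if not is_suspicious(ev):
            continue
        q = recent[ev["host"]]
        q.append((ev["ts"], ev["dst"]))
        while ev["ts"] - q[0][0] > window:   # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold and ev["host"] not in alerted:
            alerted.add(ev["host"])
            alerts.append({
                "host": ev["host"],
                "first_seen": q[0][0].isoformat(),
                "count": len(q),
                "examples": [path for _, path in list(q)[:3]],
                "recommended_action": "isolate host from the network and preserve evidence",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

Run against the constructed sample, the rule stays quiet for the ordinary activity on edge-node-07 and the single odd write on edge-node-03, and fires once for edge-node-12 at the fifth rename to `.locked`. The point for a defender is that the host is flagged while the encryptor is still running, which is when removing the device from the network, as the text describes, still limits the damage.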
The business case for CISOs to develop and budget for advanced cybersecurity solutions is clear, because the costs of incidents are extraordinarily high. Data shows that global ransomware costs, including research, remediation, and recovery, will reach $265 billion by 2031. This figure doesn't include other possible costs, such as downtime, loss of public trust, and, in the worst case, loss of life.
The traditional cybersecurity approach requires either a large team of analysts to investigate and respond to threats, or outside experts and security providers, both of which are expensive and resource-intensive. Traditional approaches are not only costly and slow; they are downright ineffective given the scale, volume, and speed at which attacks like ransomware arrive.
Thus, CISOs must build an effective, intelligent defense against ransomware with automated, AI-based detection and response solutions that can stop attacks before they reach an organization's digital environment.
AI, machine learning, and automation are the most useful ways to improve how organizations prevent, detect, and remediate ransomware attacks. When these technologies are part of an advanced security solution's toolset, they automatically identify and block malicious assets and anomalous behavior across all attack vectors (including at-home endpoints, Edge networks, and IoT devices). They also help security teams quickly correlate alerts, identify real threats, and use contextualized threat intelligence to prioritize risks and protect the whole enterprise.
As the number of ransomware attacks worldwide keeps rising, preparedness is the best defense. Since double extortion and leak sites are now the norm for new ransomware families, the stakes have been raised: it is no longer just access to data that is at risk, important as that is, but also a victim's reputation and its customers' trust. Good cyber hygiene and security training are a good place to start, and AI EdgeLabs suggests the following best practices:
The ransomware threat landscape will keep changing as threat actors find new ways to disrupt business operations. Keep your security team and key executives informed about the current state of ransomware threats, how they could affect your business, and what your company can do to stop attacks. CISOs must educate other C-level stakeholders and the board by speaking the language of the business and using threat briefings to inform them strategically about risk profiles and security strategy. Technical security teams must also stay current on the latest ransomware threats, including attack vectors, TTPs, ransom demands, and the best ways to stop attacks.
If you don't assess your security regularly, you increase the chance that a ransomware attack will succeed and cause serious damage. Assess the most important ransomware risks you face based on your unique mix of people, processes, technology, and governance capabilities. You will also need to look across the whole business for third-party, partner, or supply chain components that could pose a risk.
Zero Trust is a security strategy that removes implicit trust and continuously verifies every step of a digital interaction. CISOs who need to keep up with digital transformation and adapt to a constantly changing security landscape are increasingly turning to the Zero Trust model.
Set up a way to keep track of all of your assets, systems, and services that are exposed to the public internet. For example, Remote Desktop Protocol (RDP) is one of the most common ways for ransomware to get into a network: with most people now working from home, RDP endpoints are widely exposed and easy for attackers to find.
An advanced network visibility platform can provide a complete and accurate inventory of an organization's global internet-facing assets and configurations. This can be used to continuously find, evaluate, and fix security issues on an attack surface, flag risky communications, and more.
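As an added example of the inventory review described in the two paragraphs above (this is not code from the original article or from AI EdgeLabs), the Python block below reads a constructed export of internet-facing assets and flags services such as RDP that should never be reachable directly from the internet. The inventory rows, asset names, the service-to-advice table and the severity tiers are assumptions for the demonstration; the sample IPs come from the RFC 5737 documentation ranges and stand in for public addresses, and RFC 1918 addresses are treated as internal and skipped.

```python
"""Added example (not from the original article): review an internet-facing
asset inventory for services that should never be directly exposed.
Inventory rows, asset names and the advice table are constructed."""
import csv
import io
import ipaddress

# Constructed inventory export, as an attack-surface tool might produce it.
INVENTORY_CSV = """\
asset,ip,port,service
edge-gw-01,203.0.113.10,443,https
edge-gw-01,203.0.113.10,3389,rdp
cam-controller-4,198.51.100.22,23,telnet
file-node-2,10.20.0.15,445,smb
file-node-3,203.0.113.44,445,smb
jump-host,203.0.113.5,22,ssh
"""

# RFC 1918 ranges: anything here is internal and out of scope for this review.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Services that are common ransomware entry points when reachable from the internet.
HIGH_RISK_PORTS = {
    3389: "RDP exposed to the internet; move it behind a VPN/ZTNA gateway with MFA",
    445: "SMB exposed to the internet; block it at the perimeter",
    23: "Telnet exposed to the internet; disable it and use SSH with key-based auth",
    5900: "VNC exposed to the internet; move it behind a VPN/ZTNA gateway with MFA",
}
MEDIUM_RISK_PORTS = {
    22: "SSH exposed to the internet; restrict source addresses and require keys plus MFA",
}


def is_internet_facing(ip):
    """True unless the address falls in an RFC 1918 range (a constructed simplification)."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in PRIVATE_NETS)


def review_inventory(csv_text):
    """Return findings for exposed high/medium-risk services, highest severity first."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not is_internet_facing(row["ip"]):
            continue
        port = int(row["port"])
        if port in HIGH_RISK_PORTS:
            severity, advice = "high", HIGH_RISK_PORTS[port]
        elif port in MEDIUM_RISK_PORTS:
            severity, advice = "medium", MEDIUM_RISK_PORTS[port]
        else:
            continue   # e.g. HTTPS on 443 is expected on an internet-facing gateway
        findings.append({"asset": row["asset"], "ip": row["ip"], "port": port,
                         "service": row["service"], "severity": severity, "advice": advice})
    order = {"high": 0, "medium": 1}
    return sorted(findings, key=lambda f: (order[f["severity"]], f["asset"]))


def exposed_hosts(findings, severity="high"):
    """Distinct assets carrying at least one finding of the given severity."""
    return sorted({f["asset"] for f in findings if f["severity"] == severity})


if __name__ == "__main__":
    for f in review_inventory(INVENTORY_CSV):
        print(f"[{f['severity']}] {f['asset']} {f['ip']}:{f['port']} ({f['service']}) - {f['advice']}")
```

On the constructed data the review reports three high-severity exposures (RDP on the gateway, Telnet on a camera controller, SMB on a file node) and one medium one (SSH on the jump host), while the SMB service on the 10.20.0.15 host is ignored as internal. Feeding a real export from the visibility platform the text mentions into the same check turns a static inventory into a recurring control.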
To keep known threats out of your network, you need to block known exploits, malware, and unauthorized traffic at the perimeter. Once these are blocked, the cost of launching an attack rises, which makes an attack less likely because attackers must build new malware variants and develop new exploits against less well-known vulnerabilities.
You also need to block known malicious and phishing URLs so that users can't accidentally download a malicious payload or have their credentials stolen. Blocking these threats takes them out of the picture completely. Once known threats are blocked, scan your SaaS-based apps for known malware, since these apps are increasingly used to spread threats. Malware and exploits found during the scan should be blocked, and the same should be done on the endpoint for known malware and exploits.
As attackers continue to use new zero-day exploits and create new ransomware variants, it is important to find and block unknown threats once the known ones have been stopped. Identify all traffic on the network and block unknown, potentially high-risk traffic (such as macro-enabled documents downloaded from the internet) at the Edge, making sure to cover both web and non-web traffic.
Consider putting in place tools that automatically remediate incidents using AI-based algorithms and models. Automated AI for cybersecurity lets CISOs and security teams automate processes such as early threat detection, endpoint isolation, notifications, reporting, and threat hunting by orchestrating across security information and event management (SIEM), firewalls, endpoint security, and threat intelligence sources. This allows response teams to shut down ransomware quickly, minimize the risk of data loss, and limit the financial impact of ransom demands.
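The two preceding paragraphs describe blocking known malicious URLs and then blocking unknown but high-risk traffic such as macro-enabled documents. The Python block below is an added example (not code from the original article or from AI EdgeLabs) of a policy check that applies both rules to proxy log lines: it normalizes the request host so that case, a port, or a trailing dot cannot slip past the blocklist, matches parent domains, and blocks macro-enabled Office downloads unless they come from a trusted domain. The domain lists, the `.example` hostnames, the log format and the macro-extension set are constructed assumptions.

```python
"""Added example (not from the original article): a proxy-log policy check that
blocks requests to known malicious domains and macro-enabled Office downloads
from untrusted domains. Domain lists and log lines are constructed."""
import os
from urllib.parse import urlsplit

# Constructed blocklist (known malicious / phishing) and allowlist (trusted document sources).
BLOCKED_DOMAINS = {"bad-updates.example", "login-verify.example"}
TRUSTED_DOMAINS = {"intranet.example", "vendor-portal.example"}
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".dotm", ".xlam"}

# Constructed proxy log, one request per line: "<ts> <client> <method> <url> <status>"
PROXY_LOG = """\
2022-11-15T10:00:01 10.20.0.15 GET https://intranet.example/policies/handbook.docm 200
2022-11-15T10:00:07 10.20.0.15 GET https://cdn.bad-updates.example:8443/agent/update.exe 200
2022-11-15T10:00:09 10.20.0.31 GET http://LOGIN-VERIFY.example./account 200
2022-11-15T10:00:15 10.20.0.31 GET https://files.unknown-share.example/quote.xlsm 200
2022-11-15T10:00:20 10.20.0.44 GET https://news.example/article 200
"""


def normalize_host(url):
    """Lower-case hostname without port or trailing dot, so list lookups are exact."""
    host = urlsplit(url).hostname or ""   # .hostname already lower-cases and drops the port
    return host.rstrip(".")


def domain_matches(host, domains):
    """True if host equals, or is a subdomain of, any entry in domains."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def decide(url):
    """Return (verdict, reason) for one request URL."""
    host = normalize_host(url)
    ext = os.path.splitext(urlsplit(url).path.lower())[1]
    if domain_matches(host, BLOCKED_DOMAINS):
        return "block", "known malicious domain"
    if ext in MACRO_EXTENSIONS and not domain_matches(host, TRUSTED_DOMAINS):
        return "block", "macro-enabled document from untrusted domain"
    return "allow", ""


def evaluate_log(text):
    """Apply the policy to every log line and return the verdicts in order."""
    results = []
    for line in text.splitlines():
        ts, client, method, url, status = line.split()
        verdict, reason = decide(url)
        results.append({"ts": ts, "client": client, "url": url,
                        "verdict": verdict, "reason": reason})
    return results


if __name__ == "__main__":
    for r in evaluate_log(PROXY_LOG):
        print(f"{r['ts']} {r['client']} {r['verdict']:5} {r['url']} {r['reason']}")
```

On the constructed log the check allows the macro-enabled handbook from the intranet, blocks the download from a subdomain of a listed domain even with a non-standard port, blocks the upper-cased phishing host written with a trailing dot, blocks the spreadsheet from an unknown share, and allows the news article. The same verdict function can be run in-line at the proxy or after the fact over historical logs to see what would have been caught.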
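The orchestration described in this last practice, where detections from the SIEM, firewalls, endpoint security and threat intelligence feed into automated isolation and notification, can be shown in a small correlation engine. The Python block below is an added example, not code from the original article or from AI EdgeLabs: it groups alerts per host, scores them (with a bonus when independent tools corroborate each other), picks a playbook tier from the score, and dispatches the actions through connector functions. The alert records, host names, score thresholds, action names and the dry-run connectors are all constructed assumptions; the connectors only return what they would do, so nothing is actually isolated or paged.

```python
"""Added example (not from the original article): correlate alerts from several
security tools per host, score them, and dispatch a response playbook.
Alerts, hosts, thresholds and connector functions are constructed; the
connectors only record what they would do, so no real SIEM, firewall or EDR is needed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Alert:
    source: str    # tool that raised it: "edr", "firewall", "siem", "ti"
    host: str
    kind: str
    severity: int  # 1 (informational) .. 10 (critical)
    detail: str


# Constructed alerts as they might arrive from different tools within a short interval.
SAMPLE_ALERTS = [
    Alert("firewall", "edge-node-12", "outbound_to_known_bad_ip", 6, "matched threat-intel indicator"),
    Alert("edr", "edge-node-12", "mass_file_rename", 8, "hundreds of renames to a new extension in 60s"),
    Alert("edr", "edge-node-12", "shadow_copy_deletion", 9, "volume shadow copies removed"),
    Alert("ti", "edge-node-07", "hash_match", 5, "downloaded file hash matches a feed entry"),
    Alert("edr", "edge-node-07", "office_spawned_script_host", 4, "Office process launched a script interpreter"),
    Alert("firewall", "edge-node-03", "port_scan", 3, "internal scan of 20 ports"),
]

ISOLATE_AT = 15           # correlated score at which the host is isolated automatically
NOTIFY_AT = 8             # correlated score at which an analyst is queued for triage
CORROBORATION_BONUS = 3   # added when at least two independent tools agree on a host


def correlate(alerts):
    """Group alerts per host and compute a score; corroboration across tools raises it."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a.host].append(a)
    plan = {}
    for host, items in by_host.items():
        sources = {a.source for a in items}
        score = sum(a.severity for a in items) + (CORROBORATION_BONUS if len(sources) >= 2 else 0)
        if score >= ISOLATE_AT:
            actions = ["isolate_host", "block_outbound", "open_incident", "page_oncall"]
        elif score >= NOTIFY_AT:
            actions = ["enrich_with_ti", "notify_analyst"]
        else:
            actions = ["log_only"]
        plan[host] = {"score": score, "sources": sorted(sources),
                      "kinds": [a.kind for a in items], "actions": actions}
    return plan


def run_playbook(plan, connectors):
    """Dispatch each planned action through the matching connector; returns the audit trail."""
    audit = []
    for host, entry in plan.items():
        for action in entry["actions"]:
            audit.append((host, action, connectors[action](host, entry)))
    return audit


# Constructed dry-run connectors standing in for EDR, firewall, SIEM and paging integrations.
DRY_RUN_CONNECTORS = {
    "isolate_host":   lambda host, e: f"EDR: network-isolate {host}",
    "block_outbound": lambda host, e: f"firewall: deny egress from {host}",
    "open_incident":  lambda host, e: f"SIEM: open incident for {host} (score {e['score']})",
    "page_oncall":    lambda host, e: f"paging: {host} {','.join(e['kinds'])}",
    "enrich_with_ti": lambda host, e: f"TI: enrich {host}",
    "notify_analyst": lambda host, e: f"queue: triage {host} (score {e['score']})",
    "log_only":       lambda host, e: f"log: {host} score {e['score']}",
}


if __name__ == "__main__":
    for host, action, result in run_playbook(correlate(SAMPLE_ALERTS), DRY_RUN_CONNECTORS):
        print(f"{host:14} {action:15} -> {result}")
```

With the constructed alerts, edge-node-12 (three high-severity detections from two tools) crosses the isolation threshold and gets the full containment playbook, edge-node-07 (a hash match plus a suspicious Office child process) is enriched and queued for an analyst, and the lone port-scan alert on edge-node-03 is only logged. Swapping the dry-run connectors for real integrations is the only change needed to move from a tabletop run to production, and keeping the audit trail as the return value makes every automated decision reviewable afterwards.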