An article by Lee Joon Sern, Lead Data Scientist, Ensign InfoSecurity
Ransomware attacks have been rising dramatically both in Singapore and globally. In 2021 alone, high-profile attacks disrupted the operations of Toyota, the National Basketball Association (NBA), and AXA.
According to the US government, ransomware attackers have disrupted services and businesses across banks, government offices, hospitals, energy companies, and many other industries. The economic losses are immense: ransom payments alone exceeded $400 million globally in 2020 and topped $81 million in the first quarter of 2021.
The Evolution of Ransomware Attacks
As cyber perpetrators form partnerships and share their expertise, their chances of success rise, and that success in turn fuels the evolution of ransomware.
Today, ransomware attacks are multi-layered to the point where extortion continues even after the victim pays. In a double extortion attack, the adversaries do not just encrypt the organisation's files; they first exfiltrate its data, that is, copy the files without authorisation to infrastructure they control, and then threaten to publish the information on data leak sites or underground forums unless the ransom is paid.
In a triple extortion attack, threat actors add Distributed Denial-of-Service (DDoS) attacks to the encryption and exposure threats, overwhelming the victim's servers or networks to disrupt operations and apply yet more pressure to pay.
In a quadruple extortion scenario, the adversaries also contact the victim's customers, partners, and other stakeholders directly, for example through VoIP calls, to coerce the organisation into paying.
Stopping Ransomware with Artificial Intelligence-Powered Cyber Defence
As ransomware methodologies continue to evolve, defenders need to leverage Artificial Intelligence (AI) to tip the scales in their favour. AI lets organisations supplement traditional rule-based controls with detection built on behavioural analytics at scale, so that a threat does not need a pre-written signature to be noticed.
Behaviour-based detection allows defenders to catch advanced attacks that bypass signature-driven tools, detect intrusion attempts earlier, and keep pace with evolving ransomware techniques. Combined with threat intelligence, AI-powered analytics give security teams the opportunity to stop threat actors at several points along the ransomware kill chain rather than only at the final encryption step.
Here are specific examples of how AI-powered cyber defences can tackle ransomware attacks at the different stages of the cyber kill chain:
1. Identify and Reconnaissance Stage
At this stage, threat actors most often use phishing to gain their initial foothold. Machine-learning phishing detection models can readily identify messages and pages crafted to trick users into divulging credentials or other sensitive information, or into clicking malicious web links.
This includes typosquatting, where attackers register domains that differ from a legitimate one by a plausible typing error (a dropped, doubled or swapped letter, or a different top-level domain) so that users who mistype the address land on the attacker's site, and homoglyph attacks, where a hyperlink looks identical to the genuine one because similar-looking characters from other Unicode scripts have been substituted for Latin letters.
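As an added illustration of how such look-alike domains can be caught before a classifier is even trained (this is example code written for this article, not Ensign's detection model), the script below reduces each hostname to a visual "skeleton" in the spirit of Unicode TR39 confusable detection, then compares it against a watchlist of protected brands. The watchlist, the confusables subset and the sample hostnames are all constructed for the example; the real confusables table has thousands of entries.

```python
import unicodedata
from typing import Dict, List, Optional, Tuple

# Assumed watchlist of brand domains the organisation wants to protect
# (constructed for this example; a real list would be the organisation's own
# domains plus those of suppliers, banks and SaaS providers its staff use).
WATCHLIST = {"paypal.com", "microsoft.com", "ensign.com"}

# Hand-picked subset of the Unicode confusables table (UTS #39), mapping
# look-alike characters to the Latin letter they imitate. Multi-character
# keys must be applied first, so dictionary order matters (Python 3.7+).
CONFUSABLES = {
    "rn": "m",      # two Latin letters that render like an "m"
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0455": "s",  # Cyrillic small dze
    "\u0456": "i",  # Cyrillic small Byelorussian-Ukrainian i
    "\u04cf": "l",  # Cyrillic small palochka
    "0": "o",
    "1": "l",
}


def to_unicode(host: str) -> str:
    """Decode punycode (xn--) labels to Unicode so substituted characters become visible."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already contains non-ASCII characters, nothing to decode


def skeleton(host: str) -> str:
    """Reduce a hostname to its visual skeleton: compatibility-normalise, lower-case,
    strip combining marks, then replace known look-alikes with the letter they mimic."""
    s = unicodedata.normalize("NFKC", to_unicode(host)).lower()
    s = "".join(ch for ch in unicodedata.normalize("NFD", s) if not unicodedata.combining(ch))
    for look_alike, latin in CONFUSABLES.items():
        s = s.replace(look_alike, latin)
    return s


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host: str) -> Tuple[str, Optional[str]]:
    """Return (verdict, matched brand); verdict is 'legitimate', 'homoglyph', 'typosquat' or 'unknown'."""
    raw = to_unicode(host).lower().rstrip(".")
    if raw in WATCHLIST:
        return "legitimate", raw
    skel = skeleton(raw)
    for brand in sorted(WATCHLIST):
        if skel == brand:
            return "homoglyph", brand  # identical once look-alikes are collapsed
    for brand in sorted(WATCHLIST):
        # Short brand names get a tighter threshold: at distance 2, "design.com" would
        # match "ensign.com" and the detector would drown in false positives.
        max_distance = 1 if len(brand.split(".")[0]) <= 6 else 2
        if levenshtein(skel, brand) <= max_distance:
            return "typosquat", brand
    return "unknown", None


# Constructed hostnames as they might appear in proxy or DNS logs; the fourth is the
# punycode form a browser or resolver shows for a name containing a Cyrillic "a".
SAMPLES: List[str] = [
    "paypal.com",
    "micosoft.com",
    "rnicrosoft.com",
    "p\u0430ypal.com".encode("idna").decode("ascii"),
    "design.com",
]


def scan(hosts: List[str]) -> Dict[str, Tuple[str, Optional[str]]]:
    return {h: classify(h) for h in hosts}


if __name__ == "__main__":
    for host, (verdict, brand) in scan(SAMPLES).items():
        print(f"{host:28} {verdict:10} {brand or ''}")
```

The skeleton step is what defeats homoglyphs: once "rn" collapses to "m" and Cyrillic letters map to their Latin twins, the attacker's domain compares equal to the brand. The edit-distance step catches ordinary typosquats such as a dropped letter or a truncated top-level domain. Both thresholds are deliberately conservative; a production model would add features such as domain age, certificate issuance and popularity ranking to keep false positives down on short brand names.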
2. Initial Attack Stage
This is the phase where the malicious payload is delivered and executed. Organisations can use a Domain Generation Algorithm (DGA) detection model to sift through large volumes of DNS traffic and spot the bursts of random-looking domain names that DGA malware generates while hunting for a live command-and-control server. This lets defenders determine whether any of those lookups resolved and resulted in successful communication with a malicious domain, and identify the likely malware family from the structure of the generated names.
3. Command & Control Stage
Threat actors now use the malware to bring devices or networks under their control. DNS tunnelling detection identifies two-way tunnelling traffic, in which the attacker registers a domain and runs a custom authoritative nameserver for it, so that queries encode data outbound and the responses carry commands inbound. Detecting this quickly allows the organisation to respond and remove the threat before the attacker can progress to file transfer and full command and control.
4. Extract & Exfiltrate Stage
This is usually the last stage of a ransomware attack, in which the threat actors carry out the unauthorised data transfer that underpins double, triple, and quadruple extortion. With AI-powered analytics, defenders can detect the one-way DNS traffic produced when an attacker controls a domain and its authoritative nameserver and tunnels data out in the subdomain labels of the queries themselves.
Organisations can also apply an email exfiltration detection model that builds a behavioural baseline for each mailbox in the organisation. Deviations from that baseline, such as unusual outbound volumes or recipients, flag emails that exhibit the characteristics of exfiltration, allowing the security team to contain the attack and minimise its impact.
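The DGA bursts described under the Initial Attack Stage and the one-way and two-way DNS tunnels described under the Command & Control and Extract & Exfiltrate stages all leave a footprint in ordinary resolver logs. The following added example (written for this article; it is not Ensign's analytics and uses simple entropy heuristics rather than a trained model) runs two detectors over a constructed log: one flags a client that receives NXDOMAIN for many random-looking domains, the other flags registered domains receiving many queries whose leftmost label is long and high-entropy, and uses the query types to say whether the channel looks one-way or two-way. The log format, thresholds and the "downstream query types" rule are assumptions for the example.

```python
import math
import re
from collections import defaultdict
from typing import Dict, List

# Constructed DNS query log, one query per line:
#   <timestamp> <client_ip> <qtype> <qname> <rcode>
# This is a simplified shape; a resolver or Zeek dns.log carries more fields.
SAMPLE_LOG = """\
2021-08-02T10:00:01 10.0.0.5 A www.ensign.com NOERROR
2021-08-02T10:00:02 10.0.0.5 A mail.google.com NOERROR
2021-08-02T10:00:03 10.0.0.7 A kq3vz8xplm2w.com NXDOMAIN
2021-08-02T10:00:03 10.0.0.7 A r9tbz1qwvx7h.net NXDOMAIN
2021-08-02T10:00:04 10.0.0.7 A mx4pqz8wk1vj.com NXDOMAIN
2021-08-02T10:00:04 10.0.0.7 A vzq7rk2xmp9t.org NXDOMAIN
2021-08-02T10:00:05 10.0.0.7 A h8zkq3wvxp1m.com NXDOMAIN
2021-08-02T10:00:05 10.0.0.7 A zxq9wvk3rp7m.biz NXDOMAIN
2021-08-02T10:00:06 10.0.0.7 A update.acme-cdn.com NOERROR
2021-08-02T10:00:10 10.0.0.9 TXT mzk4x7qwvt2pnb9rls8jhg3cdyf6ea.t.exfil-example.net NOERROR
2021-08-02T10:00:10 10.0.0.9 TXT p8vw3tnq7mkz2xlr4jsd9hgbc5yfe6.t.exfil-example.net NOERROR
2021-08-02T10:00:11 10.0.0.9 TXT x2qk9mvztw7pnl3rb8sjhg4cd6yfea.t.exfil-example.net NOERROR
2021-08-02T10:00:11 10.0.0.9 TXT t7zmq3xvkw2pnb9rls8jhg4cdyf6ea.t.exfil-example.net NOERROR
2021-08-02T10:00:12 10.0.0.9 TXT k9xq7mvzt2wpnb3rls8jhg4cdyf6ea.t.exfil-example.net NOERROR
2021-08-02T10:00:20 10.0.0.12 A b3nz8kqxv7wmt2plr9sjhg4cdyf6ea.leak-example.org NOERROR
2021-08-02T10:00:20 10.0.0.12 A n7zb3kqxv8wmt2plr9sjhg4cdyf6ea.leak-example.org NOERROR
2021-08-02T10:00:21 10.0.0.12 A z3bn7kqxv9wmt8plr2sjhg4cdyf6ea.leak-example.org NOERROR
2021-08-02T10:00:21 10.0.0.12 A bn3z7kqxv2wmt9plr8sjhg4cdyf6ea.leak-example.org NOERROR
2021-08-02T10:00:22 10.0.0.12 A zn7b3kqxv2wmt8plr9sjhg4cdyf6ea.leak-example.org NOERROR
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
FIELDS = ("ts", "client", "qtype", "qname", "rcode")
# Record types whose answers can carry arbitrary server-chosen data back to the client.
# Their presence marks a channel able to deliver commands inbound, not only data outbound
# (a heuristic assumed for this example, based on how common tunnelling tools behave).
DOWNSTREAM_QTYPES = {"TXT", "NULL", "CNAME", "MX", "SRV"}


def parse(log: str) -> List[Dict[str, str]]:
    records = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(dict(zip(FIELDS, m.groups())))
    return records


def entropy(s: str) -> float:
    """Shannon entropy in bits per character; random-looking labels score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Naive 'last two labels' rule; production code should use the Public Suffix List
    so that names under co.uk, com.sg and similar are handled correctly."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def detect_dga(records, min_domains: int = 5, min_entropy: float = 3.0):
    """Flag clients that receive NXDOMAIN for many distinct random-looking registered
    domains in the window: the footprint of DGA malware probing for a live C2 server."""
    by_client = defaultdict(set)
    for r in records:
        if r["rcode"] != "NXDOMAIN":
            continue
        domain = registered_domain(r["qname"])
        if entropy(domain.split(".")[0]) >= min_entropy:
            by_client[r["client"]].add(domain)
    return {c: sorted(d) for c, d in by_client.items() if len(d) >= min_domains}


def detect_tunnelling(records, min_queries: int = 5, min_label_len: int = 20, min_entropy: float = 3.5):
    """Flag registered domains receiving many queries whose leftmost label is long and
    high-entropy, i.e. encoded payload travelling out inside the subdomain. The query
    types decide whether the channel looks one-way (exfiltration) or two-way (C2)."""
    by_domain = defaultdict(list)
    for r in records:
        by_domain[registered_domain(r["qname"])].append(r)
    findings = {}
    for domain, recs in by_domain.items():
        labels = [r["qname"].split(".")[0] for r in recs if r["qname"] != domain]
        encoded = [l for l in labels if len(l) >= min_label_len and entropy(l) >= min_entropy]
        if len(encoded) < min_queries:
            continue
        qtypes = {r["qtype"] for r in recs}
        findings[domain] = {
            "queries": len(encoded),
            "clients": sorted({r["client"] for r in recs}),
            "direction": "two-way (C2-capable)" if qtypes & DOWNSTREAM_QTYPES else "one-way (exfiltration)",
            "payload_chars": sum(len(l) for l in encoded),  # rough upper bound on data carried out
        }
    return findings


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print("DGA candidates:", detect_dga(recs))
    print("Tunnel candidates:", detect_tunnelling(recs))
```

Run on the sample, client 10.0.0.7 is flagged for six random-looking NXDOMAIN lookups, exfil-example.net is reported as a two-way channel because the client asks for TXT records (which can carry commands back), and leak-example.org, queried only for A records, is reported as one-way exfiltration. Entropy and length thresholds alone will misfire on legitimate long labels such as content-delivery hashes, which is why the count of queries per domain is part of the rule and why a deployed model learns per-domain baselines rather than relying on fixed cut-offs.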
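As an added example of what a per-mailbox behavioural baseline looks like in practice (example code written for this article, not Ensign's model), the script below scores one day's outbound mail for each mailbox against that mailbox's own history: the day's external attachment volume is turned into a z-score, and a large send to a recipient domain the mailbox has never used is treated as an additional signal. The mail records, the internal domain name and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import date
from statistics import mean, pstdev
from typing import List, Tuple

INTERNAL_DOMAIN = "ensign.example"  # assumed: mail to this domain is internal, all else is external

# Constructed outbound-mail records: (day, sender mailbox, recipient domain, attachment bytes).
# Alice sends a small file to one partner every day, then on 8 August pushes 48 MB to a
# webmail domain she has never written to. Bob sends 41-47 MB of artwork to a print shop
# every day, so a 45 MB send on 8 August is normal for him and must not be flagged.
OUTBOUND: List[Tuple[date, str, str, int]] = (
    [(date(2021, 8, d), "alice@ensign.example", "partner.example", 200_000) for d in range(1, 8)]
    + [(date(2021, 8, 8), "alice@ensign.example", "mail-drop.example", 48_000_000)]
    + [(date(2021, 8, d), "bob@ensign.example", "printshop.example", 40_000_000 + d * 1_000_000) for d in range(1, 8)]
    + [(date(2021, 8, 8), "bob@ensign.example", "printshop.example", 45_000_000)]
)
REVIEW_DAY = date(2021, 8, 8)


def external_daily_totals(records):
    """Per mailbox, per day: total attachment bytes sent to external recipients."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, mailbox, rcpt_domain, size in records:
        if rcpt_domain != INTERNAL_DOMAIN:
            totals[mailbox][day] += size
    return totals


def score_day(records, day, z_threshold: float = 3.0, min_history: int = 5):
    """Compare each mailbox's external volume on `day` against its own history.
    A mailbox is flagged when the day's volume is an outlier for that mailbox, or when a
    volume far above its norm goes to a recipient domain it has never used before."""
    totals = external_daily_totals(records)
    findings = []
    for mailbox, per_day in totals.items():
        history = [v for d, v in per_day.items() if d < day]
        today = per_day.get(day, 0)
        if len(history) < min_history or today == 0:
            continue  # no baseline yet (new joiner) or nothing sent: nothing to judge
        mu = mean(history)
        # A mailbox with perfectly regular traffic has sigma 0; floor it so that one
        # extra kilobyte does not turn into an 'infinite' z-score.
        sigma = max(pstdev(history), 0.05 * mu, 1.0)
        z = (today - mu) / sigma
        seen_before = {r for d, m, r, _ in records if m == mailbox and d < day and r != INTERNAL_DOMAIN}
        today_domains = {r for d, m, r, _ in records if m == mailbox and d == day and r != INTERNAL_DOMAIN}
        new_domains = today_domains - seen_before
        if z >= z_threshold or (new_domains and today >= 10 * mu):
            findings.append({
                "mailbox": mailbox,
                "day": day.isoformat(),
                "bytes": today,
                "z_score": round(z, 1),
                "new_recipient_domains": sorted(new_domains),
            })
    return findings


def run_example():
    return score_day(OUTBOUND, REVIEW_DAY)


if __name__ == "__main__":
    for finding in run_example():
        print(finding)
```

The point of scoring against each mailbox's own history rather than a global threshold is visible in the two users: Bob's 45 MB send is unremarkable for him and produces no alert, while Alice's 48 MB to a never-seen domain is thousands of standard deviations from her baseline. A real model would add further per-mailbox features (time of day, recipient count, newly created forwarding rules, attachment types) and would be retrained as legitimate behaviour drifts.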
Preparing for the response and recovery of systems
Additionally, organisations should bolster their readiness to respond to and recover from ransomware attacks without relying on cyber insurance or ransom payments. This includes rigorous data rights management that controls who can access sensitive data and what they can do with it.
Organisations should also review their business-critical data and recovery plans regularly and thoroughly, so that a successful ransomware attack has minimal business impact.
Lastly, organisations should adopt zero-trust principles, continuously validating users and devices rather than trusting anything inside the traditional network edge. This limits how far a ransomware infection can spread and ensures access is granted only where it is needed.
Ransomware attacks can gravely affect your business operations
In a survey of the World Economic Forum's Cybersecurity Leadership Community, 85% of respondents said that ransomware is a dangerously growing threat and a major concern for public safety. This comes as no surprise: threat actors are becoming smarter in their attacks and will turn to whatever tactics pressure organisations into paying.
By combining a behaviour-based approach with AI-powered cyber defences, organisations can detect and stop advanced ransomware attacks with greater confidence and accuracy anywhere across the network. They should also develop and exercise a robust response and recovery plan. Together these measures allow organisations to stay ahead of evolving ransomware threats, mitigate their potential impact, and pursue their digital and business priorities with greater confidence.