Are we putting machine learning and AI to good use in the ongoing battle against ransomware? Take a refresher now…

Ransomware has been around for quite a while now, and we may fall into the trap of thinking we know all we need to know about it – its payload, the TTPs, don’t pay the ransom, data backup and recovery etc.

Knowing isn’t ever enough, as recent ransomware attacks have shown. For instance, are you able to identify and protect your organization from UNC3944 (aka Scattered Spider), an ALPHV (aka Black Cat) affiliate?

MGM couldn’t, and the loss due to downtime and reputation is enormous!

To refresh our memories and awareness of what to look out for, CybersecAsia called on Chris Thomas, Senior Security Advisor, APJ, ExtraHop:

What are the potential consequences of ransomware, both in terms of financial and reputational costs?

Thomas: Ransomware can have severe financial and reputational consequences for organizations:

    • Financially, companies may incur significant costs related to ransom payments, forensic investigations, systems recovery, and legal expenses.
    • Additionally, downtime and disrupted operations can result in revenue loss and diminished productivity, and tarnish a company’s reputation long-term.
    • At ExtraHop, we recently released our 2nd edition of the Global Cybersecurity Confidence Index, where we found that over half (52%) of IT decision-makers from the US, Europe and Asia Pacific pay the ransom for an attack on their cyber systems most or all the time – a 10 percentage point increase from 2021. The average ransom paid was USD 925,000. But more often than not, not all the data will be released back by the threat actors and a backdoor is often left behind, allowing them to come back again and again.
    • Two reputable Singapore luxury watch and jewellery retailers recently had their customers’ data stolen. This will certainly have an impact on their reputation, eroding customer trust and confidence.

How have recent developments in technology redefined how companies can manage ransomware?

Thomas: The field of cybersecurity has undergone significant changes in the past decade, rendering a mere firewall inadequate in warding off hackers. The pivotal aspect of thwarting threat actors, particularly in the case of ransomware, lies in the emerging realm of network detection and response (NDR).

There are three points I would like to highlight:

    1. Enhanced detection and prevention: Recent technological developments have enabled companies to strengthen their ransomware detection and prevention capabilities. Advanced threat intelligence tools, machine learning (ML) algorithms, and behavior-based analytics can now identify potential ransomware threats more effectively, enabling proactive measures to mitigate risks.
    2. Improved incident response: Technology has revolutionized incident response processes for managing ransomware attacks. Automated incident response platforms and sophisticated cybersecurity orchestration tools streamline response workflows, enabling faster containment, isolation, and eradication of ransomware infections. These help facilitate real-time collaboration among security teams and provide actionable insights to enhance future incident handling.
    3. Data protection and recovery: Advancements in technology have transformed data protection and recovery strategies for companies affected by ransomware. The integration of secure backup solutions, including cloud-based and offline storage, enables regular and encrypted data backups, reducing the impact of ransomware attacks. Moreover, innovative data recovery tools and techniques have emerged, allowing organizations to restore their systems and minimize downtime, reducing the leverage attackers have in demanding ransom payments.

What are some practical steps businesses can take to mitigate their ransomware risk and stay ahead of threats?

Thomas: Modern ransomware attacks are so lucrative that criminal organizations such as BlackByte, Conti, and REvil are always coming up with novel and inventive ways to systematically target businesses while also making it harder to identify and prevent them. These strategies have included the use of encrypted protocols to conceal activities such as data collection, exploitation, and exfiltration for extortion.

Early ransomware attacks concentrated on targets of opportunity, whereas modern ransomware attacks deploy intricate playbooks that quickly exploit new vulnerabilities to get access to their victims’ networks. The significance of midgame detection tactics is highlighted by these criminal organizations’ versatility and capacity to get past conventional perimeter defences.

I would like to suggest six practical steps:

    1. Invest in security tools such as network detection and response (NDR), endpoint detection and response (EDR), firewalls, and security information and event management (SIEM), in addition to good operational security practices and procedures. Each of these tools gives visibility into different parts of an organization and, when used together, can provide a robust view of all company traffic, helping mitigate any external or internal threat. It is imperative to constantly evaluate the security posture with an eye toward the changing threat landscape and evolving attacker and defender toolkits.
    2. Extend visibility and security practices to include the midgame, as that is where attackers have the most freedom of action and security teams have traditionally had the least visibility. NDR empowers defenders with the ability to interrupt intruders during the midgame—before they can do real damage. NDR solutions with decryption capabilities provide in-depth monitoring with the historical data needed for businesses to detect abuse of protocols such as Windows New Technology LAN Manager (NTLM) and Kerberos. These greatly improve the ability of defenders to detect and respond to the malicious activity starting at initial access, through the midgame, and into the extortion phase of the attack.
    3. Employ advanced endpoint protection solutions, intrusion detection systems, and encryption technologies to add additional layers of security.
    4. Conduct regular employee training on phishing awareness and safe browsing practices to help prevent initial infection vectors.
    5. Back up data regularly, either offline or in the cloud, to provide a means for data recovery without having to resort to paying ransom. If the attacker compromises one set of backups, cold storage backups are available to restore from.
    6. Maintain an up-to-date incident response plan and conduct periodic vulnerability assessments and penetration testing to ensure readiness to respond and adapt to evolving threats.

How can ransomware be managed over the long term, and what role does ongoing education and training play in mitigating the risks?

Thomas: Long-term ransomware management requires a holistic approach, where ongoing education and training play a vital role in mitigating risks.

Regular cybersecurity awareness programs can educate employees on the latest threats, attack methods, and prevention practices, enabling them to promptly identify and report suspicious activities.

Also, adopt a zero-trust approach, where employees and devices must be dynamically and continuously authenticated and verified, with access to resources restricted according to least privilege principles.

What are some emerging trends in cybersecurity that businesses should be aware of, and how can they prepare for these future risks?

Thomas: First, the rise of AI-powered cyberattacks and deepfake technology demand increased vigilance. We’ve seen instances of how Large Language Models (LLMs) like ChatGPT can help in writing malicious code, but there are even newer AI tools designed for cybercrime such as WormGPT and FraudGPT being brought to light in recent weeks.

This is a worrying trend leaders must remain aware of. Implementing advanced AI-based threat detection systems and investing in robust authentication mechanisms can help mitigate these risks.

Second, the Internet of Things (IoT) presents a growing attack surface. Businesses should prioritize IoT security by implementing strong device authentication, encryption, and continuous monitoring. Additionally, the increased adoption of cloud services requires organizations to strengthen cloud security with robust access controls, encryption, and regular audits.

Third, the growing sophistication of social engineering attacks calls for ongoing employee education and awareness training to recognize and prevent phishing and other social engineering techniques. By staying informed about these trends and implementing appropriate security measures, businesses can proactively prepare for future cybersecurity risks.

Fourth, I have heard of worrying concerns from companies about their employees sharing trade secrets or other confidential business information with ChatGPT and similar AI tools. Companies need to carry out proper employee education on using such AI tools ethically, without breaching confidentiality or breaking any Non-Disclosure Agreements (NDAs). Companies must also consider adopting technology that can provide visibility into how employees are using AI tools, in addition to any policies around the governance of these tools.