Cybereason Blog | Cybersecurity News and Analysis

How AI-Driven XDR Defeats Ransomware

Written by Anthony M. Freed | Jun 15, 2022 3:46:03 PM

In June 2021, we detailed the ways that ransomware can end up costing organizations in our report, Ransomware: The True Cost to Business. The report revealed that two-thirds of ransomware victims report significant revenue loss following an attack.

More than half (53%) informed us that a ransomware infection had damaged their brand and reputation. This was followed by a loss of C-level talent (32%), employee layoffs (29%), and suspension of business operations (26%).

What’s Behind These Costs?

The main reason for the business impact described above is most likely the way ransomware operations have evolved over the years.

Indeed, increasingly complex ransomware operations, or RansomOps, are the norm, as detailed in our report titled RansomOps: Inside Complex Ransomware Operations and the Ransomware Economy. These attacks are unlike commodity ransomware attacks of the past that relied on email phishing campaigns to target random individuals with small ransom demands. 

Instead, RansomOps are highly targeted attacks more akin to an APT operation. An attacker wants to access as much of the network as possible before detonating the ransomware payload. The motivation here is to inflict the maximum damage possible so that they can present victims with an even higher ransom demand.

This is evident in how much ransomware victims pay when they comply with a ransom demand. Our study discerned that more than a third (35%) of businesses had paid between $350,000 and $1.4 million to their attackers, while seven percent said that they had paid even more.

Of course, these high ransom payments don’t just reflect the fact that attackers are encrypting ever-larger swaths of victim environments; it’s also evidence of how ransomware actors are using additional levels of extortion to steal even more from organizations. 

This all began with attackers exfiltrating victims’ data before commencing the encryption routine and then threatening to leak or publish that information if the target doesn’t pay up. It’s expanded to include additional techniques, with some attackers threatening to leak stolen data to competitors or investors if they don’t fulfill a demand or deleting it outright if victims contact law enforcement, data recovery experts, or professional negotiators.

The Challenges in Ransomware Defense

The rise of RansomOps highlights the need for organizations to prioritize ransomware defense. Towards that end, they need to realize that traditional security technologies won’t help them defend themselves against modern ransomware threats. Let’s use a few examples to understand why this is the case.

We’ll begin with Security Information and Event Management (SIEM). This type of technology can help to centralize threat alert information across organizations’ environments. The problem is that SIEMs often swamp security professionals with a high volume of alerts, many of which are simply false positives, contributing to a prevailing feeling of “alert fatigue” where teams might choose to overlook alerts altogether. This could leave organizations more vulnerable to a ransomware attack.

Endpoint Detection and Response (EDR), while essential today, is also insufficient on its own for ransomware defense. It is a step up from traditional antivirus and antimalware endpoint security capabilities, but EDR works only at the endpoint level, and only on devices that support the installation of an endpoint agent.

Ransomware attacks can spread to and affect legacy systems, Internet of Things (IoT) devices, and other assets on which security teams can’t install an endpoint agent. They can also spread beyond the endpoint level to affect other parts of organizations’ environments.

Artificial Intelligence and Machine Learning as Gamechangers

Organizations need something else beyond SIEM, EDR, and other traditional solutions. This is where Extended Detection and Response (XDR) powered by Artificial Intelligence (AI) and Machine Learning (ML) technology comes into play. These technologies can enable detection and remediation automation that correlates telemetry from endpoints, cloud workloads, applications, user identities, and other disparate assets to detect attacks.

Security teams shouldn’t need to manually triage and investigate disparate alerts from an array of solutions, which gives ransomware actors even more time to move laterally on the network or exfiltrate information in the process. Instead, they need to focus on shutting down a ransomware campaign as quickly as possible.

The AI-Driven XDR Advantage

An AI-driven XDR solution enables organizations to embrace an operation-centric approach to security. It delivers the visibility required to be confident in their security posture across all network assets, and the automated responses required to halt attack progressions at the earliest stages.

XDR optimizes an organization’s security stack in three ways:

  • Maximizing Integrations Across the Security Stack: XDR saves time and effort by automating the delivery of actionable, context-rich intelligence from telemetry ingested across the entire security stack without requiring analysts to do the heavy lifting required to triage every alert generated. Analysts can quickly understand the earliest signs of compromise and end malicious operations faster through native integrations with email, productivity suites, identity and access management, and cloud deployments. This is the power of the “X” in XDR.
  • Detecting the Entire Malicious Operation: The correlative power of XDR allows security teams to adopt an operation-centric approach to detection by revealing the entire MalOp™ (malicious operation) from root cause across every affected device, system, and user. With XDR, analysts can focus on ending attacks in progress rather than spending valuable time trying to manually piece together the attacker’s actions and activities by sorting through an unorganized and uncorrelated mass of alerts generated by disparate security tools, each designed only to reveal an isolated aspect of the entire attack. This is the power of the “D” in XDR.
  • Predictive Automated Response: Understanding the full intent of an attacker’s behaviors and how they are related across the different elements of an organization’s network through an operation-centric approach means analysts are empowered to predictively anticipate the attacker’s likely next moves and preemptively block the attack progression with automated or guided remediation, depending on the security policies in place. Only an operation-centric approach can reduce attacker dwell time from months to minutes, which is the power of the “R” in XDR.
  • Proactive Threat Hunting: Finally, XDR enables organizations to engage in proactive threat hunting. This activity is vital as it allows organizations to search for suspicious chains of behavior that can surface attacks sooner and minimize the damage that those operations might cause. With XDR, security teams can pivot between events and hunt for threats without needing to craft complex queries. They can also incorporate lessons learned from successful hunts into custom detection rules and logic for future threat hunting engagements based on an operation-centric approach. This is the power of unifying all three aspects of XDR in one solution.
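The alert-fatigue problem described in the SIEM section and the “D” in XDR above both come down to the same mechanism: stitching alerts from different tools into one operation keyed on the entities they share, so that an analyst sees a single root cause instead of a pile of isolated signals. The following is an added illustration of that correlation step, not Cybereason’s code or a description of how its product works internally. The alert names, users, hosts, and the 24-hour linking window are all constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Alert:
    ts: datetime
    source: str          # which tool raised it: email, identity, endpoint, cloud
    name: str
    entities: frozenset  # identifiers the alert involves, e.g. "user:alice", "host:WS-01"


# Constructed sample alerts (hypothetical, not real telemetry). Five of them belong
# to one intrusion that hops from email to endpoint to identity to cloud; one is an
# unrelated alert on another host; one shares a host but falls outside the window.
T0 = datetime(2022, 6, 1, 9, 0)
SAMPLE_ALERTS = [
    Alert(T0, "email", "phishing attachment delivered", frozenset({"user:alice"})),
    Alert(T0 + timedelta(minutes=7), "endpoint", "macro spawns powershell",
          frozenset({"user:alice", "host:WS-01"})),
    Alert(T0 + timedelta(minutes=40), "identity", "new admin role granted",
          frozenset({"user:alice", "user:svc-backup"})),
    Alert(T0 + timedelta(hours=2), "endpoint", "lateral movement via SMB",
          frozenset({"host:WS-01", "host:FS-02"})),
    Alert(T0 + timedelta(hours=5), "cloud", "bulk object download",
          frozenset({"user:svc-backup"})),
    Alert(T0 + timedelta(hours=1), "endpoint", "unsigned binary executed",
          frozenset({"host:DEV-09"})),
    Alert(T0 + timedelta(days=3), "endpoint", "scheduled task created",
          frozenset({"host:FS-02"})),
]

WINDOW = timedelta(hours=24)  # assumed maximum gap for two alerts to be linked


def correlate(alerts, window=WINDOW):
    """Group alerts into operations: alerts that share an entity within `window`
    are linked transitively (union-find). Each operation reports its earliest
    alert as the root cause and the sources that contributed to it."""
    alerts = sorted(alerts, key=lambda a: a.ts)
    parent = list(range(len(alerts)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    def union(i, j):
        ri, rj = find(i), find(j)
        if ri != rj:
            parent[rj] = ri

    # Index alerts by the entities they mention; chronological order is preserved.
    by_entity = {}
    for idx, a in enumerate(alerts):
        for e in a.entities:
            by_entity.setdefault(e, []).append(idx)

    # Link consecutive alerts on the same entity when they fall inside the window.
    for idxs in by_entity.values():
        for i, j in zip(idxs, idxs[1:]):
            if alerts[j].ts - alerts[i].ts <= window:
                union(i, j)

    groups = {}
    for idx in range(len(alerts)):
        groups.setdefault(find(idx), []).append(alerts[idx])

    ops = []
    for members in groups.values():
        members.sort(key=lambda a: a.ts)
        root = members[0]
        ops.append({
            "root_cause": root.name,
            "start": root.ts,
            "end": members[-1].ts,
            "sources": sorted({a.source for a in members}),
            "entities": sorted(set().union(*(a.entities for a in members))),
            "alerts": [a.name for a in members],
        })
    ops.sort(key=lambda o: o["start"])
    return ops


def triage_load(alerts, ops):
    """Return (raw alert count, operation count): the analyst's queue before and
    after correlation."""
    return len(alerts), len(ops)


if __name__ == "__main__":
    ops = correlate(SAMPLE_ALERTS)
    print("raw alerts vs operations:", triage_load(SAMPLE_ALERTS, ops))
    for op in ops:
        print(op["start"], op["root_cause"], "->", op["alerts"], op["sources"])
```

Seven raw alerts collapse into three operations. The first is the multi-tool intrusion with the phishing email as its root cause; the other two are the isolated host alert and the stale FS-02 alert that the window deliberately keeps separate. A real pipeline would weight entity links (a shared admin account is a stronger tie than a shared subnet) and expire groups, but the union-find core is the same.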

In addition, an AI-driven XDR solution should provide Defenders with the ability to predict, detect and respond to cyberattacks across the entire enterprise, including endpoints, networks, identities, cloud, application workspaces, and more.

Cybereason is dedicated to teaming with Defenders to end attacks on the endpoint, across the enterprise, and everywhere the battle is taking place. Learn more about AI-driven Cybereason XDR here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.