Leveraging Artificial Intelligence to Prevent RansomOps Attacks

Ransomware attacks increased dramatically in both volume and sophistication throughout 2021, and Cybersecurity Ventures estimates that ransomware is a $6 trillion business.

As reported by Help Net Security, researchers observed a 148% increase in global ransomware attacks through the third quarter (Q3) of 2021. This brought the total volume of ransomware infections up to 470 million for the year’s first nine months. 

In Q3 2021 alone, security analysts detected 190.4 million ransomware attempts—nearly the same number of attacks as the 195.7 million ransomware infections that made news in the first three quarters of 2020. Security researchers went on to predict that ransomware totals would reach 714 million by the end of the year, constituting a 134% year-over-year increase.

Some ransomware gangs also began using additional layers of extortion to pressure victims into paying. As an example, some attackers threatened to publish victims’ stolen data or to sell it to rivals as a means of ensuring that they could get paid. Other ransomware gangs promised to leak or destroy their victims’ data if those entities contacted law enforcement, data recovery experts, and/or other professional negotiators following an attack.

Understanding the Costs of a Ransomware Attack

The changes described above help explain the growing costs of a ransomware attack. The Cost of a Data Breach Study 2021 found that the average cost of a ransomware infection had climbed to $4.62 million, higher than the $4.24 million that organizations paid out following a data breach. That figure included escalation, notification, lost business, and response costs, but it did not include the cost of the ransom payment itself.

Let’s put these costs into perspective using the findings of the Cybereason global research report, Ransomware: The True Cost to Business:

  • Two-thirds of organizations suffered a significant loss in revenue following a ransomware attack
  • More than half (53%) of organizations experienced damage to their brand and their reputation after a ransomware infection
  • Approximately three in 10 ransomware victims said that they lost C-Level talent and laid off some employees as a direct result of a successful ransomware attack
  • One-quarter of organizations said that they suffered disruption to operations following a ransomware attack

What Do These Risks Mean for Organizations?

Organizations must understand what they’re up against. First, they need to realize that the very nature of today's complex, highly targeted ransomware attacks, or RansomOps, renders traditional prevention approaches largely ineffective. That’s because ransomware itself is no longer traditional.

RansomOps are a different level of threat compared to the commodity ransomware attacks of the past, which used spray-and-pray tactics, targeted single victims for small ransom demands, and relied primarily on phishing as the infection vector: tricking a target into clicking a malicious link or opening a tainted document.

RansomOps campaigns are low-and-slow attacks more akin to an APT operation where malicious actors first gain access to as much of the target network as possible before detonating the ransomware payload for maximum effect and the potential for multi-million-dollar ransom payouts.

The reason traditional ransomware prevention approaches are not effective against RansomOps attacks is that they focus too much on the tail end of the attack: the detonation of the ransomware payload.

Yet, little to no attention is paid to the weeks and even months of detectable activity by the threat actors, such as initial ingress, lateral movement, the compromise of credentials, privilege escalation, and establishing command and control that come long before the actual ransomware ever enters the equation.

Acknowledging this reality, organizations cannot defeat complex ransomware attacks with malware prevention for known ransomware strains alone, or by trying to “roll back” the encryption after the payload detonates. They require the ability to detect the earliest stages of the attack, and at multiple stages of the kill chain, so that the network activities discussed above can be stopped before the payload is ever deployed.

Leveraging Artificial Intelligence to Defeat RansomOps

Organizations are turning to Extended Detection and Response (XDR) solutions powered by Artificial Intelligence (AI) and Machine Learning (ML) to enable their security teams to automate triage, investigation, and remediation efforts at scale to detect RansomOps at the earliest stages of an attack.

AI/ML-driven XDR can enable security teams to cut through the noise introduced by a constant flood of threat alerts, allowing security professionals to spend less time sifting through alerts and chasing false positives and more time working to improve the organization's overall security posture.

An AI-driven XDR solution can analyze large telemetry data sets with a high degree of accuracy to identify the most subtle Indicators of Behavior (IOBs) at a scale that manual human analysis can never match. The advantage here is in automating the detection of events that usually require human analysis and relieving security teams of the inefficient task of sorting the signal from the noise on the network.

The application of AI is not a silver bullet, and for the foreseeable future, there will undoubtedly need to be a blend of humans and AI working together. Still, AI will enhance the efficiency of every member of the security team and amplify the efficacy of the entire security stack.

Finding one component of an attack from a single alert tells Defenders that more investigation is needed. Still, even the most skilled human analysts are incapable of quickly and efficiently querying all available telemetry in real time to trace meaningful attack indicators back to the root cause.

This is where Artificial Intelligence and Machine Learning are critical to automating correlations by analyzing data at a rate of millions of events per second, so instead of manually querying data, analysts can spend more time acting on the insights produced by AI/ML across disparate assets on the network.

AI-driven XDR allows analysts to quickly identify malicious chains of behavior, never before seen malware variants, and detect complex RansomOps attack sequences earlier to swiftly remediate known and unknown threats regardless of where they occur in an organization’s environment. Such visibility enables security teams to respond to an event before it becomes a major security issue and introduce measures designed to increase the burden on attackers.
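As an added illustration of the behavior-chain detection the article describes, and not Cybereason's own code or the MalOp engine, the following Python correlates constructed endpoint telemetry per host and flags a chain of distinct pre-detonation kill-chain stages observed inside a time window; the stage names, hostnames, timestamps and event details are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Kill-chain stages named in the article, in their typical order of progression.
STAGES = ["initial_access", "credential_access", "privilege_escalation",
          "lateral_movement", "command_and_control", "payload_detonation"]

# Constructed sample telemetry as (ISO timestamp, host, stage, detail).
# Hostnames, times and details are hypothetical, not real data.
SAMPLE_EVENTS = [
    ("2021-09-01T09:00:00", "ws-17", "initial_access", "macro document spawned a shell"),
    ("2021-09-01T09:20:00", "ws-17", "credential_access", "LSASS process memory read"),
    ("2021-09-03T14:05:00", "ws-17", "lateral_movement", "remote service created on srv-02"),
    ("2021-09-03T14:06:00", "ws-17", "command_and_control", "periodic beacon to new domain"),
    ("2021-09-02T11:00:00", "ws-40", "credential_access", "LSASS process memory read"),
]


def correlate(events, window=timedelta(days=30), min_stages=3):
    """Return {host: stages in kill-chain order} for every host whose events cover
    at least `min_stages` distinct pre-detonation stages within `window`.

    A lone alert (ws-40 above) never qualifies on its own; a chain of behaviors
    on one host does, which is the 'operation-centric' view the article argues for.
    """
    by_host = {}
    for ts, host, stage, _detail in sorted(events):  # ISO-8601 strings sort chronologically
        by_host.setdefault(host, []).append((datetime.fromisoformat(ts), stage))

    findings = {}
    for host, seq in by_host.items():
        recent = []
        for ts, stage in seq:
            recent.append((ts, stage))
            recent = [e for e in recent if ts - e[0] <= window]  # slide the window forward
            seen = {s for _, s in recent}
            if "payload_detonation" in seen:
                continue  # past the early-detection point; left to a separate response rule
            if len(seen) >= min_stages:
                findings[host] = [s for s in STAGES if s in seen]
    return findings


if __name__ == "__main__":
    for host, chain in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {' -> '.join(chain)}")
```

Tuning `window` and `min_stages` is the trade-off the article alludes to: a short window misses the low-and-slow pattern, and `correlate(SAMPLE_EVENTS, window=timedelta(hours=1))` returns nothing for the same host.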

Early Detection Requires All Available Telemetry

Competing offerings like those from Crowdstrike and SentinelOne cannot provide effective behavioral conviction of RansomOps attacks because their platforms cannot analyze events at scale and are forced to filter out critical telemetry. They try to pass this off as a feature by calling it Smart Filtering, but eliminating the telemetry required to detect and stop an attack at its earliest stages undermines the ability to truly automate the detection and response of complex RansomOps attacks.

But organizations can leverage the power of AI-driven Cybereason XDR, which combines the industry-leading MalOp™ Detection Engine, analyzing more than 23 trillion security-related events per week, with Google Cloud’s analytics engine, which ingests and normalizes petabytes of telemetry from across the entire IT environment.

The combination of Cybereason and Google capabilities means that no telemetry is filtered out, which allows the AI/ML predictive analytics to identify RansomOps attack activity earlier and remediate the threat faster.

Cybereason is dedicated to teaming with Defenders to end ransomware attacks on the endpoint, across the enterprise, to everywhere the battle is taking place. Learn more about Cybereason AI-driven XDR here, browse our ransomware defense resources, or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.

About the Author

Anthony M. Freed

Anthony M. Freed is the Senior Director of Corporate Communications for Cybereason and was formerly a security journalist who authored feature articles, interviews and investigative reports which have been sourced and cited by dozens of major media outlets. Anthony also previously worked as a consultant to senior members of product development, secondary and capital markets from the largest financial institutions in the country, and he had a front row seat to the bursting of the credit bubble.
