Cybereason Blog | Cybersecurity News and Analysis

Ransomware vs. AI: The Battle Between Machines

Written by Anthony M. Freed | Apr 5, 2022 1:15:06 PM

According to recent reporting, the majority of respondents said their organizations were targeted by a ransomware attack in 2021. In an independent global study covered by Forbes, 80% of IT and security professionals indicated that ransomware attacks had hit their organizations during the year. 

Of those who did experience a ransomware infection, 60% revealed that their organization paid a ransom. But the ransom payment is just one of many costs borne by organizations who are the victims of a ransomware attack. 

In our recent ransomware report, titled Ransomware Attacks and the True Cost to Business, two-thirds of organizations stated that they suffered significant revenue losses following a ransomware attack. Slightly less than that (53%) indicated that the ransomware infection had damaged their organization’s brand and reputation. 

Organizations also lost C-Level talent (32%), were forced to lay off employees due to financial pressures (29%), and even suspended operations temporarily or completely (26%). These findings raise an important question: Where is the ransomware threat landscape moving? 

Ransomware Attacks Leveraging AI/ML

The security community might begin seeing ransomware attacks that incorporate Artificial Intelligence (AI) and/or Machine Learning (ML) in the attack flow. This would involve ransomware operations using AI/ML to streamline their reconnaissance of the target and as part of their infection chains to optimize payloads to the targeted network.

“Some researchers have done lab tests and created in-house AI malware. It’s certainly a possible thing, but how we’re going to actually see it, how often we see it, is really what concerns me the most,” reported VentureBeat

“I really do see AI and machine learning being used for grabbing data from leaks, or from social media or from anywhere else to create profiles of particular users or your ideal victim profile. You can use all that information to create far more efficient spear-phishing against businesses or anybody else you want.” 

Additionally, threat actors can use AI/ML to discover paths for spreading malware by scouring the web for known exploit channels. They can then apply that knowledge with the help of AI/ML tools once they’ve established a foothold on a target’s network to propagate their malware.

Ransomware Attacks: Complex and Pervasive

It’s important to note that the security community hasn’t necessarily confirmed that AI/ML capabilities have been used in ransomware attacks just yet, but that doesn’t mean ransomware infections today aren’t already more sophisticated than in recent years in a way that challenges traditional security approaches. The most significant indicator of this is that many malware gangs don’t distribute ransomware by way of mass spam email campaigns or unfocused watering-hole and drive-by attacks anymore. 

Instead, they are increasingly engaged in more complex, low-and-slow attacks designed to compromise as much of the targeted network as possible to exact the highest ransom demand from the victims in what’s known as RansomOps attacks. 

RansomOps are different from commodity ransomware attacks of the past, where malicious actors use “spray and pray” tactics to pressure single victims into paying small ransom demands. By contrast, RansomOps are highly targeted, complex attacks more akin to an APT operation. 

RansomOps also typically involve multiple threat actors from the larger Ransomware Economy. This includes threat actors like Initial Access Brokers (IABs) who penetrate the network, Ransomware-as-a-Service (RaaS) providers who provide the attack infrastructure and malicious code, the RaaS associates who carry out the attack, and more.

RansomOps use an array of advanced techniques to complicate detection and response. In March 2021, for example, Threatpost reported on a new Ryuk ransomware variant that came with the ability to self-propagate as a worm. Ryuk’s operators accomplished this by scanning for network shares and copying a version of their ransomware executable wherever they found those assets using the Server Message Block (SMB) Windows function. 

Some RansomOps also use evasion tactics to fly under the radar of traditional security solutions. For example, a Conti ransomware variant back in February 2021 used “API-by-hash” to apply two layers of encryption over its functions, thus making the work of a reverse engineer more difficult. It was nearly a year later when researchers wrote about White Rabbit’s use of a specific command-line password to conceal its internal configuration. The list goes on.

Fighting RansomOps with AI/ML

Organizations need all the help they can get to defend against these threats—even before ransomware actors begin leveraging AI/ML–by leveraging AI/ML-powered solutions as a force multiplier for their already overtasked security teams.

The reason why traditional ransomware prevention approaches are not effective against RansomOps attacks is that there’s too much focus on the tail-end of attacks—the detonation of the ransomware payload. 

Yet, little to no attention is paid to the weeks and even months of detectable activity by the threat actors, such as initial ingress, lateral movement, the compromise of credentials, privilege escalation, and establishing command and control that come long before the actual ransomware ever enters the equation.

Organizations are turning to Extended Detection and Response (XDR) solutions powered by AI/ML to enable their security teams to automate triage, investigation, and remediation efforts at scale to detect RansomOps at the earliest stages of an attack. 

AI/ML-driven XDR can enable security teams to cut through the noise introduced by a constant flood of threat alerts, allowing security professionals to spend less time sifting through alerts and chasing false positives and more time working to improve the organization's overall security posture.

An AI-driven XDR solution can analyze large telemetry data sets with a high degree of accuracy to identify the most subtle Indicators of Behavior (IOBs) at a scale that manual human analysis can never match. The advantage here is in automating the detection of events that usually require human analysis and relieving security teams of the inefficient task of sorting the signal from the noise on the network.

AI/ML are critical to automating correlations by analyzing data at a rate of millions of events per second, so instead of manually querying data, analysts can spend more time acting on the insights produced by AI/ML across disparate assets on the network.

AI-driven XDR allows analysts to quickly identify malicious chains of behavior, never before seen malware variants, and detect complex RansomOps attack sequences earlier to swiftly remediate known and unknown threats regardless of where they occur in an organization’s environment.

Such visibility enables security teams to respond to an event before it becomes a major security issue and introduce measures designed to increase the burden on attackers.



Cybereason is dedicated to teaming with Defenders to end ransomware attacks on the endpoint, across the enterprise, to everywhere the battle is taking place. Learn more about AI-driven Cybereason XDR here, browse our ransomware defense resources, or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.