The Evolving Threat of Ransomware

The threat of ransomware looms larger than ever before in the ever-evolving landscape of cybersecurity. Originally considered an IT issue, ransomware has since evolved into a threat that affects businesses, governments, and individuals alike. As ransomware actors become more sophisticated, defenders face significant challenges.

In my role as a senior consulting director at Unit 42, the threat intelligence and incident response division of Palo Alto Networks, I am able to provide valuable insight into the various impacts of malicious cyber attacks and ransomware on our daily lives. Recently, I had the chance to address the House Financial Services Subcommittee on National Security, Illicit Finance and International Financial Institutions and share my perspective. During my testimony, I highlighted essential actions that lawmakers and organizations alike can implement to bolster their defenses against these threats immediately.

In the ever-evolving world of ransomware, there is a continual battle between those who commit these attacks and those who defend against them. Not only are attackers refining their methods, but they are also expanding their approaches in order to make their assaults more impactful. In 2023, Unit 42 found that the average demand for ransom was $4 million per incident, with some incidents reaching staggering amounts of up to $35 million. The most recent Ransomware and Extortion Report from Unit 42 revealed concerning patterns, such as a rise in harassing actions, the use of multiple extortion techniques and the development of new ways to initially breach systems.

Consequently, artificial intelligence is becoming more and more integrated into ransomware operations. Cybercriminals are using artificial intelligence to amplify social engineering attacks, making phishing emails and voice calls more convincing and difficult to detect. Further, AI enables attackers to identify vulnerabilities and critical assets with unprecedented speed and efficiency, accelerating and scaling their attacks.

In addition to encrypting data and demanding payments, ransomware actors have adopted multi-extortion tactics, threatening to leak stolen data to the dark web if ransom demands aren’t met. As a result of this multifaceted approach, victims’ stakes are significantly raised, resulting in more likely payment and heightened attacks’ impact.

Despite the heightened threat, numerous organizations are still susceptible to ransomware attacks as a result of their internet-facing attack surfaces. There is a prevalent issue with poor configurations on Remote Desktop Protocol (RDP), which serves as a prime target for these attacks. Though RDP offers remote working capabilities, inadequate configuration and control can grant adversaries significant access to administrative privileges within a network, exacerbating the potential impact of a network intrusion.

In our annual attack surface threat report, we find that 20% of all exposures on the public internet are due to RDP misconfigurations. A majority of organizations we observed with these exposures left them unaddressed for at least 25% of the month.

Rapid and effective incident response is essential when faced with a ransomware attack. Organizations must be able to detect intrusions promptly, contain threats, and restore operations quickly.

In order to give defenders an edge, AI-driven SOCs need to be used. By leveraging AI and automation, defenders will be able to mitigate threats with unprecedented speed and accuracy, significantly enhancing incident response efforts. Using this technology, our cybersecurity professionals will have a force multiplier and will be able to detect and respond more quickly.

This technology has shown promising results in our own company networks so far. The average number of events we ingest each day is 36 billion, and we use AI-driven data analysis to automatically reduce that number to just eight which require manual attention. Further, our Mean Time to Detect has been reduced to just 10 seconds and our Mean Time to Respond has been reduced to just one minute for high-priority alerts.

It has been encouraging to see immediate customer benefits. We have already seen a reduction in mean response times from weeks to days to hours and minutes. In order to minimize the impact of an incident and prevent ransomware threat actors from encrypting systems or stealing sensitive data, such a reduction is essential. By using this tool, incident close-out rates have dramatically increased from 20% before deployment to 100% after deployment.

To increase their cyber resilience to ransomware attacks and other cyber threats, organizations should take the following actions:

1.       Establish a plan for responding to incidents.
2.       Ensure that all attack surfaces are visible.
3.       Utilize AI and automation to modernize security operations and relieve overworked analysts.
4.       Establish a Zero Trust network architecture across the enterprise.
5.       The infrastructure and applications of the cloud should be protected.

The fight against ransomware requires a collaborative approach, involving stakeholders from the public and private sectors. Sharing threat intelligence and fostering innovation in cybersecurity require partnerships between industry, government, and civil society. It is imperative that that spirit of partnership remains ingrained in the cybersecurity community – that we are all in this together.

We appreciate the U.S. Congress’ interest in this critical issue, as helping organizations bounce back in tough times is an extremely rewarding line of work.