Ransomware is big business and getting bigger. More than $1 billion was paid out in ransoms in 2023, and 2024 looked set to exceed that record after the $75 million payment to the Dark Angels gang reported in July 2024. As ransomware has grown more profitable, more gangs have adopted the combined tactic of encrypting data and exfiltrating it, using the stolen copy to blackmail targets for larger payouts.
The growing availability of artificial intelligence and machine learning tools has led these gangs to adopt AI capabilities in greater numbers. With them, cybercriminals can build ransomware that evades detection more reliably, spreads more effectively, and extracts larger payments. This post examines the potential of AI-enhanced ransomware and what it means for defenders.
The Evolution of Ransomware
Ransomware has come a long way since its early days. It was long a niche strategy because collecting payment was hard; the arrival and popularization of cryptocurrency, starting with Bitcoin in 2009, meant that gangs could finally receive payment quickly and pseudonymously, moving large sums across national borders in seconds. Although such transactions are technically traceable on a public ledger, prosecution usually requires international cooperation that is often lacking between governments.
Ransomware has also evolved technically. Originally, threat actors only encrypted data and released the decryption key once payment arrived. Now double extortion adds the threat to publish stolen data on a leak site unless a larger ransom is paid, and triple extortion layers on further pressure, such as threatening the victim's customers and partners or launching DDoS attacks.
But even these more advanced forms of ransomware have limitations. They tend to follow predictable patterns that can be detected, and their propagation methods can be blocked. Moreover, many recent ransomware attacks are evolutions of older families rather than net-new threats, so understanding ransomware families lets defenders recognize which gangs are attacking and tune defenses accordingly.
This is where AI comes in.
How AI Enhances Ransomware Capabilities
Artificial intelligence and machine learning have long been used defensively to improve detection and response to novel attacks. The ready availability of large language models (LLMs) and the explosion of open source machine learning models, however, now give ransomware developers powerful new capabilities as well:
- Evasion of Security Controls – AI-powered ransomware could use machine learning to profile normal system behavior and mimic it, blending in with legitimate processes to evade security software. It could also rewrite its own code so that each sample differs from the last, staying ahead of antivirus signatures.
- Intelligent Targeting – Instead of indiscriminately encrypting files, AI ransomware can use natural language processing to scan documents and identify the most valuable data to target. It can also analyze network traffic and user behavior to determine optimal times to strike and which systems to prioritize.
- Adaptive Encryption – Machine learning could let ransomware tune how it encrypts to each host's resources and data types, for example encrypting only portions of large files (intermittent encryption) to finish faster and generate less suspicious I/O before detection fires. Note that the strength of the cryptography is not what changes: a properly implemented cipher is already unbreakable without the key, so the optimization buys speed and stealth rather than harder decryption.
- Automated Exploitation – AI can rapidly probe networks for vulnerabilities and automatically exploit them to propagate. It can also generate convincing phishing lures customized for each target.
- Negotiation Bots – Some ransomware groups are developing AI-powered chatbots to handle ransom negotiations. These bots can engage victims 24/7 and use psychological tactics to maximize payments.
As AI capabilities advance, we may soon see scenarios like:
- Ransomware that uses voice cloning to make convincing ransom calls to executives.
- Malware that learns organization charts to strategically target key personnel.
- Attacks that analyze financial data to set optimal ransom amounts for each victim.
Already, government agencies such as the UK's National Cyber Security Centre (NCSC) are warning about the rise of AI-powered ransomware, assessing that AI will increase both the volume and the impact of attacks in the near term. As more threat actors and ransomware-as-a-service operators integrate machine learning, attacks that use these capabilities for encryption and extortion will become more common.
Challenges in Defending Against AI Ransomware
Protecting against AI-powered ransomware poses significant challenges:
- Unpredictable Behavior – The adaptive nature of AI-powered ransomware makes its actions less predictable and harder to model. Traditional signature-based detection becomes largely ineffective.
- Speed of Attack – AI can enable ransomware to spread and encrypt at speeds that outpace human response times. By the time an attack is detected, it may be too late.
- Intelligent Evasion – As defenders deploy AI-based security tools, attackers will use adversarial machine learning techniques to evade them, leading to an AI vs. AI arms race.
- Resource Intensity – Effectively defending against AI ransomware may require substantial computing resources to run advanced threat detection models in real-time.
Defending Against AI-Powered Ransomware
AI-powered ransomware is a greater threat to organizations than older attack tactics, but organizations are not helpless. The basics still apply: patch critical vulnerabilities promptly, monitor network traffic, and maintain offline (or otherwise immutable) backups that the ransomware cannot reach.
More advanced defenses include encrypting data at rest, in use, and in transit, so that even if a gang exfiltrates data, the copy it holds is useless without the key. This only works if the key is managed separately from the data: transparent disk encryption protects a stolen drive, but on a running system an attacker with a compromised account reads files in the clear. Application- or field-level encryption with keys held in a separate key management service means a threat actor would need to steal the decryption key in addition to the data, or break the cipher itself. Many breach-notification regimes also exempt data that was unintelligible to the attacker, which limits the fallout of an exfiltration.
Financially motivated threat actors are opportunistic, and any additional difficulty in their workflow encourages them to look for a softer target. Combining encryption at rest and in use makes your systems a more complex target and thus a less attractive one.
You also need anomaly detection and behavior analysis that baseline how systems normally behave and flag unusual access. Ransomware makes systems and assets behave abnormally: bursts of file writes and renames, high-entropy data replacing readable files, and, where compromised credentials are in use, logins to systems that account has never touched. Detecting that behavior lets you see where an attack is in progress and respond before it spreads.
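The kind of behavior analysis described above, as an added example that is not Sotero's product code: a detector that watches a stream of file events per host and user, counting high-entropy writes (ciphertext has close to 8 bits per byte of Shannon entropy, text far less) and renames to a single new extension inside a sliding window, and alerting only when both signals cross a threshold. The event format, the thresholds and the telemetry below are all constructed for the illustration.

```python
"""Behavior-based ransomware detection over a stream of file events.

Added illustration, not product code. All telemetry is constructed for the
example, and the event fields and thresholds are assumptions.
"""
import math
import random
from collections import Counter, defaultdict, deque
from typing import NamedTuple, Optional


class FileEvent(NamedTuple):
    ts: float                       # seconds since epoch (synthetic)
    host: str
    user: str
    op: str                         # "write" or "rename"
    path: str
    new_path: Optional[str] = None  # rename target
    data: bytes = b""               # bytes written, for "write" events


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: about 8.0 for ciphertext or random data, 4-5 for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def extension(path: str) -> str:
    dot = path.rfind(".")
    return path[dot:].lower() if dot > path.rfind("/") else ""


class RansomwareDetector:
    """Flags a (host, user) pair when, inside one sliding window, it both
    writes many high-entropy files and renames many files to one new
    extension. Either signal alone fires on legitimate activity (archiving,
    bulk renames); together they are the classic encryption footprint."""

    def __init__(self, window_s=60.0, entropy_threshold=7.5,
                 min_hi_entropy_writes=20, min_ext_renames=20):
        self.window_s = window_s
        self.entropy_threshold = entropy_threshold
        self.min_hi = min_hi_entropy_writes
        self.min_renames = min_ext_renames
        self.windows = defaultdict(deque)   # (host, user) -> deque[(ts, kind, ext)]
        self.alerted = set()

    def observe(self, ev: FileEvent) -> Optional[str]:
        key = (ev.host, ev.user)
        q = self.windows[key]
        if ev.op == "write" and shannon_entropy(ev.data) >= self.entropy_threshold:
            q.append((ev.ts, "hi_entropy", ""))
        elif ev.op == "rename" and ev.new_path:
            new_ext = extension(ev.new_path)
            if new_ext and new_ext != extension(ev.path):
                q.append((ev.ts, "ext_change", new_ext))
        while q and ev.ts - q[0][0] > self.window_s:    # expire old signals
            q.popleft()
        hi = sum(1 for _ts, kind, _ext in q if kind == "hi_entropy")
        ext_counts = Counter(ext for _ts, kind, ext in q if kind == "ext_change")
        top_ext, top_n = ext_counts.most_common(1)[0] if ext_counts else ("", 0)
        if hi >= self.min_hi and top_n >= self.min_renames and key not in self.alerted:
            self.alerted.add(key)          # one alert per (host, user)
            return (f"ALERT {ev.host}/{ev.user}: {hi} high-entropy writes and "
                    f"{top_n} renames to '{top_ext}' within {self.window_s:.0f}s")
        return None


def build_sample_events():
    """Constructed telemetry: ten minutes of ordinary editing by alice on
    ws-01, then a 25-second encryption burst by bob on ws-02."""
    rng = random.Random(1)
    text = b"Quarterly report draft: revenue, costs, open questions, notes.\n"
    t = 1_700_000_000.0
    events = [FileEvent(t + i * 20, "ws-01", "alice", "write",
                        f"/home/alice/docs/report{i}.txt", data=text * 64)
              for i in range(30)]
    events.append(FileEvent(t + 650, "ws-01", "alice", "rename",
                            "/home/alice/docs/report1.txt",
                            new_path="/home/alice/docs/report1.md"))
    t2 = t + 700
    for i in range(25):
        cipher_like = bytes(rng.getrandbits(8) for _ in range(4096))
        path = f"/srv/share/finance/ledger{i}.xlsx"
        events.append(FileEvent(t2 + i, "ws-02", "bob", "write", path, data=cipher_like))
        events.append(FileEvent(t2 + i + 0.5, "ws-02", "bob", "rename", path,
                                new_path=path + ".locked"))
    return events


def run_demo():
    det = RansomwareDetector()
    return [a for a in map(det.observe, build_sample_events()) if a]


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Requiring both signals is the design choice worth noting: a backup job or a compression tool produces high-entropy writes, and a bulk rename produces extension changes, but only an encryptor produces both in the same short window from the same account. In production the thresholds would be tuned per baseline, and the same window logic extends to logon telemetry for the compromised-credential case.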
How Sotero Helps Defend Against AI-Powered Ransomware
Sotero offers a cloud-focused ransomware protection solution that safeguards cloud resources and prevents spread to connected internal resources. It relies on behavior-based anomaly detection rather than traditional signatures: machine learning establishes usage and access baselines within the cloud infrastructure, against which suspicious activity is identified early. Responses include terminating access, logging, and generating alerts, reducing the risk of data exfiltration and potential breach-related fines.
Learn more about how Sotero can prevent ransomware in your cloud environment. Get your free eBook today.