By Adithya Nugraputra, Head of Consulting at Ensign InfoSecurity Indonesia
Ransomware attacks, a type of cyberattack aimed at extorting a ransom, have increased dramatically worldwide. Throughout 2023, several major global organizations, including Toyota, the National Basketball Association (NBA), and AXA, were recorded as victims of ransomware attacks. According to the United States government, ransomware attacks have disrupted services and businesses, affecting banks, government offices, hospitals, energy companies, and many other industries. In 2022, organizations worldwide detected 493.33 million ransomware attacks, a significant increase from 304.64 million in 2020. The number spiked in 2021, reaching 623.25 million, driven by factors such as the widespread shift to remote work during the pandemic, which opened new opportunities for cybercriminals. Although the figure fell slightly in 2022, reported ransomware attacks remained far above the 2020 level.
In Indonesia, ransomware has hit a range of critical organizations, from marketplaces and banks to the public sector. The Threat Landscape Report 2023, Fourth Edition by Ensign InfoSecurity identifies the financial sector as one of the four favorite targets for cyberattacks in Indonesia. The National Cyber and Crypto Agency has also named ransomware as one of the three most frequent types of cyber incident in Indonesia. At least 17 ransomware attacks that ended with sensitive data being published occurred during 2023.
Ransomware is expected to persist as attack methods evolve. The World Economic Forum Global Risk Report states that around 85 percent of cybersecurity community leaders emphasize that ransomware will become increasingly dangerous and pose a significant threat to cybersecurity. This is due in part to collaboration between attackers, which raises their chances of success. The situation is made worse by ransomware as a service (RaaS), which lets individuals with no hacking skills carry out attacks by purchasing ready-made ransomware.
At the same time, ransomware schemes are now layered, so that extortion continues even after the victim has paid the initial ransom. In double extortion attacks, for example, cybercriminals not only encrypt the target's data but also steal a copy of it and threaten to leak or sell it on the dark web unless an additional ransom is paid.
In the triple extortion scheme, attackers add a Distributed Denial-of-Service (DDoS) attack against the victim's servers, generating a surge of traffic that exceeds the servers' capacity. The resulting website outage (downtime) is a deliberate source of additional pressure on the victim to comply with the demands.
In a further escalation, attackers may contact parties connected to the victim, such as customers and partners, directly over voice over internet protocol (VoIP) calls to pressure the victim into paying. This approach is intended both to compel payment and to lay the groundwork for a quadruple extortion scenario.
Adding generative Artificial Intelligence (AI) to this scenario paints an even darker picture. With advanced AI systems, attackers can generate synthetic voices and hold conversations that convincingly mimic real people. This capability can be used to deceive affiliated parties by imitating the voice of the victim or of other key personnel. By integrating generative AI, attackers can create highly realistic voice phishing schemes, intensify the pressure on victims, and increase the likelihood that the ransom is paid.
The Power of Artificial Intelligence
The rapidly evolving methods of ransomware attacks need to be addressed effectively by an organization's cybersecurity team. AI technology plays a crucial role in strengthening cybersecurity. Combining traditional methods with AI-based behavioral analysis allows an organization's cybersecurity system to be more adaptive and responsive to emerging threats. With behavior-based systems, cybersecurity teams can detect and thwart advanced attacks that slip past traditional defenses, identify intrusion attempts early, and combat ransomware attacks effectively.
Furthermore, AI-supported cyber analysis and behavior-based detection models let cybersecurity teams spot attacker activity at every stage of the ransomware cyber kill chain. Below are specific examples of how AI-supported cybersecurity can counter ransomware at different stages of the kill chain.
First, the initial access stage. At this stage attackers commonly use phishing to deliver malicious payloads into the target system, manipulate sensitive information, or trick employees into entering their credentials on fake domains. These payloads often consist of links that redirect targets to malicious websites or domains.
Two common domain-based phishing techniques are typosquatting and homoglyph attacks. Typosquatting targets internet users who mistype a website address, landing them on fake sites that closely resemble the genuine ones, for example "twitterr.com" (fake) instead of "twitter.com" (genuine), or "goggle.com" (fake) in place of "google.com" (genuine).
Homoglyph attacks, on the other hand, trap users who click on hyperlinks that look legitimate but contain visually similar characters, for example "àpple.com" (fake, because of the homoglyph character "à") versus "apple.com" (genuine, in ordinary Latin letters). Both techniques can be countered with AI-based detection methods that stop the attack before it escalates to more serious stages.
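As an added illustration (not code from the original article or from Ensign InfoSecurity), the following Python script shows the mechanics behind detecting both kinds of look-alike domains. It reduces a hostname to a plain-Latin "skeleton" (decoding punycode, stripping accents such as the "à" above, and mapping letters from other scripts that resemble Latin ones) to catch homoglyphs, and uses edit distance against a list of protected brand domains to catch typosquats. The protected-domain list and the confusable-character table are constructed, abbreviated examples; a real deployment would load its own brand list and the full Unicode confusables data.

```python
import unicodedata

# Constructed allow-list of the brand domains this (hypothetical) organization
# wants to protect; a deployment would load its own list.
PROTECTED_DOMAINS = ["twitter.com", "google.com", "apple.com"]

# Constructed partial table of letters from other scripts that look like Latin
# letters. A production detector would use the full Unicode confusables data.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",   # Cyrillic a e o p
    "\u0441": "c", "\u0445": "x", "\u0455": "s", "\u0456": "i",   # Cyrillic c x s i
    "\u03b1": "a", "\u03bf": "o", "\u03bd": "v",                  # Greek alpha omicron nu
}


def decode_idna(hostname):
    """Turn punycode labels (xn--...) back into Unicode so look-alike letters
    become visible; anything that is not valid IDNA is returned unchanged."""
    try:
        return hostname.encode("ascii").decode("idna")
    except UnicodeError:
        return hostname


def skeleton(hostname):
    """Reduce a hostname to the plain-Latin string a human would perceive:
    decode punycode, lowercase, strip accents, map confusable letters."""
    text = decode_idna(hostname).lower()
    text = unicodedata.normalize("NFKD", text)  # "à" -> "a" + combining grave accent
    text = "".join(ch for ch in text if unicodedata.category(ch) != "Mn")  # drop accents
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


def levenshtein(a, b):
    """Edit distance: one substitution, insertion or deletion each costs 1."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1,               # deletion
                               current[j - 1] + 1,            # insertion
                               previous[j - 1] + (ca != cb)))  # substitution
        previous = current
    return previous[-1]


def classify(hostname, protected=PROTECTED_DOMAINS, max_distance=2):
    """Return (verdict, protected domain being imitated or None).

    'homoglyph' : different characters on the wire, identical once reduced to a skeleton
    'typosquat' : skeleton within max_distance edits of a protected domain
    """
    host = hostname.lower().rstrip(".")
    if host in protected:
        return "legitimate", host
    skel = skeleton(host)
    for good in protected:
        if skel == good:
            return "homoglyph", good
    for good in protected:
        distance = levenshtein(skel, good)
        if 0 < distance <= max_distance:
            return "typosquat", good
    return "unknown", None


if __name__ == "__main__":
    # Constructed test hostnames: the article's examples plus the punycode form
    # of apple.com spelled with a Cyrillic "a" (xn--pple-43d.com).
    for name in ["twitter.com", "twitterr.com", "goggle.com",
                 "\u00e0pple.com", "xn--pple-43d.com", "example.org"]:
        print(f"{name:20} -> {classify(name)}")
```

The skeleton step is what makes the homoglyph case tractable: "àpple.com" and "xn--pple-43d.com" are different byte strings and neither is within a small edit distance of "apple.com" as written, but both collapse to exactly "apple.com" once accents and confusable letters are normalized. The typosquat rule runs on the skeleton too, so a domain that combines both tricks is still caught.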
Secondly, the command and control (C2) stage. By this phase the malicious payload has entered the target system and uses Domain Generation Algorithm (DGA) techniques so that it does not depend on static C2 IP addresses or domain names. DGA is a popular technique among cybercriminals for generating unpredictable domain names that evade detection of C2 communication.
Defenders can use DGA detection techniques to identify potentially compromised devices that show DGA characteristics by analyzing the domain names they query and when those names appear. Also in the C2 stage, once the malware has gained control of the target device or network, attackers may communicate with the C2 server over DNS. Cybersecurity teams can apply DNS tunneling detection to identify two-way data transfer hidden in DNS query strings, particularly where the attacker controls both the domain (the website address) and its authoritative name server (the server that answers queries for that domain with the IP addresses it chooses). AI-based cyber analysis can distinguish malicious DNS tunneling from legitimate uses of the same technique, reducing the false positive rate. Swift detection of such activity helps organizations respond effectively and promptly, eliminating the threat before the perpetrators exfiltrate data and take full command and control.
Thirdly, the data exfiltration stage. This is typically the final stage of a ransomware attack, in which attackers transfer data out of the victim's network, especially in layered extortion scenarios. Using AI-based cyber analysis, cybersecurity teams can detect one-way DNS traffic in which attackers, having taken over an authoritative server, extract critical information encoded in sub-domain queries. They can also use email theft detection models that analyze the behavior of every email and mailbox in the organization, with the goal of detecting anomalies and flagging suspicious emails that indicate possible data theft.
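As an added example covering both the DGA and DNS tunneling detection described for the C2 stage and the sub-domain exfiltration described here (not code from the original article or from Ensign InfoSecurity), the following Python script runs simple feature-based rules over a constructed DNS query log. Per-domain length, character entropy and vowel ratio stand in for the features a DGA classifier would be trained on, and per-client counts of long, high-entropy sub-domains sent to a single zone flag tunneling or exfiltration. The log lines, the thresholds and the allow-list of zones that legitimately encode data in DNS are all constructed; the .example zones are reserved placeholder names, not real hosts.

```python
import math
from collections import defaultdict

# Constructed DNS query log, one "<timestamp> <client-ip> <query-name> <qtype>" per line.
# 10.0.0.45 makes DGA-style lookups, 10.0.0.77 pushes hex-encoded data out through
# sub-domains of an attacker-controlled zone, and 10.0.0.12 talks to a security
# product that legitimately encodes telemetry in DNS. The .example zones are
# RFC 2606 reserved placeholders.
SAMPLE_LOG = """\
2023-11-02T08:00:01 10.0.0.12 www.kompas.com A
2023-11-02T08:00:02 10.0.0.12 mail.google.com A
2023-11-02T08:00:03 10.0.0.45 xjq3k9v2lpw8r.net A
2023-11-02T08:00:03 10.0.0.45 pq7zt0mvb4hsy.com A
2023-11-02T08:00:04 10.0.0.45 w9k2dnqx7rbfl.info A
2023-11-02T08:00:05 10.0.0.45 h4zq8wtyl1nsd.org A
2023-11-02T08:00:06 10.0.0.77 9f3c1a7e5b2d8c4f6a0e1d7b3c9f2a5e.exfil.example TXT
2023-11-02T08:00:06 10.0.0.77 b7e2d9a4c1f8e3b6d0a5c7f2e9b4d1a8.exfil.example TXT
2023-11-02T08:00:07 10.0.0.77 4c8e1f7a2b9d5e0c3f6a8b1d4e7c2f9a.exfil.example TXT
2023-11-02T08:00:07 10.0.0.77 e1a6f3c8b5d2e9f0a7c4b1d8e5f2a9c6.exfil.example TXT
2023-11-02T08:00:08 10.0.0.12 3f2a9c1b7e6d4a0f5b8c2d1e9f0a7b6c.telemetry.example TXT
2023-11-02T08:00:09 10.0.0.12 7b1e4c9a2f6d0b3e8a5c1f7d2b9e4a6c.telemetry.example TXT
2023-11-02T08:00:10 10.0.0.12 a4c7e1b9f2d6a8c3e5b0d7f4a1c9e2b6.telemetry.example TXT
"""

# Constructed allow-list of zones known to carry legitimate DNS-encoded traffic;
# this is the "legitimate entities" case that an untuned detector would flag.
ALLOWED_TUNNEL_ZONES = {"telemetry.example"}


def parse_log(text):
    """Parse the constructed log format into a list of query records."""
    records = []
    for line in text.splitlines():
        ts, client, qname, qtype = line.split()
        records.append({"ts": ts, "client": client,
                        "qname": qname.lower().rstrip("."), "qtype": qtype})
    return records


def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score high."""
    if not s:
        return 0.0
    counts = {ch: s.count(ch) for ch in set(s)}
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def split_name(qname):
    """Split a query name into (sub-domain, zone), taking the last two labels as the
    zone. A real system would consult the Public Suffix List instead of this shortcut."""
    labels = qname.split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def dga_features(qname):
    """Features of the registered (second-level) label a DGA classifier would use."""
    _, zone = split_name(qname)
    sld = zone.split(".")[0]
    vowels = sum(ch in "aeiou" for ch in sld)
    return {"length": len(sld), "entropy": shannon_entropy(sld),
            "vowel_ratio": vowels / max(len(sld), 1)}


def looks_like_dga(qname, min_len=10, min_entropy=3.0, max_vowel_ratio=0.3):
    """Threshold rule standing in for a trained model; the thresholds are constructed."""
    f = dga_features(qname)
    return (f["length"] >= min_len and f["entropy"] >= min_entropy
            and f["vowel_ratio"] <= max_vowel_ratio)


def dga_suspects(records):
    """Map each client to the number of DGA-looking names it queried."""
    hits = defaultdict(int)
    for r in records:
        if looks_like_dga(r["qname"]):
            hits[r["client"]] += 1
    return dict(hits)


def dns_tunnel_suspects(records, allowed=ALLOWED_TUNNEL_ZONES,
                        min_unique=3, min_sub_len=24, min_entropy=2.5):
    """Flag (client, zone) pairs that sent many distinct long, high-entropy
    sub-domains to one zone: the signature of data riding inside query names."""
    groups = defaultdict(set)
    for r in records:
        sub, zone = split_name(r["qname"])
        if zone in allowed:
            continue  # known legitimate DNS-encoded traffic, suppress the false positive
        if len(sub) >= min_sub_len and shannon_entropy(sub) >= min_entropy:
            groups[(r["client"], zone)].add(sub)
    return {key: len(subs) for key, subs in groups.items() if len(subs) >= min_unique}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("DGA suspects:", dga_suspects(recs))
    print("DNS tunnel / exfil suspects:", dns_tunnel_suspects(recs))
    print("Without allow-list:", dns_tunnel_suspects(recs, allowed=set()))
```

Run with the allow-list emptied, the telemetry zone is reported alongside the real exfiltration, which is the false-positive problem the article attributes to legitimate DNS tunneling; keeping such zones on an allow-list (or learning them from baseline traffic) is what lets the detector stay useful. The DGA rule only looks at the registered label, so the hex sub-domains of the exfiltration zone do not trip it, and the tunneling rule ignores names with no sub-domain, so the two detections stay independent.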
Cybersecurity Protocols
So, what should organizations do to stay ahead in cybersecurity? First, they must strengthen their ability to detect attacks early and break the cyber kill chain being executed by the attacker; they should not rely solely on cybersecurity protection guarantees or on paying the ransom. Second, implement strict data protection and access-rights management to safeguard sensitive data, with regular, comprehensive reviews of critical data so that a ransomware attack has minimal impact on the business. Third, adopt the zero-trust principle: verify every party, without exception, before granting access to systems, and keep validating continuously beyond traditional defense processes. This limits the impact of a ransomware attack and ensures that systems are accessed only as needed and only after verification.
Lastly, leverage AI-supported cyber analysis in the battle against ransomware. By following all of these steps, an organization's cybersecurity posture will become stronger.
This article was published on Kompas.com under the title "The Role of Artificial Intelligence in Combating Ransomware".
Editor: Sandro Gatra