....
RANSOMWARE ATTACKS LEVERAGING AI/ML
The security community might begin seeing ransomware attacks that incorporate Artificial Intelligence (AI) and/or Machine Learning (ML) in the attack flow. This would involve ransomware operations using AI/ML to streamline their reconnaissance of the target and as part of their infection chains to optimize payloads to the targeted network.
“Some researchers have done lab tests and created in-house AI malware. It’s certainly a possible thing, but how we’re going to actually see it, how often we see it, is really what concerns me the most,” reported
VentureBeat.
“I really do see AI and machine learning being used for grabbing data from leaks, or from social media or from anywhere else to create profiles of particular users or your ideal victim profile. You can use all that information to create far more efficient spear-phishing against businesses or anybody else you want.”
Additionally, threat actors can use AI/ML to discover paths for spreading malware by scouring the web for known exploit channels. They can then apply that knowledge with the help of AI/ML tools once they’ve established a foothold on a target’s network to propagate their malware.
RANSOMWARE ATTACKS: COMPLEX AND PERVASIVE
It’s important to note that the security community hasn’t necessarily confirmed that AI/ML capabilities have been used in ransomware attacks just yet, but that doesn’t mean ransomware infections today aren’t already more sophisticated than in recent years in a way that challenges traditional security approaches. The most significant indicator of this is that many malware gangs don’t distribute ransomware by way of mass spam email campaigns or unfocused watering-hole and drive-by attacks anymore.
Instead, they are increasingly engaged in more complex, low-and-slow attacks designed to compromise as much of the targeted network as possible to exact the highest ransom demand from the victims in what’s known as
RansomOps attacks.
RansomOps are different from commodity ransomware attacks of the past, where malicious actors use “spray and pray” tactics to pressure single victims into paying small ransom demands. By contrast, RansomOps are highly targeted, complex attacks more akin to an APT operation.
RansomOps also typically involve multiple threat actors from the larger
Ransomware Economy. This includes threat actors like
Initial Access Brokers (IABs) who penetrate the network,
Ransomware-as-a-Service (RaaS) providers who provide the attack infrastructure and malicious code, the RaaS associates who carry out the attack, and more.
RansomOps use an array of advanced techniques to complicate detection and response. In March 2021, for example,
Threatpost reported on a new
Ryuk ransomware variant that came with the ability to self-propagate as a worm. Ryuk’s operators accomplished this by scanning for network shares and copying a version of their ransomware executable wherever they found those assets using the Server Message Block (SMB) Windows function.
Some RansomOps also use evasion tactics to fly under the radar of traditional security solutions. For example, a
Conti ransomware variant back in February 2021 used “API-by-hash” to apply two layers of encryption over its functions, thus making the work of a reverse engineer more difficult. It was nearly a year later when researchers wrote about White Rabbit’s use of a specific command-line password to conceal its internal configuration. The list goes on.
....
