What is self-learning AI and how does it tackle ransomware?

Paid Feature There used to be two certainties in life - death and taxes - but thanks to online crooks around the world, there's a third: ransomware. This attack mechanism continues to gain traction because of its phenomenal success. Despite admonishments from governments, victims continue to pay up using low-friction cryptocurrency channels, emboldening criminal groups even further.

Darktrace, the AI-powered security company that went public this spring, aims to stop the spread of ransomware by preventing its customers from becoming victims at all. To do that, they need a defence mechanism that operates at machine speed, explains its director of threat hunting Max Heinemeyer.

According to Darktrace's 2021 Ransomware Threat Report [PDF], ransomware attacks are on the rise. It warns that businesses will experience these attacks every 11 seconds in 2021, up from 40 seconds in 2016.

"Since 2017, ransomware has exploded," he explains, adding that the rise of cryptocurrency has been a big contributing factor. "Cryptocurrencies have become mainstream and much more accessible, making it much easier for ransomware actors to cash out on ransoms."

Criminal groups have piled in to take advantage. While high-profile attacks on large companies like Colonial and JBS Meats might capture the public's imagination, they're just the tip of the iceberg. Many don't see the thousands of lower-profile attacks that target smaller organisations. Ransomware recovery company Coveware reports that the median number of employees among ransomware victims stood at 200 in Q2 2021, and has actually dropped since the end of 2020.

The threat actors are also more diverse than people think, warns Heinemeyer.

"Attacks sometimes come from sophisticated groups like REvil or BlackMatter that we see in the news, but they're often from unknown groups that don't declare themselves," he says. These are just opportunistic ransomware actors."

The diversity of groups makes it difficult to spot clear attack trends anymore, he adds. Techniques vary between groups that often switch tools over time. Their targets are also diverse.

As an example, the ransomware group FIN12 spent the pandemic attacking healthcare organisations, bucking a trend that saw other ransomware groups swear off these vulnerable targets. It also switched from using TrickBot as a post-breach exploitation tool to other software including Cobalt Strike Beacon.

Monetisation tactics have also evolved, Heinemeyer warns. "They've professionalised tremendously across the board. If encryption of data is not enough to extort money, they use a double threat, exfiltrating data beforehand to apply a second point of pressure," he says.

If that is not enough, some are starting to apply distributed denial of service (DDoS) as a third pressure point to extort money. And some of the ransomware actors have spoken about trying to innovate with newer ways of extorting money by doxing their targets.

Some groups spend lots of time in their targets' networks exfiltrating data to squeeze the maximum revenue from victims. Others, like FIN12, opt for high-velocity attacks, just encrypting data but hitting multiple targets quickly.

The need for speed when fighting ransomware

This range of tactics, techniques, and procedures (TTPs) make ransomware unpredictable. Darktrace believes the problem is so bad that it is no longer possible to manage at human scale. The novelty and speed of modern ransomware requires an AI approach, it says.

"Unfortunately most companies are still not very good at defending themselves in 2021," Heinemeyer says. "Even if you're a major company with all the budget in the world, it might not be enough to defend against ransomware actors."

A more complex ransomware landscape isn't the only problem for defenders. The other issue is complexity in IT, thanks to the dissolution of the network perimeter. With assets now located in the cloud and in remote offices and homes, the traditional ring of iron that used to define the network's edge is becoming less relevant. Instead, companies must protect everything, everywhere.

The other problem is a lack of resources. Attackers often hit out of hours or just before a major holiday, as was the case with the ransomware attack on remote monitoring service provider Kaseya. The attack, by the REvil group, surfaced on July 2, just before the July 4 long weekend when many people would have been away.

It's difficult enough to respond to ransomware quickly, and even more so when you're running your security operations centre (SOC) on a skeleton crew. Wait - you do have a SOC, right? Colin in IT isn't handling this all on his own?

AI that teaches itself to fight ransomware

These weaknesses in human defences are a primary reason for the introduction of AI into cybersecurity defences. Darktrace fights ransomware using what it calls 'Self-Learning AI'.

The company likens its Antigena AI product to a digital immune system, which works like the human body. Like the antibodies in your bloodstream, it recognises what's normal, and works constantly to maintain that state. To do that, it detects behaviour on your network that deviates from a normal baseline and addresses it.

Heinemeyer explains why this is useful in a ransomware scenario. With an attack landscape that is so chaotic, fast-moving, and volatile, it's difficult to rely just on known software signatures and network traffic patterns to spot likely attacks. Similarly, responding to these static patterns with predefined rules is ineffective because it doesn't address new, evolving TTPs. He says that the company's AI enables companies to spot novel, never-before-seen strains of ransomware.

Fighting ransomware in practice

So, what does it look like in practice? How does AI interrupt a ransomware attack in the real world?

"The only thing you can do to stop ransomware actors from being successful is detect them early when they're trying to get a foothold," he says. Ideally, this happens before the ransomware infection happens. Darktrace scans emails - one of the most popular delivery channels for ransomware - to detect abnormal patterns.

If companies opted not to use Darktrace for pre-infection detection, then the next-best approach is to detect existing compromise as quickly as possible. The product will pick up unusual communications that normally occur when a compromised endpoint beacons for other computers to infect.

This is what happened when ransomware attackers targeted a Darktrace client in the electronics manufacturing industry. Antigena, which was not using the product to detect the initial stages of an attack, still spotted the infected client beaconing abnormally over SMB. That meant an encryption attack was in progress.

Autonomous response

In this case, the company had chosen to activate Darktrace's autonomous response capability. Heinemeyer distinguishes this from automated responses, which rely on predefined actions and are always based on human input.

"The autonomous response will take action by integrating with existing controls like firewalls or network access controls, or using methods native to Darktrace, or take an EDR-related action," he says. "But the logic behind the action, the decision making about what action to take, all comes from Darktrace."

Those AI-powered decisions focus on restoring normality to the system. They will escalate over time based on behaviour that the software sees, all the way up to quarantining a device. This allows the software to take appropriately aggressive action at machine speed without affecting the user experience any more than necessary, he adds.

In the electronics manufacturer's case, Antigena immediately blocked anomalous connections from the infected device, stopping it from encrypting most of the files on the network. It then quarantined the rogue device for 24 hours, containing the attack and giving the security team the chance to take further action.

Fighting future ransomware

Unfortunately, cybersecurity is a game of constant catch-up. If defenders are using automation, then you can be sure that attackers will follow. Those attacks might begin with automated rules-based attacks but are likely to expand into AI-based attacks as sophisticated attack groups gain those capabilities. That could include everything from using AI to write more effective phishing emails for ransomware delivery, through to supervised learning algorithms to identify defence mechanisms on a network and route around them.

"Is it the most pressing priority for cyber defenders right now? Probably not. But it is something that they should think about because it will be a paradigm shift in the future," warns Heinemeyer. "Once attackers start to embrace even more automation than they do already, there's almost no way around using defensive AI."

Ransomware will eventually give way to some new form of cybercrime that attackers haven't thought of yet, but there's still plenty of life in this criminal model yet. Companies are not prepared for it, and attackers are constantly innovating. Heinemeyer hopes that more companies will explore Darktrace's AI capabilities, and ideally before attackers come calling rather than afterwards.

This article is sponsored by Darktrace.