In 2023, artificial intelligence and generative AI have dominated headlines, and their impact is starting to make its mark on ransomware attacks, for example through AI-enhanced phishing attacks used to gain access to target networks and AI-powered automation that gives attackers greater reach. Over the last 12 months, that has helped drive ransomware to new heights, as the frequency of ransomware attacks continues to climb with no sign of slowing down. We believe that, despite the enduring success of traditional attack methods throughout 2023 and beyond, attackers will look to generative AI to craft increasingly effective attacks.
Our researchers analyzed 175 publicly reported successful ransomware attacks across the world between August 2022 and July 2023. In the primary categories we have been tracking (municipalities, healthcare and education), the number of reported attacks has doubled since last year and more than quadrupled since 2021.
The proportion of ransomware attacks increased year over year across all five focus industries except financial organizations. Attacks on municipalities increased from 12% to 21%; attacks on healthcare increased from 12% to 18%; attacks on education went up from 15% to 18%; and infrastructure went from 8% to 10%. In comparison, attacks on financial institutions dropped from 6% to 1%, perhaps a sign these organizations are getting better at protecting themselves.
Our analysis of ransomware attacks on other industries showed similar patterns of escalation over the past two years, even though the volume of publicly reported attacks is lower than for the top three sectors.
The impact of generative AI tactics on ransomware attacks
Another important development in the past year is the rise of generative AI, which you can bet attackers are using to create well-crafted phishing emails. Using generative AI’s writing capabilities, cyberattackers, including those looking to launch ransomware, can now strike faster and with better accuracy: the spelling errors and grammar issues that once gave phishing emails away are easily eliminated, making attacks more evasive and convincing.
For years, everyone has been trained to spot email attacks by looking for bad grammar and spelling mistakes. That deficiency is likely nonexistent today, given what attackers can create using generative pretrained language models, in some cases in several spoken languages, and even using automated scans of social media to make attacks more customized.
Security researchers are already showing how attackers can use the code-generation capabilities of generative AI to write malicious code for exploiting software vulnerabilities.
With these changes, the skill required to start a ransomware attack could be reduced to constructing a malicious AI prompt and having access to ransomware-as-a-service tools, leading to a whole new wave of attacks.
Insights from the Barracuda SOC
While the volume of publicly reported ransomware attacks has doubled in some industries, you can be sure the volume of unreported attacks has also increased dramatically. Looking at cyberattacks overall through the lens of Barracuda’s SOC-as-a-service, in the last 12 months we have observed the following types of incidents: business email compromise (BEC), ransomware, malware infection, insider threat, identity theft, and data leakage. Although the sample size is small, because the overwhelming majority of attacks are stopped before they become incidents, there are still some interesting insights about how attacks progress.
BEC was the most common incident type. However, BEC can lead to identity theft and malware infection, which then leads to ransomware and ultimately data leakage as bad actors find ways to exfiltrate data.
So, what the chart is really telling us is where the attacks have been caught, and it’s encouraging to see steps have been taken to detect and block attacks at the BEC phase of the incident. If you are unable to detect and prevent an attack before it breaches the network, then responding early in the cyber kill chain will lead to reduced exposure and damage. Looking at the chart, one can spot the relationships between these incidents. Let’s take a closer look.
BEC usually draws victims to respond and leak more data or take actions that will advance the attack to the right side of the MITRE ATT&CK framework. If undetected, the next phase of the attack could be malware infection or identity theft, where attackers may be quietly moving laterally within the victim’s network, taking data and planting seeds for the next wave of attacks.
Therefore, we continue to emphasize the need to use tools like XDR to eliminate and eradicate attackers as soon as you have email security signals, especially BEC and account takeover events. Barracuda is a major contributor to the Open Cybersecurity Schema Framework for that reason. We are publishing our email threat signals in OCSF format, so our customers and partners can instrument responses to short-circuit the cyber kill chain.
For example, several conversation hijacking attacks our researchers have seen that lead to BEC are due to large quantities of emails that were stolen in 2021 in attacks attributed to the ProxyLogon vulnerability, CVE-2021-26855, in Exchange. Attackers are now reviving those conversations and mounting new impersonation attacks by replying to the parties involved. Taking advantage of misconfigured DMARC settings, or simply using typo-squatted domains that look like the actual domain, attackers can send spear-phishing emails to the recipients of those stolen email conversations from two years ago. This exploits a weakness in human behavior: we trust the conversation instead of revalidating the email’s origin, and it can lead to getting hit with ransomware and a data breach at the organizational level.
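To make the “revalidate the email’s origin” point concrete, here is an added example (not code from Barracuda or the original post) of a gateway-side check that flags a reply to an existing thread when its sender domain is a look-alike of a legitimate participant domain, or when the message lacks a DMARC pass. The participant domains, the two sample messages and the distance threshold are assumptions constructed for the example.

```python
import email
import email.utils
import re
from email import policy

# Legitimate participants of the original conversation (assumed for this example).
KNOWN_DOMAINS = {"example.com", "partner-corp.com"}

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch typo-squatted look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(msg) -> str:
    addr = email.utils.parseaddr(str(msg.get("From", "")))[1]
    return addr.rsplit("@", 1)[-1].lower()

def dmarc_passed(msg) -> bool:
    """True only if an Authentication-Results header reports dmarc=pass."""
    return any(re.search(r"\bdmarc=pass\b", str(v))
               for v in msg.get_all("Authentication-Results", []))

def assess_reply(raw: str) -> list:
    """Return the reasons a reply looks like conversation hijacking (empty = clean)."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    dom = sender_domain(msg)
    # Only replies to an existing thread inherit the thread's trust, so check those.
    if (msg.get("In-Reply-To") or msg.get("References")) and dom not in KNOWN_DOMAINS:
        near = [k for k in sorted(KNOWN_DOMAINS) if levenshtein(dom, k) <= 2]
        if near:
            reasons.append(f"look-alike domain {dom} resembles {near[0]}")
        else:
            reasons.append(f"reply from unknown domain {dom}")
    if not dmarc_passed(msg):
        reasons.append("no dmarc=pass in Authentication-Results")
    return reasons

# Constructed samples: a reply to an old thread from a typo-squatted domain, and a clean one.
SUSPECT = """From: Alice <alice@examp1e.com>
To: bob@partner-corp.com
In-Reply-To: <old-thread-2021@example.com>
Authentication-Results: mx.partner-corp.com; spf=pass; dmarc=none

Please see the updated invoice."""
LEGIT = SUSPECT.replace("examp1e.com", "example.com").replace("dmarc=none", "dmarc=pass")
```

In production the known-domain set would come from the thread’s own To/Cc history rather than a constant, and the distance check should be paired with a homoglyph map for non-ASCII look-alikes.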
Our researchers are also seeing many incidents where under-resourced organizations seem to fall victim to ransomware multiple times because their business continuity and disaster recovery plans are far behind. We have seen attackers going after backup systems especially if they are hosted in the same domain and run as virtual systems. As we know, many hypervisors or container hosts have vulnerabilities that expose the resources, so attackers can bring them down. The technique in MITRE is called “Escape to Host,” and it’s been used by cybercriminals to disrupt victims’ ability to recover without paying the ransom.
Best practices that can build resilience against unrelenting ransomware attacks
Detection and prevention
The priority should be to have measures and tools in place to detect and prevent a successful attack in the first place.
In today’s rapidly evolving threat landscape, this means implementing deep, multilayered security technologies, including AI-powered email protection and Zero Trust access measures, application security, threat hunting, XDR capabilities, and effective incident response to spot intruders and close gaps so that attackers cannot easily find their way in to install backdoors, steal, or encrypt data.
But according to our 2023 ransomware insights market report earlier this year, 73% of organizations have experienced a successful ransomware attack, so it’s just as important to be resilient and able to recover from an attack.
Resilience and recovery
Even with limited resources, you can still be effective in recovering from ransomware attacks. First, you should expect the attackers to go after business continuity and disaster recovery-related infrastructure, including backup systems. We have seen many incidents where the attacker will not demand a ransom until they are fully assured the victim has limited capability for recovery. Here are some tips on how to be prepared for these attacks.
1. The main attack surfaces for the backup solution are the UI and the storage, so you should:
- Segment and isolate backup systems
- Use a different user store (e.g., a separate Active Directory or LDAP directory), preferably with zero social network presence
- Use stronger multifactor authentication (MFA) mechanisms instead of push notifications, which attackers can flood with volumetric attempts to cause MFA fatigue. Move to Zero-Trust-based authentication with passwordless capabilities, such as biometrics on authorized devices, for user interface authentication
- Use encryption and do not use shared storage with any other workload
2. If backup policies and recovery process documentation are exposed, attackers will use them against the victims to make sure that recovery is impossible without paying the ransom.
- Protect the policies and documentation with encryption and only allow privileged access
- Keep your policies and disaster recovery process documentation in another form factor, including printed and physically distributed versions
3. Separate your storage from your admin’s typical operational environment and create an air gap if you can do it safely. Cloud is the best option in this case, but you must consider the fact that the internet gets congested, and disaster recovery runs will not be fast. Other ways to secure your backups worth mentioning:
- Use Zero Trust for access to your backup solution
- Reduce access using role-based access control
- Implement immutable file storage
- Avoid “network sharing” for your backup environment
- Use a purpose-built, fully integrated solution so software/hardware are together
4. Virtual machine hypervisors, unfortunately, are additional attack surfaces that bad actors can use to infiltrate the backup solution, so we still recommend using a designated backup appliance solution when the recovery time objective (RTO) is aggressive. DIY is a terrible idea when it comes to disaster recovery tooling.
5. Don’t forget about secure backup for data stored in the cloud. For example, in your Microsoft 365 accounts and other SaaS applications registered under Azure AD, you will find essential data assets that require continuous data classification, access control, and a strategy for true data protection.
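The MFA-fatigue risk in tip 1 is detectable before a user gives in: a burst of push prompts to one account, followed by an approval, is the signature. The following is an added example (not Barracuda’s code) of that detection run over identity-provider log lines; the line format, the window, the threshold and the log lines themselves are assumptions constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # sliding window per user (assumed)
THRESHOLD = 5                    # pushes in WINDOW that count as a burst (assumed)

def parse(line: str):
    """Assumed export format: '<ISO timestamp> user=<name> event=<push_sent|push_denied|push_approved>'."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts), fields["user"], fields["event"]

def detect_push_bombing(lines):
    """Return (user, alert_kind, pushes_in_window) tuples.
    'push_burst' fires once as a user's prompts cross THRESHOLD inside WINDOW;
    'approved_after_burst' fires if the user approves while still inside that burst,
    which is the fatigued accept an analyst should treat as a likely account takeover."""
    recent = defaultdict(deque)
    alerts = []
    for line in lines:
        ts, user, event = parse(line)
        q = recent[user]
        while q and ts - q[0] > WINDOW:       # drop prompts that fell out of the window
            q.popleft()
        if event == "push_sent":
            q.append(ts)
            if len(q) == THRESHOLD:
                alerts.append((user, "push_burst", len(q)))
        elif event == "push_approved" and len(q) >= THRESHOLD:
            alerts.append((user, "approved_after_burst", len(q)))
    return alerts

# Constructed log: bob is prompted five times in four minutes and finally approves;
# alice gets a single prompt and approves it normally.
SAMPLE_LOG = [
    "2023-08-01T02:00:00 user=bob event=push_sent",
    "2023-08-01T02:00:40 user=bob event=push_denied",
    "2023-08-01T02:01:00 user=bob event=push_sent",
    "2023-08-01T02:02:00 user=bob event=push_sent",
    "2023-08-01T02:03:00 user=bob event=push_sent",
    "2023-08-01T02:04:00 user=bob event=push_sent",
    "2023-08-01T02:04:30 user=bob event=push_approved",
    "2023-08-01T09:00:00 user=alice event=push_sent",
    "2023-08-01T09:00:20 user=alice event=push_approved",
]
```

An `approved_after_burst` alert is the one worth paging on: the session it produced should be revoked and the account moved to a phishing-resistant factor, which is the passwordless step the tip recommends.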