The Evolving Threat of Ransomware — A Call to Action for Cybersecurity

In the ever-evolving landscape of cybersecurity, the specter of ransomware looms larger than ever before. Once considered merely an IT issue, ransomware has since evolved into a pervasive threat, affecting individuals, businesses and governments alike. The sophistication of ransomware actors continues to grow, posing significant challenges for defenders.

As a senior consulting director of Unit 42, the threat intelligence and incident response division of Palo Alto Networks, I have a unique perspective into the myriad ways in which our daily lives are affected by malicious cyber attacks and ransomware. Just yesterday, I had the opportunity to testify before the House Financial Services Subcommittee on National Security, Illicit Finance and International Financial Institutions, and bring that insight to bear. I outlined key steps for lawmakers that any organization can, and should, take to harden their defenses today.

Rising Sophistication of Ransomware Actors

The ransomware landscape is characterized by a constant arms race between attackers and defenders. Adversaries are not only enhancing their techniques but also diversifying their tactics to maximize the effectiveness of their attacks. In 2023, Unit 42 observed an average ransom demand of $4 million per attack, with peaks reaching as high as $35 million. A recent Ransomware and Extortion Report from Unit 42 shed light on alarming trends, including an increase in harassment activity, multi-extortion techniques and the evolution of attack vectors for initial compromise.

Not surprisingly, we are seeing the integration of artificial intelligence (AI) into ransomware operations. Cybercriminals are leveraging AI to amplify social engineering attacks, making phishing emails and voice calls more convincing and harder to detect. Moreover, AI enables attackers to accelerate and scale their assaults, identifying vulnerabilities and critical assets with unprecedented speed and efficiency.

The Multi-Faceted Nature of Ransomware Extortion & Attack Surface Vulnerabilities

Ransomware actors are no longer satisfied by simply encrypting data and demanding payments. They have adopted multi-extortion tactics, threatening to leak stolen data to the dark web if ransom demands are not met. This multifaceted approach significantly raises the stakes for victims, increasing the likelihood of payment and exacerbating the impact of attacks.

Despite the heightened threat, many organizations still remain vulnerable to ransomware attacks due to exposure on their internet-facing attack surfaces. We continue to observe a high prevalence of poor configurations around a remote access method called Remote Desktop Protocol (RDP), a prime target for ransomware attacks. While RDP provides the ability to work from anywhere, if not properly configured and controlled, this protocol can grant adversaries extensive access to administrative privileges within a network, thereby amplifying the potential impact of a network intrusion.

RDP misconfigurations make up 20% of all the exposures we observe on the public-facing internet, according to our annual attack surface threat report. Additionally, over 85% of organizations we observed with these exposures left them unaddressed for at least 25% of a typical month.

The Importance of Embracing AI for Cyber Resilience

In the face of a ransomware attack, rapid and effective incident response is paramount. Organizations must have the capability to detect intrusions promptly, contain the threat, and recover operations swiftly.

Giving defenders the upper hand requires a new approach that leverages AI-driven SOCs. Leveraging AI and automation can significantly enhance incident response efforts, enabling defenders to mitigate threats with unprecedented speed and accuracy. This technology will be a force multiplier for our cybersecurity professionals and substantially reduce detection and response times.

Early results from deploying this technology on our own company networks have been particularly promising. On average, we ingest 36 billion events daily and use AI-driven data analysis to automatically triage that number down to just eight that require manual analysis. In addition, we have reduced our Mean Time to Detect to just 10 seconds and our Mean Time to Respond to just one minute for high priority alerts.

Initial customer benefits have been similarly encouraging. We have already seen a reduction in mean response times from weeks and days to hours and minutes. Such a reduction is critical for minimizing the impact of an incident and to stopping ransomware threat actors before they can encrypt systems or steal sensitive information. This tool has dramatically improved incident close-out rates from 20% pre-deployment to 100% post-deployment.

A Unified Approach to Cyber Defense

On a tactical level, we recommend organizations focus on the following actions to increase their cyber resilience to ransomware attacks and other cyber threats:

1. Maintain an incident response plan.
2. Ensure complete visibility of attack surfaces.
3. Leverage the power of AI and automation to modernize security operations and reduce the burden on overworked analysts.
4. Implement enterprise-wide Zero Trust network architecture.
5. Protect cloud infrastructure and applications.

The fight against ransomware requires a collaborative approach, involving stakeholders from the public and private sectors. Partnerships between industry, government and civil society play a crucial role in sharing threat intelligence and fostering innovation in cybersecurity. That spirit of partnership in the cybersecurity community – the notion that we are all in this together – must remain in our collective DNA.

Helping organizations bounce back in times of need, to bolster the resilience of their digital infrastructure, is an extremely rewarding line of work. We appreciate the interest from the U.S. Congress in this critical issue.

Learn more about the ransomware hearing and view the full testimony.