IT Brief New Zealand - Technology news for CIOs & IT decision-makers
Reported ransomware attacks double as AI tactics take hold
Thu, 10th Aug 2023

In 2023, artificial intelligence and generative AI have dominated headlines, and their impact is starting to make its mark on ransomware attacks ― for example with AI-enhanced phishing attacks to gain access to target networks and AI-powered automation for greater reach. 

According to Fleming Shi, Chief Technology Officer at Barracuda, that has helped drive ransomware to new heights over the last 12 months, and the frequency of ransomware attacks continues to climb with no sign of slowing down.

"We believe that despite the enduring success of traditional attack methods throughout 2023 and beyond, attackers will look to generative AI to craft increasingly effective attacks," Shi says.

"Our researchers analysed 175 publicly reported successful ransomware attacks across the world between August 2022 and July 2023, and in the primary categories we have been tracking — municipalities, healthcare and education — the number of reported attacks have all doubled since last year and more than quadrupled since 2021," he says.

[Figure: Ransomware attacks by focused industry, 2021 to 2023]

While attacks targeting infrastructure-related industries are lower in volume compared to the top three sectors, this sector also experienced more than twice the number of attacks compared to last year. 

Municipalities and education continue to be soft targets because they are resource constrained, and successful healthcare and infrastructure attacks have an immediate and potentially severe impact on human lives, which cybercriminals try to exploit to increase the likelihood of getting paid. 

In many countries, one or more of these sectors may be legally obligated to report cybersecurity incidents, which makes the impact more visible as well. 

[Figure: Ransomware attacks by focused industry]

The proportion of ransomware attacks increased year over year across all five focus industries except financial organisations. 

Attacks on municipalities increased from 12% to 21%; attacks on healthcare increased from 12% to 18%; attacks on education went up from 15% to 18%; and infrastructure went from 8% to 10%. 

In comparison, attacks on financial institutions dropped from 6% to 1%, perhaps a sign these organisations are getting better at protecting themselves.   

"Our analysis of ransomware attacks on other industries showed similar patterns of escalation over the past two years, even though the volume of publicly reported attacks is lower than the top three sectors," says Shi.

[Figure: Ransomware attacks in other industries, 2021 to 2023]

In particular, ransomware attacks on software businesses have increased, and because software runs most businesses, such software-supply chain attacks could be the source for attacks in other industries. Manufacturing, media, and retail have also gone up year over year. 

[Figure: Ransomware attacks in other industries]

The impact of generative AI tactics on ransomware attacks
"Another important development in the past year is the rise of generative AI, which you can bet attackers are using to create well-crafted phishing emails," Shi says. 

"Using generative AI’s writing capabilities, cyber attackers, including those looking to launch ransomware, can now strike faster with better accuracy, as the spelling errors and grammar issues in phishing emails are more easily eliminated, making attacks more evasive and convincing," he says.

"For years, everyone has been trained to spot email attacks by looking for bad grammar and spelling mistakes, a deficiency that is likely nonexistent today given what attackers can create using generative pre-trained language models, and in some cases, in different spoken languages, even using automated scans of social media to make attacks more customised."

Shi says security researchers are already showing how attackers can use the code-generation capabilities of generative AI to write malicious code for exploiting software vulnerabilities.

"With these changes, the skill required to start a ransomware attack could be reduced to constructing a malicious AI prompt and having access to ransomware-as-a-service tools, leading to a whole new wave of attacks."

Insights from the Barracuda SOC
"While the volume of publicly reported ransomware attacks has doubled in some industries, you can be sure the volume of unreported attacks has also increased dramatically," Shi says. 

"Looking at cyberattacks overall through the lens of Barracuda’s SOC-as-a-service, in the last 12 months, we have observed the following types of incidents: business email compromise (BEC), ransomware, malware infection, insider threat, identity theft, and data leakage. 

"The sample size is small because the overwhelming majority of attacks are stopped before they become incidents, but there are still some interesting insights about how attacks progress."

Shi says BEC was the most common incident type. 

"However, BEC can lead to identity theft and malware infection, which then leads to ransomware and ultimately data leakage as bad actors find ways to exfiltrate data," he says.

[Figure: Barracuda SOC incident response by attack type]

"So, what the chart is really telling us is where the attacks have been caught, and it’s encouraging to see steps have been taken to detect and block attacks at the BEC phase of the incident," Shi says. 

"If you are unable to detect and prevent an attack before it breaches the network, then responding early in the cyber kill chain will lead to reduced exposure and damage."

According to Shi, BEC usually draws victims to respond and leak more data or take actions that will advance the attack to the right side of the MITRE ATT&CK framework.

If undetected, the next phase of the attack could be malware infection or identity theft where attackers may be quietly and laterally moving within the victim’s network, taking data and planting seeds for the next wave of attacks.

"Therefore, we continue to emphasise the need to use tools like XDR to eliminate and eradicate attackers as soon as you have email security signals, especially BEC and account takeover events," he says. 

"Barracuda is a major contributor to the Open Cybersecurity Schema Framework for that reason. We are publishing our email threat signals in OCSF format, so our customers and partners can instrument responses to short-circuit the cyber kill chain."

For example, several of the conversation hijacking attacks leading to BEC that researchers have seen are due to large quantities of emails stolen in 2021, attributed to the ProxyLogon vulnerability (CVE-2021-26855) in Exchange.

Shi says attackers are now reviving those conversations and mounting new impersonation attacks by replying to the parties involved. 

"Taking advantage of misconfigured DMARC settings or simply using typo-squatted domains that look like the actual domain, attackers can send spear-phishing emails to the recipients of those stolen email conversations from two years ago," he says.

"This exploits the weakness in human behaviour where we trust the conversation instead of revalidating the email’s origin, and it can lead to getting hit with ransomware and a data breach at the organisational level.  

"Our researchers are also seeing many incidents where under-resourced organisations seem to fall victim to ransomware multiple times because their business continuity and disaster recovery plans are far behind," Shi says. 

"We have seen attackers going after backup systems especially if they are hosted in the same domain and run as virtual systems. As we know, many hypervisors or container hosts have vulnerabilities that expose the resources, so attackers can bring them down. The technique in MITRE is called “Escape to Host,” and it’s been used by cybercriminals to disrupt victims’ ability to recover without paying the ransom."
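
The origin revalidation that the conversation-hijacking passage above calls for, as an added example (not code from the article or from Barracuda): for a message that claims to continue a thread, it checks whether the sender domain is a near miss of a known correspondent and whether the receiving mail server recorded a DMARC pass. The domain list, the authserv-id `mx.example.com` and the sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example (not from the article):
KNOWN_DOMAINS = ("example.com", "partner-corp.example")  # existing correspondents
TRUSTED_AUTHSERV = "mx.example.com"  # our own MTA's authserv-id (RFC 8601)

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss (typo-squatted) domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def dmarc_result(msg):
    """DMARC verdict, read only from headers stamped by our own MTA."""
    for header in msg.get_all("Authentication-Results", []):
        parts = [p.strip().lower() for p in header.split(";")]
        if parts[0] != TRUSTED_AUTHSERV:
            continue  # header supplied by the sender, not by us: ignore it
        for part in parts[1:]:
            if part.startswith("dmarc="):
                return (part[6:].split() or ["none"])[0]
    return "none"

def assess_reply(raw):
    """Return findings for a message that claims to continue a thread."""
    msg = message_from_string(raw)
    if not (msg.get("In-Reply-To") or msg.get("References")):
        return []  # not a thread reply; out of scope for this check
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    findings = []
    if domain not in KNOWN_DOMAINS:
        near = [k for k in KNOWN_DOMAINS if edit_distance(domain, k) <= 2]
        findings.append(f"lookalike:{near[0]}" if near else "unknown-domain")
    if dmarc_result(msg) != "pass":
        findings.append("dmarc-not-pass")
    return findings

def sample(from_domain, auth):  # builds a constructed test message
    return (f"From: Alice <alice@{from_domain}>\nTo: bob@example.com\n"
            "Subject: Re: Invoice\nIn-Reply-To: <m1@example.com>\n"
            f"Authentication-Results: {auth}\n\nPlease use the new account.\n")

LEGIT = sample("partner-corp.example", "mx.example.com; dmarc=pass")
SQUAT = sample("partner-c0rp.example", "mx.example.com; dmarc=pass")
SPOOF = sample("partner-corp.example", "mx.example.com; spf=fail; dmarc=fail")
FORGED = sample("partner-corp.example", "evil.invalid; dmarc=pass")
```

A typo-squatted domain can pass DMARC for itself, which is why the lookalike check is kept separate from the DMARC verdict.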