Ransomware continues to be a scourge for organizations worldwide, with the number of attacks increasing by 64% in 2021, according to one of our studies, heavily targeting municipalities, health care, education, and other businesses. These attacks can cripple day-to-day operations, sow chaos and result in financial losses from downtime, ransom payments, and recovery costs — unbudgeted and unanticipated expenses that can bring down large organizations.
Ransomware even has the power to take down entire countries. The government of Costa Rica is locked in a struggle with Conti, a ransomware gang with ties to Russia that is demanding a $20 million payout. And Lincoln College — a 157-year-old institution in Illinois — had to shut its doors earlier this year because of the devastating impact of a ransomware attack.
Not all is lost, however. As ransomware becomes even more disruptive and pervasive, advances in machine learning (ML) and artificial intelligence (AI) may hold the key to more effective ransomware defense.
Ransomware protection starts with email
While ransomware can be delivered through just about any threat vector, most attacks are conducted through email. This is understandable, as email is the most commonly used communication method for connecting with entities outside the organization, such as customers and partners. Coupled with the fact that users are typically an organization’s weakest link in the security chain, it is easy to see how email presents an enticing back door for threat actors to gain initial access and control over the corporate network. A single click by a single user can be enough to compromise the network and deliver a devastating ransomware payload.
It is true that email platforms such as Microsoft 365 and Gmail offer a wide set of security capabilities. But recent attacks have shown that the native security features in these email gateway solutions are rife with weaknesses that malicious actors will exploit. Using highly evasive techniques such as brand impersonation, Legacy URL Reputation Evasion (LURE), HTML smuggling, and code obfuscation, attackers can trick security filters into treating malicious links and compromised files as legitimate business communications.
If increased sophistication was not enough, ransomware-as-a-service attacks have led to the outsourced development of ransomware payloads. This allows anyone with a credit card and a bone to pick to purchase malicious code on the dark web that will allow them to access and take over a remote system. And that is not all. Payouts continue to grow exponentially, posing an increasingly destructive impact on organizations’ finances. The average ransom demand per incident is now more than $10 million, while 30% of demands in 2021 were more than $30 million, according to our study mentioned above.
AI/ML provides an intriguing solution
Plenty of security tools can help clean up a ransomware attack after the damage has been done. Given the financial and reputational risks caused by ransomware attacks, organizations need a solution that can stop ransomware attacks before they occur. Fortunately, AI/ML-powered solutions can identify and intercept various forms of ransomware attacks before they reach the end user. Continuously trained in real time as new threats are discovered, these solutions identify email messages that come from a fraudulent domain or that show anomalous communication patterns in an attempt to spoof a legitimate sender. Once identified, the message is moved into a quarantine folder for further inspection.
But not all ransomware prevention solutions are created equal. Here are three things security teams should look for in email security solutions powered by AI/ML:
1. API integration into your email provider
Understandably, email providers are focused on email, not security. It is their core business, after all. Keeping up with the latest security threats, MITRE ATT&CK framework techniques, and ransomware trends is time-consuming and expensive. Make sure you rely on a third-party email security solution built and maintained by developers who are 100 percent focused on protecting your business. Seamless API integration between your email provider and email security solution provides visibility into internal, external, and historical email communication for every individual in the organization. This is critical data that AI can use to learn communication patterns within the company, between employees, and with known and unknown outside entities.
2. Intelligent identification of impersonation attempts
Complete protection depends on your solution’s ability to identify people who aren’t who they say they are. Your AI/ML-powered solution should be able to use metadata from internal, external, and historical emails to create an identity graph for each user. Made up of email addresses, document types, names used, natural language processing (NLP) features, and other characteristics that define the unique communication patterns of an individual, these learned patterns allow solutions to identify behavioral, content, and link-forwarding anomalies.
3. Real-time remediation before users interact
When it comes to ransomware, speed is crucial. Your email security solution must identify and quarantine threats before it is too late. AI/ML allows you to act faster than humans can, removing threats from the inbox before the user can interact with the message. Remediation should be done in real time, with notification alerts sent to both users and IT administrators.
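To make points 2 and 3 concrete, here is an added example (not Barracuda's product code) of the kind of per-sender identity baseline an email security tool can learn from historical message metadata, and how an inbound message is scored and quarantined before delivery. All names, domains and message records below are constructed; the anomaly rules are deliberately simple illustrations of the behavioral, content and link/reply-path checks described above.

```python
"""Sender-identity baseline and impersonation scoring (added example, constructed data)."""
from collections import defaultdict

# Constructed sample of historical message metadata (hypothetical people and domains).
HISTORY = [
    {"name": "Alice Chen", "addr": "alice.chen@example.com", "reply_to": "alice.chen@example.com", "att": "pdf"},
    {"name": "Alice Chen", "addr": "alice.chen@example.com", "reply_to": "alice.chen@example.com", "att": None},
    {"name": "Bob Patel", "addr": "bob@partner.example", "reply_to": "bob@partner.example", "att": "xlsx"},
]

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike domains (examp1e.com vs example.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def build_profiles(history):
    """Per display-name identity profile: addresses, reply-to addresses and attachment types seen."""
    profiles = defaultdict(lambda: {"addrs": set(), "reply_to": set(), "atts": set()})
    for m in history:
        p = profiles[m["name"].lower()]
        p["addrs"].add(m["addr"].lower())
        p["reply_to"].add(m["reply_to"].lower())
        if m["att"]:
            p["atts"].add(m["att"].lower())
    return profiles

def score(profiles, msg):
    """Return the list of anomaly reasons for one inbound message against the learned profiles."""
    reasons = []
    p = profiles.get(msg["name"].lower())           # None for a never-seen display name
    addr, rt = msg["addr"].lower(), msg["reply_to"].lower()
    known = {domain(a) for q in profiles.values() for a in q["addrs"]}
    if p and addr not in p["addrs"]:
        reasons.append("display-name reuse from unknown address")
    if domain(addr) not in known and any(0 < edit_distance(domain(addr), d) <= 2 for d in known):
        reasons.append("lookalike domain")
    if domain(rt) != domain(addr):
        reasons.append("reply-to domain mismatch")
    if p and msg["att"] and msg["att"].lower() not in p["atts"]:  # real tools require a minimum history first
        reasons.append("attachment type never seen from this sender")
    return reasons

def triage(profiles, msg):
    """Quarantine before the user sees the message when any anomaly fires; otherwise deliver."""
    reasons = score(profiles, msg)
    return ("quarantine" if reasons else "deliver"), reasons
```

An unknown sender with no anomalies is delivered rather than flagged, which is why the baseline must be built from the full internal, external and historical mail that API integration exposes.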
Proactive, preventative email security is the key to stopping ransomware
Ransomware is growing more sophisticated, more common, and less expensive to launch while payouts continue to soar. Stopping these evasive threats requires proactive, preventative email security powered by AI/ML. Seamlessly integrated with your email provider, these solutions automatically identify impersonation attempts based on real-time behavioral analytics and remove even the most sophisticated and evasive ransomware attempts before unsuspecting users have a chance to interact with the emails. Automation powered by AI/ML can prevent these attacks at scale before they gain initial access and control over your most critical business systems.
This article first appeared on Spiceworks.com.
Fleming Shi is Chief Technology Officer at Barracuda, where he leads the company’s threat research and innovation engineering teams in building future technology platforms. He has more than 20 patents granted or pending in network and content security. Connect with him on LinkedIn.