Putting Ransomware Gangs Out of Business With AI – DARKReading

Ransomware has become a multibillion-dollar industry, and roughly 15% of its business goes through a single group called Wizard Spider. This group who are thought to work closely with the Russian government and remain under investigation by the FBI and Interpol have used the Conti ransomware strain in more than 400 known attacks. While the media refers to the group as the "Conti Ransomware Gang," the group doesnt view itself as a gang. The group would rather be viewed as a business.

A Booming BusinessAs they become larger and more profitable, criminal groups such as Wizard Spider often mimic legitimate business practices. Victim organizations are rebranded as "customers," extortion attempts become "negotiations," and criminal peers are called "affiliates." Their dedicated site on the Dark Web even has a collection of "press releases."

The groups "business model" involves training independent affiliates in how to deploy the ransomware and then taking a 30% cut of the profits themselves. However, because exact profits are revealed to Wizard Spider and not their affiliates, this percentage is normally much higher.

One underpaid affiliate caught wind of the gangs practices in August 2021 and began leaking their resources, declaring in protest, they recruit suckers and divide the money among themselves.

Meanwhile, the US government has taken measures to obstruct groups like Wizard Spider; beginning this year it will impose sanctions on cryptocurrency exchanges facilitating ransomware transactions.

However, these setbacks havent perturbed Wizard Spider, whose profits have continued to soar. Conventional cyber defenses have consistently failed to keep up with the groups innovations in attack techniques and so the organizations that employ them remain firmly in Wizard Spiders target market.

How Wizard Spider Gets InOne of the groups recent targets was a transportation company in the US. It took a single missed Microsoft patch and resulting ProxyShell vulnerabilities to leave the company open to attack. This is a relatively new exploit for Wizard Spider, who previously relied on phishing attacks and firewall exploits.

Two weeks after the initial breach, rare connections were made to an unusual endpoint in Finland using an SSL client that appeared innocuous. The endpoint was not known to threat intelligence tools at the time, meaning rules and signature-based security tools didnt know what to detect.

Going Public With Conti NewsIf you refuse to pay its ransom, Wizard Spider will not only take your most important files from you, but the group will also exfiltrate and publish them using its dedicated "Conti News" website or sell them directly to your competitors. This is double extortion ransomware, and its the Conti gangs favorite new sales tactic.

In the transportation company's case, three terabytes of company data was uploaded over four days, and then rapidly encrypted. Encryption began at almost midnight, meaning human security teams werent available to organize a response the ransomware "business" never respects business hours. The next morning, the company was met with a ransom note.

The company was able to investigate and connect the dots of the attack using Darktraces security AI tool. The security tools natural-language report brings disparate events into a cohesive attack narrative

How Ransomware Attackers Evade Cyber IntelligenceIts all too easy for threat actors to alter the infrastructure of their attacks, and in this case something as simple as a new endpoint was enough to beat threat intelligence. This is how Wizard Spider continues to thrive, and its a problem that governmental sanctions and defecting insiders are fundamentally unable to address.

Organizations need to take matters into their own hands with a new approach. By using AI that learns what normal business operations look like, anomalous behavior that inevitably arises from a ransomware attack can be identified at every stage, even when its using never-before-seen attack methods.

And in an era of fast-moving cyberattacks and threat actors deliberately striking when security teams are out of the office, AI technologieshave become essential in taking targeted action to contain threats, without interrupting normal business.

If leaks or legislation were to bring down Wizard Spider, other groups would simply rise up to fill the gap in the market. Ultimately, ransomware must be made unprofitable if its to be stopped. One way to do that is to use AI to stopransomware attacks at every stage of their attacks, weeks before human analysts can.

Read more from the original source:

Putting Ransomware Gangs Out of Business With AI - DARKReading