4 September 2024

From days to hours. AI acts as both a catalyst and a brake for ransomware attacks



Ransomware gangs are attacking faster than ever before. The time from victim reconnaissance, to device infiltration, to data exfiltration or encryption has been reduced from days to mere hours. This accelerating trend is being fuelled by a new “assistant” – artificial intelligence (AI). However, the power of AI can also be harnessed for defence.

Ransomware, a type of malware that encrypts a victim’s data and demands a ransom to decrypt it again, is becoming more sophisticated and dangerous. “One of the most disturbing trends in ransomware attacks is the shortening of the time from victim reconnaissance, to device infiltration, to data exfiltration and encryption. Whereas previously this process took days, nowadays it can happen within a few hours,” says Petr Kocmich, Global Cyber Security Delivery Manager.

This gives companies less time to respond and increases the likelihood that they will pay a ransom to restore access to their data. In many cases, data is encrypted within 24 hours of the initial breach. In 2022, according to Petr Kocmich, the same process took at least five days, giving companies’ security mechanisms much more time to detect and report suspicious activities or attacks.

Manual work is a thing of the past

It is almost paradoxical, but the reason for such rapid development is the increasing level of corporate cybersecurity. Attackers know they must act in shorter time frames to avoid detection. Many companies use MDR and EDR protection (Managed Detection and Response and Endpoint Detection and Response) and are thus better prepared for an attack.

MDR and EDR are cybersecurity technologies that enable companies to monitor and respond to cyber threats at endpoints such as laptops, desktops, mobile devices and servers. EDR systems collect and analyse data from these endpoints in real time to identify suspicious activity that could indicate a cyber attack. Attackers are trying to adapt to this trend, which is why they are conducting their malicious activities more quickly and efficiently. “In the past, ransomware attackers had to do a lot of manual work. For example, they had to manually run commands and scripts, analyse network settings, and look for vulnerabilities. This was a time-consuming process that risked exposure. Thanks to automation, various tools, online communities, and artificial intelligence, attackers now have unprecedented opportunities,” explains Petr Kocmich.

The trend is to automate attack tasks

Attackers can use AI to automate tasks, both in scanning networks for vulnerabilities and in performing brute-force attacks, allowing them to execute more attacks in less time and with less effort.

Moreover, artificial intelligence can analyse large volumes of data to identify the most suitable targets for ransomware attacks. It can also be used to develop malware that is better at bypassing security systems. Additionally, AI can be employed to create personalised phishing emails or social engineering tools. These are then used to launch attacks that are more likely to overcome victims’ vigilance, leading to the disclosure of sensitive information or the installation of malware.

Using AI for protection

While artificial intelligence acts as a catalyst for ransomware attacks, it can also help prevent them. Modern anomaly detection solutions use artificial intelligence to analyse network traffic and user behaviour and to detect deviations from normal patterns that could indicate an attack. This technology enables early detection of suspicious activity, even when attackers use sophisticated methods to bypass traditional security systems.

AI can also be used to encrypt and protect data against unauthorised access, even when attackers manage to penetrate the network. AI-powered data management systems can automatically identify and classify sensitive data and implement appropriate security measures. “Cyber attack simulation solutions allow organisations to test their defence systems and identify vulnerabilities in a real-world environment,” adds Petr Kocmich.

Artificial intelligence can be used to simulate complex and sophisticated attacks, allowing companies to be better prepared for real threats. In the event of a ransomware attack, AI can be used to analyse the data and identify the sources of the attack and the methods used. This helps companies better understand the threat and take steps to prevent future attacks.

A good servant, a bad master

The misuse of artificial intelligence by ransomware gangs is a complex and dynamic threat that requires constant improvement and the adaptation of security strategies. “Artificial intelligence is a tool that can be used for both beneficial and harmful goals and purposes. The future of cybersecurity, therefore, depends on AI being developed and used responsibly,” concludes Petr Kocmich.
