Safeguarding Your Clients from Ransomware and BEC Attacks in the GenAI Era

MSPs must adopt more agile and responsive security practices, focusing on credential security and vulnerability management.

Ryan Weeks, Cybersecurity Advisor

October 9, 2024


The rapid advancement of technology has brought unprecedented benefits to businesses, but it has also given rise to new cybersecurity threats. Two of the most significant threats today are ransomware and business email compromise (BEC) attacks. With the advent of generative AI (GenAI), the ease and speed of attacks have increased, making it essential for MSPs to adopt robust strategies to safeguard their clients.

Ransomware Is Down, But Not Out

In the first quarter of 2024, Comparitech logged 142 ransomware attacks affecting 17.6 million records, a significant drop from the same period in 2023, which saw 336 attacks. Despite this decrease, ransomware combined with pure-play extortion attacks (data exfiltration followed by an extortion demand, without any encryption payload) and other forms of extortion remains a very credible threat. Cyber extortion attacks are rising at an alarming rate, so even though ransomware is allegedly on a "slow decline," you wouldn't know it.

Furthermore, more of these attacks are being targeted at small and medium-sized businesses. And, according to Accenture's Cost of Cybercrime Study, while 43% of cyberattacks target small businesses, only 14% are considered prepared, aware and capable of defending their networks and data.


The New Threat Actors On the Block

In 2023, nearly one-fifth (17%) of ransomware attacks used variants that did not exist in the previous year, according to the SANS Institute. Further, according to recent data released by Mandiant, "the proportion of new ransomware variants compared to new families has steadily increased, with around one-third of new families observed in 2023 being variants of previously identified ransomware families."

These emerging threats highlight a rapid turnover in the ransomware landscape. While LockBit, Cl0p and BlackCat continue to dominate victim counts, there is a fast cycle of newcomers becoming highly productive and seeking to lure affiliates away from established ransomware operators in hopes of gaining a higher percentage of victim market share and cybercrime profits.

Affiliates' search for lower-profile ransomware operators in the wake of law enforcement action helps give rise to new competition in the ransomware space, as can be observed in new entrants like Akira and Hunters, the latter being a rebranded version of the previously successful Hive ransomware.

Exit, Pursued by Malware

Meanwhile, ransomware operator exit scams, such as the recent BlackCat exit scam, are driving rapid change in the ransomware landscape in parallel.


Exit scams occur when a ransomware operator deceives its affiliates by keeping the full ransom payments and ceasing operations. Such practices are driving ransomware affiliates to innovate and put contingency plans in place by seeking alternate ransomware operators to partner with and testing multiple ransomware variants. Prime examples of such evolution can be observed with well-known ransomware affiliates Scattered Spider (MGM Resorts) and Notchy (Change Healthcare) migrating to a new ransomware operator known as RansomHub. RansomHub's business model allows its affiliates to collect the full ransom payment directly and then remit the required operator fee afterward.

MSPs Need to Step Up Their Patch Game

With new threat actors coming on stage, introducing never-seen-before ransomware variants, MSPs must pay close attention to lists of known exploitable vulnerabilities (KEV), such as those published by the Cybersecurity and Infrastructure Security Agency (CISA).

According to the 2024 Verizon Data Breach Investigations Report, the time from a vulnerability being listed to its active exploitation is approximately five days, highlighting the urgency of addressing these vulnerabilities. Since most organizations run patching cycles every 30-60 days, and 85% of the vulnerabilities in CISA's KEV catalog remain unremediated after 30 days, there is a significant risk exposure and a substantial attack surface.


To level up their patch management program, MSPs must prioritize patches or configuration changes related to KEV catalog vulnerabilities every week, if not sooner. Traditional patch management practices are proving inadequate against the evolving threat landscape and expose MSPs and their clients to material risks, including ransomware attacks.
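A weekly KEV-driven patch review can be automated: pull the CISA KEV feed, cross-reference it against the open findings your vulnerability scanner reports per host, and sort the hits by ransomware use and by how long each entry has sat in the catalog. The script below is an added example, not code from the article or from Cork; the feed sample and scanner output are constructed (the CVE IDs are placeholders, not real entries), the scanner output format is an assumption, and the seven-day patch target and 30-day "stale" threshold are taken from the figures quoted above. The field names match the real KEV JSON feed.

```python
"""Weekly KEV triage: rank a host's open CVEs by their presence and age in CISA's KEV catalog.

Added example (not the article's own code). The sample feed and scan findings below are
constructed; the CVE IDs are placeholders. Field names follow the real KEV JSON feed.
"""
import json
import urllib.request
from datetime import date, timedelta

# Real feed location; only used by fetch_kev_feed(), never at import time.
KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed sample in the shape of the real feed. CVE IDs are placeholders.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVPN", "product": "Gateway",
         "dateAdded": "2024-09-02", "dueDate": "2024-09-23", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleMail", "product": "Server",
         "dateAdded": "2024-10-04", "dueDate": "2024-10-25", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-0003", "vendorProject": "ExampleCMS", "product": "Core",
         "dateAdded": "2024-08-15", "dueDate": "2024-09-05", "knownRansomwareCampaignUse": "Known"},
    ],
})

# Constructed scanner output (assumed format): host -> list of open CVE IDs.
SAMPLE_SCAN_FINDINGS = {
    "vpn-edge-01": ["CVE-0000-0001", "CVE-0000-9999"],  # 9999 is not in KEV
    "mail-01": ["CVE-0000-0002"],
    "web-03": ["CVE-0000-0003", "CVE-0000-0002"],
}

# Constructed "today" so the sample runs deterministically offline.
AS_OF = date(2024, 10, 9)


def fetch_kev_feed(url=KEV_FEED_URL):
    """Download the live KEV feed (network access required)."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return resp.read().decode("utf-8")


def load_kev(feed_json):
    """Index the KEV feed by CVE ID for O(1) lookup."""
    data = json.loads(feed_json)
    return {v["cveID"]: v for v in data["vulnerabilities"]}


def triage(kev_index, scan_findings, today, sla_days=7, stale_days=30):
    """Return open findings that are in KEV, most urgent first.

    Urgency: known ransomware use first, then longest time in the catalog.
    'stale' marks entries older than stale_days (the article's 30-day figure);
    'patch_by' applies the weekly SLA the article recommends.
    """
    rows = []
    for host, cves in scan_findings.items():
        for cve in cves:
            entry = kev_index.get(cve)
            if entry is None:
                continue  # not in KEV: leave it to the regular 30-60 day cycle
            added = date.fromisoformat(entry["dateAdded"])
            due = date.fromisoformat(entry["dueDate"])
            days_in_kev = (today - added).days
            rows.append({
                "host": host,
                "cve": cve,
                "product": f"{entry['vendorProject']} {entry['product']}",
                "days_in_kev": days_in_kev,
                "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
                "past_federal_due": today > due,
                "stale": days_in_kev > stale_days,
                "patch_by": (today + timedelta(days=sla_days)).isoformat(),
            })
    rows.sort(key=lambda r: (not r["ransomware"], -r["days_in_kev"]))
    return rows


def run_sample():
    """Run the triage over the constructed sample data."""
    return triage(load_kev(SAMPLE_KEV_JSON), SAMPLE_SCAN_FINDINGS, AS_OF)


if __name__ == "__main__":
    for r in run_sample():
        flags = " ".join(k for k in ("ransomware", "past_federal_due", "stale") if r[k])
        print(f"{r['host']:12} {r['cve']:14} {r['product']:22} {r['days_in_kev']:3}d in KEV  "
              f"patch by {r['patch_by']}  {flags}")
```

Swap `SAMPLE_KEV_JSON` for `fetch_kev_feed()` and `SAMPLE_SCAN_FINDINGS` for your scanner's export to run it against real data; anything that comes back flagged `stale` is exactly the 30-day exposure the DBIR figures describe.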

The Rise in Business Email Compromise (BEC)

BEC attacks remain a significant threat, especially for SMBs: according to one study, malicious emails targeting SMBs increased 145% from 2022 to 2023. Additionally, the losses from such attacks, when they do happen, are increasing. In 2023, individuals in the United States lost more than $2.94 billion in BEC scams. This figure represents a notable increase since 2021, when the reported losses totaled approximately $2.4 billion.

Phishing Scams Have Met Their Match

There was a time in the not-too-distant past when traditional phishing scams were the "it" attack vector. Today, while phishing is still thriving, we are seeing this once-digital attack darling losing market share to a similar attack vector that is harder to detect with technology: pretexting.

Less sophisticated than phishing, pretexting doesn't contain malware-laced documents or tricky URLs; instead, it consists of a simple social engineering note in plain text. Over the past two years, we have seen BEC incidents involving pretexting account for one-quarter of financially motivated attacks. In both years, the median transaction amount of a BEC was around $50,000, according to the FBI IC3 dataset.

A substantial portion of BEC attacks are executed through compromised vendor emails. A recent Abnormal Security study, in fact, uncovered a 50% increase in these types of attacks from 2022 to 2023. Stolen credentials also remain a significant concern, especially in web application attacks targeting platforms like Microsoft 365: 70% of attacks on basic web applications are still attributed to stolen credentials. A dual-focus approach to credential security and vulnerability management, combined with awareness and training, is necessary for a better cybersecurity posture.

The Role of AI and LLM in Cybersecurity

Threat actors use GenAI and large language models (LLMs) much like your employees do: they input prompts and get their results. They also attempt to misuse LLMs, and to defraud them, in order to refine phishing emails, turn off antivirus software through registry keys and improve their overall attack scripts.

Furthermore, employees' unauthorized use of AI tools, or "shadow AI," poses a significant security risk, especially as AI becomes more integrated into everyday devices like smartphones. This concern underscores the need for updated detection methods and policy enforcement against unauthorized AI use.

Emerging Threats and Future Outlook

The evolving threat landscape facilitated by AI and LLM technologies shows that detailed, targeted attacks are becoming more efficient. In addition, AI has lowered the barrier to creating other types of attacks, such as convincing deepfakes, making it easier for individuals with minimal technical skills to generate them.

Hybrid attacks that blend various techniques, including voice calls, are becoming more prevalent, necessitating improved detection methods. Furthermore, advances in AI, such as GPT-4, show potential for autonomous hacking capabilities. This suggests that defensive and offensive cybersecurity tools may increasingly incorporate AI to improve efficiency and effectiveness.

Technically, AI and LLMs are just productivity tools. But we're nearing an inflection point where the models are getting good enough that we will need a unified way of expressing how threat actors are using them, and of thinking about how their tactics might impact us down the road. This is how GenAI has largely impacted ransomware and BEC. MSPs must stay abreast of what's happening in the AI and LLM space and proactively monitor the stack they already have.

In light of these advancements, MSPs must adopt more agile and responsive security practices, focusing on credential security and vulnerability management, including AI-enhanced cyber risk solutions, to stay ahead of these evolving threats.

The use of AI for attack surface protection and management is anticipated to grow, offering opportunities and challenges in cybersecurity. As AI evolves, its impact on cybersecurity will likely become more pronounced, necessitating a proactive and informed approach to threat management.

About the Author

Ryan Weeks

Cybersecurity Advisor, Cork

Ryan Weeks is a cybersecurity advisor with Cork Cybersecurity, and partner and content advisor at Right of Boom LLC.
