February 17th: Imagine a scenario in which you go to court and find a notice on the door that says “system failure”; police at a scene cannot access the information on the laptops in their cars; and a doctor about to operate on a patient finds that the medical device is down. What would the consequences of these failures be? This is what can happen to a city, police station or hospital in a ransomware attack.
Ransomware is malware that encrypts or takes control of computer systems. Criminals who carry out these attacks can refuse to return access until they receive a ransom. By 2019, ransomware mostly targeted businesses and individuals. In recent years, however, attacks on oil and gas companies such as Travelex and Maersk, as well as industrial control systems, have resulted in hundreds of millions of dollars in losses.
But a growing number of cities, power supplies and public-facing institutions have also been targeted. As attacks increase, more and more security experts are using artificial intelligence (AI) to improve defenses against malware attacks. But there are also concerns that criminals will start using AI to weaponize ransomware and plan more effective attacks.
An analysis by security firm Emsisoft found that in 2019 alone, about 85 U.S. schools, 100 U.S. local and state governments, and more than 700 healthcare providers were exposed to ransomware attacks. This does not include the recent attacks on the Texas school district, which cost $2.3 million, or the attacks that led to the declaration of a state of emergency in New Orleans. New Orleans Mayor LaToya Cantrell said the ransomware attack cost more than the city’s $3 million limit on online insurance policies.
Ransomware attacks targeting public-facing institutions are of particular concern because, unlike individuals or businesses, cities, schools and hospitals provide basic public safety and services to the public. In 2019, ransomware disrupted 911 services, delayed procedures and made it difficult for emergency officials to access medical documents, scan employee badges and view outstanding arrest warrants, Emsisoft’s report said.
Even without AI’s escalation of ransomware, cybercriminals are wreaking havoc, with attack frequency and damage on the rise. Baltimore spent $18 million to deal with the damage caused by the 2019 ransomware attack. This followed an attack in Atlanta that cost about $17 million. According to analysis by Barracuda Networks, small cities are particularly vulnerable: nearly half of the cities attacked in 2019 had a population of less than 50,000. The analysis also found that two-thirds of ransomware attacks in 2019 targeted government organizations.
Looking back, ransomware attacks on cities sometimes seem to have come out of nowhere, but Adam Kujawa, director of Malwarebytes Labs, says the trend dates back to the end of 2017, when WannaCry, Petya and NotPetya redefined malware. These attacks, which encrypted data and spread to networks around the world, gave cybercriminals new possibilities. A worm targeting a Ukrainian power company spread like a digital dirty bomb around the world, costing up to $10 billion.
Then, in late 2018, Malwarebytes Labs discovered an attack involving Emotet, which steals credentials, spreads malware through spam modules, and then uses malware such as TrickBot to move laterally and infect the network. “Since then, we’ve seen more and more specific attack methods, and then we’ve seen improvements in that method, and then we’ve evolved to the point where we are now,” Kujawa said.
Barracuda Networks says e-mail is the most common way for attackers to access city systems, followed by PDF and Microsoft Office documents. Phishing e-mail messages and documents are sometimes designed to resemble the types of e-mail and documents that cities typically receive, such as invoices or shipping notifications.
Mr Kujawa said the evolution of these tools and the higher returns on investment from other attacks had led to more criminal activity being diverted to government agencies. He points out that urban services and hospitals are becoming bigger targets because they hold so much personally identifiable information (PII) and need to always be operational to serve society. Cities are known for adopting new technologies at a slower-than-average rate, including software updates designed to fix the latest vulnerabilities. They are also less likely to have cybersecurity experts, and their culture may not take cybersecurity seriously.
Criminal methods also appear to be escalating. Attackers no longer only encrypt files and restrict access; they are now threatening to post files online. “The beginning of the threat of leaking internal files and customer information into an open network is likely to be a standard operating procedure that would turn a ransomware attack into a full-blown data breach,” Kujawa said. “This will cause more problems for attacked organizations.”
The ransom demands of criminals, usually in bitcoin, are also on the rise. Malwarebytes Labs found that in 2019 the ransoms demanded by attackers from governments and schools soared from an initial $1,000 to more than $40,000 by the end of the year. Security firm Coveware estimates that the average ransom in the fourth quarter of 2019 was more than $80,000.
Another concern is that organizations that carry out ransomware attacks are selling ransomware, allowing less knowledgeable criminals to launch their own attacks, a model Kujawa calls “ransomware for service”, which almost forms an independent economic model.
The mistakes of paying the ransom for the city
Baltimore has suffered two ransomware attacks in more than a decade, and is the most compelling, expensive and lasting example of how bad things can get. The second attack took place in May 2019, and by the end of the day, the city had lost nearly $18 million.
There is much debate about whether cities should pay ransoms. Kujawa said Baltimore’s failure to pay the ransom was a mistake and the city did not have an overall policy. The attacks in the summer of 2019 intensified the disagreement over whether to pay the ransom. Last June, Lake City and Riviera Beach in Florida paid ransoms of about $500,000 and $600,000, respectively. By contrast, nearly 20 cities in Texas were hit in a collective attack in August 2019, but none paid ransoms.
Some cities are trying to take positive steps to limit potential ransomware losses by buying internet insurance. In the wake of the attack in New Orleans, Cantrell said the city plans to increase its online coverage from $3 million to $10 million, while the Baltimore Budget Committee approved a $20 million cybersecurity policy in October 2019.
Mr. Kujawa said cyber insurance takes the problem out of the hands of people who have never encountered ransomware and hands it over to those who have always dealt with it. “Obviously there are a lot of scammers out there, and I absolutely think cyber security is very important in our society today, and it’s going to be more valuable in the future, as long as it doesn’t exist just to drive up the cost of remediation,” he said.
In any case, it would be unwise for cities to declare that they have internet insurance, and Baltimore has made that mistake. This will only lead to criminals extorting larger ransoms and feeding the “beast” to some extent. The fact that few perpetrators of attacks on public-oriented institutions have been brought to justice may exacerbate the trend towards ransomware.
How AI Prevents Ransomware Attacks
To prevent the spread of ransomware, security software uses AI to detect, isolate, and delete infected files. Security software can use unsupervised machine learning to create AI models that are trained on datasets to identify differences between clean and malicious files. Natural language processing (NLP) and computer vision help detect abnormal behavior in e-mail messages or documents. Microsoft is using a monotonic model running on top of a traditional classification model that captures 95% of malware. The technology was developed by AI researchers at the University of California, Berkeley.
In its report, Capgemini, a cybersecurity firm, found that AI is helping the industry grow faster and focus on solving the biggest problems. Three-quarters of security professionals surveyed said AI reduced the time it takes to detect malware. Two-thirds said AI reduced the cost of responding to intrusions. Anti-virus and security companies are increasingly adopting AI. By 2019, about one-fifth of security organizations used AI, and two-thirds plan to adopt the technology by 2020.
How AI Fuels Ransomware Attacks
The fact that spear phishing is still the primary way to deliver malware suggests that people are still vulnerable to the kind of fraud that sometimes appears in their email inboxes, says Mr Kujawa.
It also reflects the fact that today’s ransomware attacks do not seem to require AI’s help. Malwarebytes Labs and Barracuda Networks have not yet seen AI applied to ransomware outside the lab. Malwarebytes Labs’ analysis of the potential weaponization of malware predicts that ransomware with AI will not become popular for the next one to three years.
Mr Kujawa says his main concern is AI being used to identify the people best targeted in an organization. AI can also find paths that spread malware to a large number of machines around the world and become “ammunition” in the AI arms race. Such a method could exploit the vulnerability types a specific security vendor is able to detect, or train a model to detect soft areas for attack.
“Some researchers have done laboratory tests and created internal AI malware,” Kujawa explains. “That’s certainly possible, but in practice, how we see it appear and how often it happens is what I’m most worried about. I do see AI and machine learning being used to grab data from leaks, social media or anywhere else to create personal data for a specific user or the profile of an ideal victim. You can use all this information to create more efficient spear phishing attacks against businesses or anyone you want to deal with.”
Forecast of future trends
“Hopefully the lessons learned in 2018 and 2019 will bring greater security to these organizations, but we know that this may not be possible for all organizations,” said Fleming Shi, chief technology officer at security firm Barracuda Networks. “Attacks can get worse.”
Fleming Shi predicts that small towns in the “swing states” of the U.S. election in 2020 may see more attacks by nation-state actors as a way to uncover loopholes ahead of November’s U.S. presidential election. “People who play an important role in election decisions are sometimes targeted,” he said. “My view is that I don’t think we’re ready for an election year and we don’t have the right defenses.”
But Kujawa believes that we are unlikely to see this type of attack in small cities in swing states because there are more subtle ways to test the system. However, he shares Shi’s concern that cities and public-facing institutions may see an increase in ransomware attacks by nation-state actors in the future, as their motivations are not just financial extortion.
WannaCry, whose global losses are estimated at between $4 billion and $8 billion, was spread by Shadow Brokers, who are believed to have links to the Russian government. The vulnerability, EternalBlue, stolen from the U.S. National Security Agency hacking group, exposed vulnerabilities in the Windows operating system used by hackers in the WannaCry, Petya and NotPetya attacks.
The Trump administration called NotPetya the “most destructive and costly cyberattack in history” that led the U.S. Treasury Department to impose sanctions on the Russian government in 2018. The U.S. Treasury Department has announced sanctions against NotPetya, as well as sanctions for meddling in the 2016 presidential election.
Kujawa is encouraged to see that security experts now have a greater understanding of the capabilities of criminal groups and the popularity of ransomware. More and more cities are implementing best practices, putting PII behind another layer of protection technology and reacting immediately to an attack. He added that security companies such as Barracuda Networks and Malwarebytes were using AI to better detect ransomware such as SamSam, Ryuk, RobbinHood and LockerGoga.
“We are moving in a better direction, and many sectors in the security sector are moving in that direction,” Mr Kujawa said. This must be a battle between AI and AI. If cybercriminals really start to take advantage of these things, we need to be able to stop threats before they attack, and we need to be able to stop threats without even knowing they exist. (From: VentureBeat Author: Khari Johnson Compilation: Netease Intelligence Engagement: Small)