Cybersecurity is a constant battle, with threat actors continuously evolving their methods. The emergence of AI-powered ransomware represents a significant leap forward in this arms race, posing a new challenge for defenders. A recent proof-of-concept (POC) developed by the University of New York (NYU) highlights just how dangerous this threat could become.
The researchers at NYU developed polymorphic AI-powered ransomware in a controlled lab environment. This sophisticated malware was able to change its code with each new execution, making it incredibly difficult to detect. Alarmingly, when it was tested on VirusTotal against major Endpoint Detection and Response (EDR) and anti-virus vendors, none of the leading vendors picked up the AI-powered threat. The details of this study were published in an article from The Register.
If AI-powered ransomware takes hold, is it over for cyber defenders?
Not necessarily. While AI-powered ransomware is likely to be highly evasive, it is not going to be omnipotent. To succeed, any ransomware actor, whether human or AI, needs to be able to exploit key functions of the targeted operating system, be it Windows, Linux, or Mac.
By understanding what functions are likely to be exploited, it is still possible to restrict or prevent these kinds of attacks from being successful. This is where the MITRE ATT&CK framework becomes an invaluable tool. MITRE ATT&CK provides a comprehensive list of adversarial tactics and techniques based on real-world observations. It provides a blueprint for understanding and mapping the behaviour of cyber attackers.
The key to defending against AI-powered ransomware lies in targeting these adversarial behaviours rather than the malware’s constantly changing code.
How to Prepare for the Threat of AI-Powered Ransomware
A good place to start is to understand which MITRE ATT&CK techniques ransomware threat actors most commonly exploit, and then to simulate these functions being exploited and manipulated.
Commonly manipulated MITRE ATT&CK techniques include:
- Valid Accounts (T1078): Using legitimate credentials to gain access to a system.
- PowerShell (T1059.001): Executing malicious commands using the Windows scripting tool.
- Windows Command Shell (T1059.003): Using the command line to perform actions.
- Scheduled Task/Job (T1053): Creating persistent access by scheduling malicious tasks to run.
- Remote Desktop Protocol (RDP) (T1021.001): Gaining remote control of a machine.
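To illustrate detecting behaviour rather than changing code, the following added example (not from the NYU study, The Register article or any vendor) tags events with the technique IDs listed above and flags hosts where several occur close together. The event records are constructed, the field names `image`, `logon_type` and `hash` are simplified assumptions, and the Windows Security event IDs used are 4688 (process creation), 4698 (scheduled task created) and 4624 (logon).

```python
from collections import defaultdict

# Behavioural rules keyed to the ATT&CK IDs listed above. Each rule looks only at
# what an event did, never at a file hash. T1078 is omitted: it needs a logon baseline.
RULES = [
    ("T1059.001", lambda e: e["id"] == 4688 and e.get("image", "").lower().endswith("\\powershell.exe")),
    ("T1059.003", lambda e: e["id"] == 4688 and e.get("image", "").lower().endswith("\\cmd.exe")),
    ("T1053",     lambda e: e["id"] == 4698),                                # scheduled task created
    ("T1021.001", lambda e: e["id"] == 4624 and e.get("logon_type") == 10),  # RemoteInteractive (RDP)
]

def tag(event):
    """Return the technique IDs whose behavioural rule matches this event."""
    return [tid for tid, rule in RULES if rule(event)]

def hosts_to_review(events, window=600, min_techniques=3):
    """Hosts where at least min_techniques distinct techniques fall within window seconds."""
    per_host = defaultdict(list)
    for e in events:
        for tid in tag(e):
            per_host[e["host"]].append((e["ts"], tid))
    flagged = {}
    for host, hits in per_host.items():
        hits.sort()
        for start, _ in hits:
            seen = {tid for ts, tid in hits if start <= ts <= start + window}
            if len(seen) >= min_techniques:
                flagged[host] = sorted(seen)
                break
    return flagged

# Constructed sample events (not real telemetry). WS-01 and WS-02 carry different
# hashes but the same behaviour chain; WS-03 shows the same techniques hours apart.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
CMD = "C:\\Windows\\System32\\cmd.exe"
EVENTS = [
    {"ts": 0,     "host": "WS-01", "id": 4624, "logon_type": 10},
    {"ts": 90,    "host": "WS-01", "id": 4688, "image": PS, "hash": "constructed-A"},
    {"ts": 200,   "host": "WS-01", "id": 4698},
    {"ts": 5000,  "host": "WS-02", "id": 4624, "logon_type": 10},
    {"ts": 5100,  "host": "WS-02", "id": 4688, "image": CMD, "hash": "constructed-B"},
    {"ts": 5150,  "host": "WS-02", "id": 4698},
    {"ts": 100,   "host": "WS-03", "id": 4688, "image": PS},
    {"ts": 9000,  "host": "WS-03", "id": 4698},
    {"ts": 20000, "host": "WS-03", "id": 4624, "logon_type": 10},
]

if __name__ == "__main__":
    print(hosts_to_review(EVENTS))
```

WS-01 and WS-02 are both flagged even though their payload hashes differ, while WS-03 stays below the threshold because its events fall outside the ten-minute window.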
Adversarial Exposure Validation tools, like Validato (www.validato.io), are designed to safely simulate how ransomware threat actors manipulate these MITRE ATT&CK techniques. The platform shows where an organisation may be exposed and then provides detailed information on how to restrict and harden environments so they cannot be exploited.
By focusing on adversarial behaviours and proactively hardening their systems, organisations can build resilience against the new and evolving threat of AI-powered ransomware.