Preventing the next ransomware attack with help from AI
In this Help Net Security interview, Dr. Darren Williams, CEO at BlackFog, talks about how employee training plays a crucial role in preventing ransomware attacks. He points out that human error is often the biggest security risk and explains how AI tools, alongside gamification and real-time alerts, help employees identify advanced phishing threats.
What role does employee awareness training play in preventing ransomware attacks? What innovative approaches can make such training more effective?
Awareness training should not be underestimated when it comes to reducing the impact of ransomware within any organization. The weakest link is always a human in our experience, and the sophistication of phishing attacks has reached a new zenith with the use of AI to craft impactful, targeted attacks. Ensuring users are well trained in identifying these types of techniques is critical as a first line of defense and for reducing human error. Many regulatory frameworks such as SOC 2 and ISO 27000 already mandate that employees perform regular training to help foster a strong security culture within an organization.
Innovative methods to make this more interesting involve forms of gamification such as puzzles and other tests to see if users can be tricked; these often prove quite effective. Many systems also employ training with real-time alerts warning users of the latest scams and techniques and when emails have been flagged, for example due to suspicious activity. Together these techniques can make training generally more engaging and more likely to be embraced as part of the company culture.
How significant is the triple extortion tactic, and what strategies can organizations use to counter this evolution in ransomware attacks?
Triple extortion represents a strategic escalation of traditional ransomware techniques. Initially, ransomware attackers focused on encrypting data to demand payment. They then moved to double extortion—threatening to leak sensitive data if ransom demands weren’t met. Now, with triple extortion, attackers target not only the initial victim but also customers, partners, regulators and even shareholders. In addition, they often employ additional techniques such as DDoS attacks to cripple an organization’s ability to do business.
Countering these attacks involves building out a comprehensive strategy with training, backups, and adequate cybersecurity tools. Protecting the entry point typically requires firewalls and EDR-type products. Protecting the exit points and stopping data exfiltration requires anti data exfiltration products to prevent extortion in the first place.
What emerging technologies, such as AI or machine learning, are proving to be effective in ransomware prevention?
The only way to truly fight modern ransomware attacks is with AI-based technologies. Ransomware has evolved rapidly in the last two years and is more effective than it has ever been. This year has seen unparalleled success with the highest number of successful attacks in five years. Existing technologies have simply failed to have any impact.
Newer solutions based around AI and zero-day-based attacks have proved very effective against these new variants, which are often combinations of other variants cobbled together. By leveraging AI, vendors are able to target vulnerabilities that haven’t even been identified in real time. The challenge is for these emerging vendors to break through the noise of a crowded cybersecurity market to get attention from organizations. Strong solutions do exist, and they are only getting better.
What are the first critical steps organizations should take once a ransomware attack is detected?
First of all, containment and identification are critical so the spread of ransomware can be stopped. Using anti data exfiltration will ensure there is no lateral movement or data extraction from a device. Following this, validate all backups that exist and ensure your organization has a data recovery plan for all affected systems. Next, it is important to understand WHO is affected and WHAT sort of data is involved, because this will dictate your next critical step, which is communication with the authorities, internally and with customers.
I would emphasize here that communication and reporting are critical, to assist the relevant agencies and to help mitigate you and others from further attacks. This will also ensure that any fines will be minimized, especially for public companies. Hiding the attack is not a valid approach and never works out well for victims in the long run. Finally, if you do not have adequate internal resources to mitigate the attack, engage professionals to evaluate and recover. This process will not be inexpensive, but it may ensure you can still operate your business with minimal downtime.
Managed Service Providers (MSPs) are frequently attacked due to their downstream access. What recommendations would you provide to MSPs to strengthen their defenses?
I would suggest that any MSP that you are involved with has some formal certification, including the products they have employed. This includes SOC 2 or ISO certification. These certifications are quite onerous and involve independent audits of security policies and procedures to ensure systems are based upon best practices. If an MSP cannot demonstrate adequate checks and balances, then they are probably out of their depth and should not be entrusted as custodians of your organization’s endpoints and data.