Over the past year, 66% of organizations experienced at least one ransomware attack, with many suffering repeated breaches. According to Deloitte’s Annual Cyber Threat Trends report, ransomware, identity-based attacks, and sophisticated attack methods like zero-day exploits and AI-driven cyber espionage dominate a rapidly changing threat landscape.

Ransomware attackers specialize in making chaos pay

Attackers are using ransomware as a smash-and-grab strategy, often to finance other illegal operations. Cybercrime gangs, including those that are state-funded, rely on ransomware as a primary source of revenue as well.

Ransomware attackers aim to create widespread chaos across supply chains, amplifying the impact of their attacks. For example, United Healthcare paid a $22 million ransom in Bitcoin, demonstrating how greater disruption often leads to higher payouts.

“Sophisticated ransomware operators are increasingly using zero-day exploits as their initial access vector, with 36 percent of victims ransomed in this way. Valid credential compromise was the second most common entry point for ransomware attacks,” says Deloitte in the report.

“Phishing, remote attacks on public-facing infrastructure, and unauthorized remote desktop connections continue to be the primary sources of infiltration for ransomware,” writes Paul Furtado, Gartner vice president analyst, in a recent research report, How to Prepare for Ransomware Attacks.

Furtado notes that “bad actors are mining exfiltrated data to identify other potential sources of revenue,” further increasing the urgency to harden cyberdefenses against ransomware attacks. The following is a typical ransomware attack pattern as defined in the Gartner report.

CrowdStrike’s threat intelligence teams regularly monitor every known ransomware variant. “RaaS kits are easy to find on the dark web, where they are advertised in the same way that goods are advertised on the legitimate web,” writes Kurt Baker in a blog post explaining RaaS. The post continues, “a RaaS kit may include 24/7 support, bundled offers, user reviews, forums, and other features identical to those offered by legitimate SaaS providers.”

The 2024 Annual Threat Assessment of the U.S. Intelligence Community found that “transnational organized criminals involved in ransomware operations are improving their attacks, extorting funds, disrupting critical services, and exposing sensitive data. Important U.S. services and critical infrastructure such as health care, schools, and manufacturing continue to experience ransomware attacks.”

Adversarial AI’s growing tradecraft

Deloitte’s research uncovered the growing use of adversarial AI for cyber espionage, finding it’s driving new forms of tradecraft in influence operations, social engineering, underground services, and collaboration.

Adversarial AI’s goal is to deliberately mislead AI and machine learning (ML) systems so they are ineffective for the use cases they’re being designed for. Adversarial AI refers to “the use of artificial intelligence techniques to manipulate or deceive AI systems. It’s like a cunning chess player who exploits the vulnerabilities of their opponent. These intelligent adversaries can bypass traditional cyber defense systems, using sophisticated algorithms and techniques to evade detection and launch targeted attacks.”

Influence operations are the most active threat vector of the three Deloitte is tracking. AI image deception and deepfake accuracy are accelerating faster than many existing detection technologies can keep up with.

Telesign’s 2024 Trust Index found just how wide the trust gap is becoming due to deep fakes and broader influence operations. 87% of Americans hold businesses accountable for digital privacy, yet only 34% trust them to use AI effectively to protect against fraud. Deepfakes and misinformation are driving a wedge of distrust between companies, the customers they serve, and citizens participating in elections this year.

Deloitte found that social engineering-based attacks are becoming more challenging to identify and stop. Nation-states are weaponizing LLMs and using genAI to improve their ability to launch large-scale social engineering attacks aimed at harvesting privileged access credentials and gaining control of thousands of identities in an enterprise at once.

The rapid growth of Voice Cloning-as-a-Service (VCaaS) tools powered by AI, which is used for vishing attacks to clone voices for financial fraud and unauthorized access, continues to defy easy detection. Cybercriminals and nation-state adversaries are quick to invest in new technologies that yield tradecraft that existing cybersecurity systems can’t decipher, and deepfakes are among the most undetectable today.

Preventing a ransomware attack

Start with a zero-trust mindset. Any trust-based connections in a network are a liability—a ransomware attack waiting to happen. Furtado advises, “Build and execute on a zero-trust strategy that reduces the risk of attackers abusing implicit trust in environments to achieve lateral movement, employ available exploits, and gain privilege escalation to deploy ransomware.”

Furtado’s recommendations reflect a strong zero-trust mindset that seeks to eliminate lateral movement, enforce least privilege access, and monitor all network activity while hardening identity and access management (IAM) security. In short, he’s advising having as strong of a zero-trust framework as possible in place to withstand a ransomware attack.

One of the core concepts of zero trust is to assume an attack has already penetrated the network. Furtado’s key takeaways from his recent report on ransomware include the following:

• Have a complete preincident prevention strategy that includes workspace and endpoint protection, data protection, immutable backup, asset management, end-user awareness training, and strong identity and access management.

• Implement a reliable asset management process to identify what needs to be protected and who is responsible, paying particular attention to legacy systems.

• Establish a risk-based vulnerability management process that includes threat intelligence (TI) to address unpatched systems.

• Implement both macro and micro network segmentation to minimize the blast radius of ransomware attacks.

• Build and execute a zero-trust strategy to reduce the risk of attackers abusing implicit trust in environments.

• Implement compliance scanning, penetration testing, and breach attack simulation (BAS) tools.

• Remove local administrative privileges on endpoints and limit access to sensitive applications, including email, to prevent account compromise.

• Prevent access to the command prompt and block the execution of PowerShell scripts on all user endpoints.

• Implement strong authentication for privileged users, such as database and infrastructure administrators and service accounts, and log and monitor their activity.