By Christian Borst, EMEA CTO at Vectra AI

The threat of ransomware attacks against manufacturers is nothing new, but the explosion of new devices and data brought about by Industry 4.0 has created a larger attack surface for cyber attackers. In fact, manufacturing was the most targeted industry by ransomware in 2021. Last year we witnessed German manufacturer Knauf and Toyota fall victim to ransomware attacks.

When it comes to defending against ransomware, one of the main problems for manufacturers is that ransomware has evolved and diversified in recent years. Attackers have moved on from simple, fully automated tactics that are quite straightforward to prevent, to using more targeted and sophisticated tactics. At the same time, most security teams are still using the same old tactics to try to prevent ransomware – an approach that is now broken.

It’s time for manufacturers to evolve – and that means looking beyond a preventative approach that tries to stop a ransomware attacker from breaching the walls, and instead focusing on arming themselves with the tools that can detect and stop an attack in its tracks. One thing is for sure: in the sprawling IT landscapes of today, artificial intelligence (AI) will play a decisive role in the war against ransomware.

A diversifying threat

Early forms of ransomware operated on autopilot and followed a simple business model: infect as many computers as possible, because at least some proportion of the victims will surely pay to recover their files. This so-called commodity ransomware soon evolved to search out and encrypt entire network drives – the rationale being that you’re increasing the likelihood of locking something the victim can’t live without. This initial evolution also saw attackers start to target organisations such as manufacturing companies, rather than individual people, as businesses are more likely to pay bigger ransoms to recover critical files.

From here, commodity ransomware was combined with worms – so it could now land on a single system and then rapidly infect neighbouring systems too. This was an important step forward for attackers: only one victim needed to fall foul of the phishing email for the ransomware to spread quickly to potentially thousands of other machines. Despite being around for many years, such commodity ransomware remains a genuine threat. An example of this was the WannaCry attack in 2017, which locked down hundreds of thousands of computers, while in February last year, commodity ransomware shut down a US natural gas facility for two days.

Attackers have continued to step up their game and diversify, replacing automated tactics with more sophisticated and targeted methods. These attacks often take weeks of planning and, after gaining an initial foothold, attackers manually adapt their movements to the specifics of the environment they have broken into. Such tactics were employed in the successful ransomware attack targeting JBS Foods, which was conducted by one of “the most specialised and sophisticated cybercriminal groups in the world”, according to the FBI.

Alongside the diversification of the attack itself, the ransomware business model has also branched into a franchise model. The franchiser supplies the tools, playbooks and other necessary attack infrastructure, while franchisees use these services to carry out attacks, sending a percentage of the ransom back to the franchiser. For all intents and purposes, ransomware has become a fully fledged industry; it’s hardly surprising that the sophisticated human-operated variants have been identified by Microsoft as “one of the most impactful trends in cyberattacks today”.

AI to reinforce the ranks

Well-known commodity ransomware variants can generally be blocked on entry if security teams have access to timely indicators of compromise. Even newer types of commodity ransomware that successfully bypass preventative measures are typically quite limited in scope, and can be recovered from with a good backup and restore process. Containing faster-moving commodity ransomware variants can be more difficult, although in these cases zero trust and other policy-driven controls are a decent armoury for containing outbreaks.

When it comes to the most targeted, human-operated ransomware attacks, defensive success is no longer reliant on prescriptive policies or hardened security configurations that are focused on prevention. While useful to a point, a sufficiently motivated attacker will eventually overcome these. In this case, the focus must shift from trying to prevent the inevitable to detecting and halting successful intrusions at the earliest possible point – and this is where AI comes in.

With estimates indicating that the average dwell time in a ransomware attack is 43 days, AI should play a decisive role within the security team to help flush out the threat. While a team of analysts may need days or even weeks, AI can rapidly – if not immediately – detect attackers moving through systems before the ransomware deploy button is hit. This is because AI can contextualise and consolidate the wide variety of signals and markers left by attackers as they move through systems towards their intended goal. AI can pull all this disparate information together into one clear picture, meaning security teams can efficiently respond to the most critical threats.

Conquering the ransomware battlefield

Ransomware continues to be a serious threat to manufacturers, and as demonstrated by some of this year’s high-profile incidents, it’s not going away any time soon. Security teams in manufacturing companies should take note of these incidents and view them as a case study of what can happen if they are not ready to deal with the wide variety of threats.

If you’re the target of a human-operated attack, it’s simply not realistic to expect security analysts to have all angles covered. As ransomware operators continue to diversify, manufacturers should look at adding AI-powered means of detecting ransomware to their arsenal, so they can significantly reduce the time taken to spot the threat.