The rapid development of artificial intelligence (AI) has transformed the technology landscape forever. This disruptive technology has significantly impacted modern cyber threats and is shaping cyber security trends. With AI's ability to automate tasks, personalise customer interactions, and provide valuable insights from data analysis, companies can benefit from increased efficiency, improved decision-making, enhanced customer experiences, and cost reductions. However, cybercriminals are among the first to leverage the advanced capabilities of generative AI solutions to empower their tools and malware. Evolving and escalating AI-powered ransomware threats are a separate menace category deserving special attention.
The frequency and impact of ransomware attacks have already increased due to AI enhancements. Q1 2024 saw a 21% growth in ransomware incidents compared to Q1 2023. The average ransom demand per attack reached $2.73 million in 2024, about $1 million more than in 2023. The actual situation might be even more severe, as many organisations and individuals fail to notify officials about ransomware incidents when they occur.
AI-enhanced ransomware capabilities
At first glance, AI-enhanced ransomware appears as regular ransomware. This malware infiltrates IT environments and encrypts the data it reaches. After that, the victim receives a demand for ransom payment in exchange for decryption keys to regain data access. The hallmark is embedded artificial intelligence that provides the ransomware with additional capabilities, increasing its sophistication. AI ransomware becomes more effective at every stage of the cyberattack, from reconnaissance to exfiltration.
Cybercriminals leverage AI in ways other than directly modifying their malware. For example, AI solutions such as Large Language Models (LLMs) or advanced deepfake content generators can simplify and amplify ransomware injection tactics that rely on human error and social engineering. These include spear phishing emails composed with AI assistance and the use of deepfakes for voice and face cloning during calls or video meetings.
Additionally, cybercriminals can utilise AI to analyse data and prepare attacks with exceptional thoroughness. For example, artificial intelligence tools enable hackers to quickly collect publicly available information about the target organisation's executives and staff members. The results are then used to craft a specific, personalised phishing email that makes the target click the malicious link which triggers the cyberattack.
However, the most dangerous enhancements are inside the AI-enhanced ransomware itself. New malware capabilities include:
Elevated scanning and exploitation – AI ransomware can autonomously scan the security perimeter of a target infrastructure to reveal vulnerabilities. It can then pick precise tools to exploit the detected weaknesses. Human operators are unnecessary at this stage, enabling ransomware to spread quickly across IT environments, scaling attacks and multiplying their impact.
Advanced encryption techniques for data lockdown – With integrated machine learning (ML) models, AI-powered ransomware is capable of "understanding" the data types and available system resources inside the target environment. After analysing this data, the malware can modify its encryption algorithms to complicate data decryption.
Automated targeting for strategic impact – AI ransomware is able to prioritise specific targets for malicious encryption. For example, Natural Language Processing (NLP) tools enable ransomware to analyse and process the text in the documents and files it reaches. By doing this after infiltration and before execution, ransomware can create a surprise effect that guarantees a hit on the most sensitive data first.
Adaptive evasion tactics – The combination of advanced scanning and self-adjustment capabilities helps ransomware confound security solutions. Should its injection prove successful, the ransomware can stay aware of the protection measures applied by the target organisation, enabling the malware to modify its code and behaviour to remain undetected while operating.
Defending against AI-driven ransomware: the challenges
Protecting IT environments from AI ransomware can be more challenging than traditional approaches allow, for various reasons.
Firstly, traditional cybersecurity instruments are mostly reactive: an antivirus, for instance, can detect a potential threat and then alert IT specialists to take action. AI integrations make cyberattacks faster, deeply customised and more accurate, leaving security experts little to no time to react before considerable damage is done.
In addition, malware detection itself becomes a challenge. AI-powered ransomware is capable of continuously morphing its code autonomously, so early detection is not guaranteed. Daily, hourly and even minute-by-minute signature database updates are insufficient to keep up with this ever-evolving threat. Furthermore, AI ransomware can mimic regular software behaviour, tracking user presence after injection and then activating the malicious encryption during off-peak hours.
The growing precision, adaptability and automation of AI-empowered cyber threats make organisations look for security solutions with comparable capabilities. AI-driven cybersecurity strategies can help with vulnerability assessment and threat intelligence, user behaviour analytics, incident response and protection automation, among other improvements. However, the shift towards AI-enhanced cyber protection requires significant resources and expertise that not every organisation has.
Achieving AI-enhanced ransomware resilience
AI-powered ransomware will not quit evolving until it can bypass the latest protection systems. With hundreds of millions of ransomware attacks happening every year, a security failure resulting in data encryption is just a matter of time for most organisations. When protection measures are ineffective and the data is already lost, the only solution to restore operations is a relevant backup.
Modern data protection solutions can be deployed to create backups of critical data, workloads or entire infrastructures. When the main site is down and ransomware has already encrypted the original data, backups can help restore operations and ensure compliance without paying hackers for the decryption key.
However, a single, simple copy of the data is insufficient, as cybercriminals target backups along with main systems. Nowadays, a backup is more than just an additional data copy, and backup workflows require thorough setup. Advanced backup solutions should have anti-ransomware capabilities and data management features to help build a resilient backup system for the IT infrastructure.
As with regular ransomware, AI-powered ransomware has encryption and deletion capabilities. To prevent this malicious intrusion, effective modern data protection solutions enable setting immutability periods for backups. When backups are immutable, they cannot be altered or tampered with. Ransomware encryption algorithms cannot be applied to data in immutable backups, which means that backup copies can safely be utilised for recovery even after successful cyberattacks.
Backup tiering is another anti-ransomware approach in backup workflows. Backups can be sent to multiple locations so that a spare, uninfected data copy is within reach in any scenario. Modern solutions enable storing backups in different on-premises repositories or cloud storage, as well as applying hybrid approaches to keep up with the 3-2-1 backup rule. This rule refers to a tried-and-tested approach to data retention and storage: at least three (3) copies of the data are kept; two (2) backup copies are stored on different media; one (1) backup copy is stored offsite. Applying this rule ensures that data can be recovered in almost any failure scenario. One of the most common practices is to keep one copy of production data, one backup in a local repository, and one backup copy in offsite storage or in the cloud. Rather than choosing one medium over another, this method is about finding the right combination of storage media and locations in terms of cost-efficiency, security and flexibility.
AI-enhanced ransomware resilience: best practice
Creating an effective backup strategy for resilience against AI-enhanced ransomware and other cyber threats doesn't stop with immutability and backup tiering. Further tactics are required, with the final configuration of the backup system depending on the amount of data to back up, the recovery objectives and the available resources. Meeting certain guidelines can help make the backup strategy more effective:
Data prioritisation – As it is usually not necessary to back up every single file in the environment, the data and workloads that are critical for production should be defined, with those backups created first. This means that should a cyberattack occur, the data from those backups will be the first to be restored. Records subject to regulatory compliance (for example, credit card information or client personal data) also require special attention. Ensuring the availability of this data can help organisations avoid regulatory issues and severe compliance fines.
Regular and automated backup scheduling – The volume of data to protect and the complexity and size of production infrastructures can make manual backups obsolete. Setting up a backup schedule enables automated updates of the backup data. The recovery point objective (RPO) should be defined, and schedules configured accordingly. With this approach, relevant backups can always be recovered, and production restored without critical data loss.
Additionally, scheduling can streamline data management across the environment. Scheduled workflows need only be configured once, after which they run automatically. IT specialists then have more time to work on production tasks.
Testing backups to check recoverability – Having backups and recovery plans in place will not be enough to ensure swift recovery after an AI-enhanced ransomware attack or any other emergency. The moment the data is already encrypted is the worst time to find out that backups are unrecoverable. To avoid such scenarios, regular backup testing should be implemented. Full-scale tests can help employees understand their actions and roles in mitigating IT disaster outcomes. AI ransomware will not allow much time to react during the attack, and every second saved by conducting testing drills in advance will be advantageous. Modern data protection solutions enable recoverability tests with no impact on production, so they can be run more frequently without reducing business performance.
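The guidelines above (the 3-2-1 rule, immutability periods, an RPO-driven schedule and regular restore tests) can be turned into an automated policy check run against a backup inventory. The following is an added example, not code from the original article or from any backup product; the inventory, field names and thresholds are constructed for illustration, and a real deployment would pull the same fields from the backup solution's own API or reports.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Copy:
    """One copy of a dataset. Field names are assumptions for this example."""
    name: str
    media: str                          # e.g. "disk", "object-storage", "tape"
    site: str                           # where the copy lives
    offsite: bool                       # stored away from the production site?
    created_at: datetime                # time of the last successful run
    immutable_until: Optional[datetime] # None: copy can be altered or deleted
    last_restore_test: Optional[datetime]


# Fixed "now" so the example is deterministic; use datetime.utcnow() in practice.
NOW = datetime(2024, 6, 1, 12, 0)

# Constructed inventory: production data plus two backups (not real systems).
INVENTORY: List[Copy] = [
    Copy("production", "disk", "primary", False, NOW - timedelta(hours=1), None, None),
    Copy("local-backup", "disk", "primary", False, NOW - timedelta(hours=2),
         NOW + timedelta(days=14), NOW - timedelta(days=10)),
    Copy("cloud-backup", "object-storage", "cloud-eu", True, NOW - timedelta(hours=30),
         NOW + timedelta(days=30), NOW - timedelta(days=45)),
]


def backups(copies: List[Copy]) -> List[Copy]:
    return [c for c in copies if c.name != "production"]


def check_321(copies: List[Copy]) -> Dict[str, bool]:
    """3-2-1: at least 3 copies, backups on 2 different media, 1 backup offsite."""
    b = backups(copies)
    return {
        "three_copies": len(copies) >= 3,
        "two_media": len({c.media for c in b}) >= 2,
        "one_offsite": any(c.offsite for c in b),
    }


def check_rpo(copies: List[Copy], rpo: timedelta, now: datetime = NOW) -> List[str]:
    """Backups older than the recovery point objective (stale restore points)."""
    return [c.name for c in backups(copies) if now - c.created_at > rpo]


def check_immutability(copies: List[Copy], min_period: timedelta,
                       now: datetime = NOW) -> List[str]:
    """Backups that are mutable, or whose remaining lock is shorter than min_period."""
    return [c.name for c in backups(copies)
            if c.immutable_until is None or c.immutable_until - now < min_period]


def check_restore_tests(copies: List[Copy], max_age: timedelta,
                        now: datetime = NOW) -> List[str]:
    """Backups never restore-tested, or not tested within max_age."""
    return [c.name for c in backups(copies)
            if c.last_restore_test is None or now - c.last_restore_test > max_age]


def evaluate(copies: List[Copy], rpo: timedelta = timedelta(hours=24),
             min_immutable: timedelta = timedelta(days=7),
             test_age: timedelta = timedelta(days=30),
             now: datetime = NOW) -> List[str]:
    """Collect every policy violation as a human-readable finding."""
    findings: List[str] = []
    for rule, ok in check_321(copies).items():
        if not ok:
            findings.append(f"3-2-1 violated: {rule}")
    findings += [f"RPO missed: {n}" for n in check_rpo(copies, rpo, now)]
    findings += [f"immutability too short: {n}"
                 for n in check_immutability(copies, min_immutable, now)]
    findings += [f"restore test overdue: {n}"
                 for n in check_restore_tests(copies, test_age, now)]
    return findings


if __name__ == "__main__":
    for finding in evaluate(INVENTORY):
        print(finding)
```

With the constructed inventory the 3-2-1 and immutability checks pass, while the cloud copy is flagged twice: its last run is 30 hours old against a 24-hour RPO, and its last restore test is 45 days old. Both are exactly the conditions the text warns about, and both are found before an incident rather than during one.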
Combining backup with real-time monitoring and AI detection tools
A regularly updated and properly enhanced backup is the main solution for defending against AI-enhanced ransomware. However, this line of defence should not be the only one. Combining backup with AI-driven protection tools can substantially reduce cyber security risks.
Real-time monitoring solutions can highlight system resource consumption anomalies and unusual user activities. AI detection tools can help reveal AI-powered ransomware by constantly scanning the environment and network traffic to detect possible intrusions. These and other tools can be utilised to strengthen IT infrastructure security and mitigate the outcomes even if an AI-enhanced ransomware attack is successful.
Traditional protection, detection and prevention systems are falling behind the fast-paced adaptations of malware. Creating a relevant, ransomware-resilient backup strategy with a "no stone unturned" approach is a must for the most effective support of production continuity after a cyberattack, without needing to pay the ransom.
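The "unusual user activity" monitoring described above can be illustrated with a small behavioural detector over file-activity events. This is an added example, not code from the original article or from any monitoring product; the log format, user names and thresholds are constructed for the example. It flags a user who performs an unusual burst of file operations in a short window, or who renames several files to a new extension in that window (the mass-rename pattern that file encryption leaves behind), without relying on any signature of the malware itself.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional

# Constructed log format (an assumption for this example):
# <ISO timestamp> host=<h> user=<u> action=<write|rename|delete> path=<p> [new=<p2>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"path=(?P<path>\S+)(?: new=(?P<new>\S+))?$"
)

# Constructed sample: alice works normally, bob mass-renames to ".locked",
# carol writes six files in ten seconds. One malformed line is included.
SAMPLE_LOG = """
2024-06-01T12:00:01 host=fs01 user=alice action=write path=/share/finance/q1.xlsx
2024-06-01T12:00:40 host=fs01 user=alice action=write path=/share/finance/q2.xlsx
this line is not a valid event
2024-06-01T12:03:00 host=fs01 user=bob action=rename path=/share/hr/a.docx new=/share/hr/a.docx.locked
2024-06-01T12:03:04 host=fs01 user=bob action=rename path=/share/hr/b.docx new=/share/hr/b.docx.locked
2024-06-01T12:03:09 host=fs01 user=bob action=rename path=/share/hr/c.pdf new=/share/hr/c.pdf.locked
2024-06-01T12:03:15 host=fs01 user=bob action=rename path=/share/hr/d.pdf new=/share/hr/d.pdf.locked
2024-06-01T12:05:00 host=fs01 user=carol action=write path=/share/eng/1.bin
2024-06-01T12:05:02 host=fs01 user=carol action=write path=/share/eng/2.bin
2024-06-01T12:05:04 host=fs01 user=carol action=write path=/share/eng/3.bin
2024-06-01T12:05:06 host=fs01 user=carol action=write path=/share/eng/4.bin
2024-06-01T12:05:08 host=fs01 user=carol action=write path=/share/eng/5.bin
2024-06-01T12:05:10 host=fs01 user=carol action=write path=/share/eng/6.bin
2024-06-01T12:09:00 host=fs01 user=alice action=write path=/share/finance/q3.xlsx
""".strip().splitlines()


def parse_line(line: str) -> Optional[dict]:
    """Parse one event; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def extension(path: str) -> str:
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def _trim(q: Deque[datetime], now: datetime, window: timedelta) -> None:
    while q and now - q[0] > window:
        q.popleft()


def detect(lines: List[str], window_seconds: int = 60,
           max_ops: int = 5, max_ext_changes: int = 3) -> List[dict]:
    """Sliding-window detector; returns one alert per user, in event order."""
    window = timedelta(seconds=window_seconds)
    ops: Dict[str, Deque[datetime]] = defaultdict(deque)
    ext_changes: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerted = set()
    alerts: List[dict] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["action"] not in ("write", "rename", "delete"):
            continue
        user, ts = ev["user"], ev["ts"]
        ops[user].append(ts)
        _trim(ops[user], ts, window)
        if ev["action"] == "rename" and ev["new"] and \
                extension(ev["new"]) != extension(ev["path"]):
            ext_changes[user].append(ts)
        _trim(ext_changes[user], ts, window)

        reasons = []
        if len(ops[user]) > max_ops:
            reasons.append(f"{len(ops[user])} file operations within {window_seconds}s")
        if len(ext_changes[user]) >= max_ext_changes:
            reasons.append(f"{len(ext_changes[user])} extension changes within {window_seconds}s")
        if reasons and user not in alerted:
            alerted.add(user)
            alerts.append({"user": user, "host": ev["host"],
                           "at": ts.isoformat(), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the constructed sample, bob is flagged on his third extension-changing rename and carol on her sixth write within the window, while alice's three writes spread over nine minutes raise nothing. The thresholds are deliberately low for the example; in practice they are tuned per share and per role, and an alert like this is a trigger to isolate the host and verify the latest immutable backup, not a verdict on its own.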