Ransomware and Your Health

Artificial intelligence (AI) is becoming more commonplace, and many people have used tools like ChatGPT, a popular generative AI (GenAI) that can answer questions, write essays and poems, or summarize a book. However, like most things, AI can also be turned to the dark side. And that’s exactly what a recent assessment from the UK’s National Cyber Security Centre (NCSC) has warned people about.

In a ransomware attack, the hackers first copy an organization’s data (in order to sell it on the dark web), then encrypt it, and finally send ransom demands to the organization, which must pay in order to obtain the key needed to decrypt its data.

According to the NCSC, AI is already being used for malicious cyber activities and is expected to increase the frequency and the severity of all types of cyberthreats, especially ransomware. Using generative AI, particularly GenAI-as-a-service, even the least knowledgeable bad actor can now launch a ransomware attack. As a consequence, the National Crime Agency (NCA) is warning that AI is likely to increase the ransomware threat to organizations.

Even before the NCSC assessment, the 2023 Cost of a Data Breach Report from IBM Security found that the average cost of a data breach is US$4.45 million. For companies in the healthcare sector, the average cost of a data breach was US$10.93 million.

The cost of a ransomware attack, on average, is US$5.13 million. Ransomware attacks made up 24% of all data breaches recorded in the survey. Destructive attacks that left systems inoperable accounted for 25% of attacks. Business partner and software supply chain attacks accounted for 15% and 12% of attacks, respectively.

The big question worrying many organizations is whether they are currently being hacked and simply haven’t realized it yet. The survey found that the average length of time it takes to identify a breach is 204 days. Once a breach has been identified, the survey found that on average it takes organizations 73 days to recover.

The Royal United Services Institute (RUSI), the UK’s leading defence and security think tank, has looked at the impact of ransomware, including the harm it causes to physical and mental health, in its latest paper. They suggest that there are three orders of harm from an attack, which are:

  1. First-order harms – the harms done to organizations and their staff. Examples include data loss, reputational harm, and heart attacks.
  2. Second-order harms – the indirect harms to organizations and individuals. Examples include clients and customers in supply chains being targeted, and patients’ cancer treatments being disrupted.
  3. Third-order harms – the harms to the wider society, economy, and national security. An example is citizens losing trust in a state’s ability to provide basic services.

Their first- and second-order harms include infrastructure harm (loss of data and its encryption), financial harm (cost of ransom, cost of recovering the system, cost of fines, cost of employing external experts), reputational harm, and physical and psychological harm.

They suggest that the psychological harm of ransomware attacks on staff is intense and is often overlooked. The considerable stress for the individuals involved in responding to a ransomware attack can result in organizations employing a post-traumatic stress disorder support team. The report suggests that senior staff suffer from stress due to financial concerns, while middle management suffers from stress caused by extremely long working days, including particularly stressful communications with the threat actor. Not surprisingly, IT teams are the main victims because they work under extreme conditions during the response and feel a direct responsibility for protecting the organization’s systems. IT teams also have a very detailed understanding of the gravity of the situation from a technical point of view.

The report goes on to suggest that other employees can feel confusion and loss of orientation because they are not familiar with the technical details or do not have enough information to have a full picture of the situation. In addition, IT staff or other employees may feel angry at the attackers, or they may feel anxious following the attack.

Perhaps most worrying is the fact that employees may experience physical harm following a ransomware attack. The report lists effects such as weight change (gaining or losing weight), sleep deprivation, mental exhaustion, physical burnout, heart attacks, or stroke.

The report suggests that second-order harm includes forcing hospitals to postpone surgeries or disrupting patients’ cancer treatments. These, in turn, result in patients experiencing stress and anxiety.

So, what can organizations do not only to prevent successful ransomware attacks on their mainframes, but also to ensure that any attack doesn’t impact the health and mental wellbeing of their staff? One solution is to ensure that they are using software on their mainframe that will provide an early warning of a cyber-attack in order to stop it before any ransom is issued.

At the very early stage of an attack, the bad actors will be searching data and program files – what’s often called the reconnaissance phase. This early-warning software needs to identify unusual activity – e.g. unusually high access rates or unusual access patterns. The software should also monitor user read accesses to configuration datasets (PARMLIBs, PROCLIBs, VTAMLST, TCPPARMS, etc.), and read accesses to data sets the user is not authorized for. The accesses could be collected for an interval, and if the access level exceeds customer-defined thresholds or historical levels, an alert should be sent to the IT security team.

Hackers may cripple day-to-day operations by deleting a large number of data sets. The software needs to recognize when more than a customer-defined threshold number of files have delete operations, whether that’s from TSO or batch, and suspend the job and alert the security team.

Files may also be overwritten with zeros or any other character, making them as useless to an organization as ones that have been deleted. The software needs to identify when more than a customer-defined threshold of files are being overwritten, suspend the job and alert the security team.

Because bad actors are unfamiliar with the data that resides on any given mainframe, they will have to spend some time looking around to see what sensitive information there is and where it’s stored. The early-warning software should monitor dataset read activity, and if the number of read operations exceeds a customer-defined threshold, it could raise an alert.

Most importantly, if encryption of an organization’s data is taking place, the software should identify it quickly and suspend the job, preventing more of the data being encrypted. It should also alert the security team.
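As an added illustration (not code from this post, nor from any product), the threshold-based checks described in the paragraphs above can be run over one collection interval of dataset access events. The thresholds, dataset names, sample events and the entropy test used to spot encryption in progress are all assumptions made for the example.

```python
import math
from collections import Counter, defaultdict

# Assumed customer-defined thresholds per collection interval (constructed values).
THRESHOLDS = {"READ": 40, "DELETE": 5, "OVERWRITE": 5}
# Configuration datasets whose reads are worth an alert (constructed, illustrative names).
CONFIG_DSN_PREFIXES = ("SYS1.PARMLIB", "SYS1.PROCLIB", "SYS1.VTAMLST", "TCPIP.TCPPARMS")
ENTROPY_LIMIT = 7.5  # bits per byte; data this random being written looks like ciphertext

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 for uniformly distributed bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def analyze_interval(events, thresholds=THRESHOLDS):
    """Examine one interval of access events: dicts with job, op (READ/DELETE/OVERWRITE),
    dsn and, for OVERWRITE, the bytes written. Returns (alerts, jobs_to_suspend)."""
    touched = defaultdict(lambda: defaultdict(set))  # job -> op -> distinct datasets
    alerts, suspend = [], set()
    for ev in events:
        job, op, dsn = ev["job"], ev["op"], ev["dsn"]
        touched[job][op].add(dsn)
        if op == "READ" and dsn.startswith(CONFIG_DSN_PREFIXES):
            alerts.append((job, "CONFIG_DATASET_READ", dsn))
        elif op == "OVERWRITE" and shannon_entropy(ev.get("data", b"")) > ENTROPY_LIMIT:
            # High-entropy overwrite of an existing dataset: treat as encryption in progress.
            alerts.append((job, "POSSIBLE_ENCRYPTION", dsn))
            suspend.add(job)
    for job, ops in touched.items():
        for op, limit in thresholds.items():
            if len(ops[op]) > limit:
                alerts.append((job, op + "_THRESHOLD", len(ops[op])))
                if op != "READ":  # mass delete/overwrite: suspend the job, not just alert
                    suspend.add(job)
    return alerts, suspend

# Constructed sample interval: a normal batch job, a job wiping files, and one encrypting.
SAMPLE_EVENTS = (
    [{"job": "PAYROLL1", "op": "READ", "dsn": f"PROD.PAY.MASTER{i}"} for i in range(3)]
    + [{"job": "PAYROLL1", "op": "OVERWRITE", "dsn": "PROD.PAY.OUT", "data": b"EMP 0001 PAID " * 20}]
    + [{"job": "XJOB1", "op": "READ", "dsn": "SYS1.PARMLIB"}]
    + [{"job": "XJOB1", "op": "DELETE", "dsn": f"PROD.SALES.Q{i}"} for i in range(8)]
    + [{"job": "XJOB2", "op": "OVERWRITE", "dsn": "PROD.HR.DATA", "data": bytes(range(256)) * 2}]
)

if __name__ == "__main__":
    for alert in analyze_interval(SAMPLE_EVENTS)[0]:
        print("ALERT", *alert)
```

On the sample interval the payroll job raises nothing, the deleting job is flagged for both the PARMLIB read and the mass delete, and the high-entropy overwrite is flagged as possible encryption; both of the latter jobs are marked for suspension.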

For organizations and individuals employed by those organizations, the growing worry must be that their health will be more at risk as bad actors use generative AI to simplify the process of conducting a ransomware attack on an organization. Software like FIM+ from MainTegrity has the kinds of early warning mechanisms (mentioned above) in place. It could be all you need to protect your mainframe and the health of your staff from the predicted growing use of GenAI-as-a-service attacks.

Regular Planet Mainframe Blog Contributor
Trevor Eddolls is CEO at iTech-Ed Ltd, and an IBM Champion since 2009. He is probably best known for chairing the Virtual IMS, Virtual CICS, and Virtual Db2 user groups, and is featured in many blogs. He has been editorial director for the Arcati Mainframe Yearbook for many years.
