Assessing and Prioritizing Ransomware Risk Based on Historical Victim Data
Spencer Massengale, Philip Huff

TL;DR
This paper introduces a machine learning approach that leverages public disclosures and a large language model to predict which ransomware adversaries are likely to target specific entities, aiding in better cybersecurity defense prioritization.
Contribution
It presents a novel LLM-based methodology for defining adversary profiles and predicting targeted ransomware threats using public victim data and synthetic profile generation.
Findings
Successfully predicts likely ransomware adversaries for specific entities.
Enables organizations to prioritize defenses based on predicted threat profiles.
Demonstrates the effectiveness of LLMs in cybersecurity risk assessment.
Abstract
We present an approach to identifying which ransomware adversaries are most likely to target specific entities, thereby assisting these entities in formulating better protection strategies. Ransomware poses a formidable cybersecurity threat characterized by profit-driven motives, a complex underlying economy supporting criminal syndicates, and the overt nature of its attacks. This type of malware has consistently ranked among the most prevalent, with a rapid escalation in activity observed. Recent estimates indicate that approximately two-thirds of organizations experienced ransomware attacks in 2023 \cite{Sophos2023Ransomware}. A central tactic in ransomware campaigns is publicizing attacks to coerce victims into paying ransoms. Our study utilizes public disclosures from ransomware victims to predict the likelihood of an entity being targeted by a specific ransomware variant. We employ…
Taxonomy
Topics: Advanced Malware Detection Techniques · Cybercrime and Law Enforcement Studies · Information and Cyber Security
