Ransomware-as-a-Service (Raas) is a relatively new mode of cybercrime that is becoming increasingly sophisticated, challenging the security measures adopted by organizations. This discussion examines the associated risk factors and steps to mitigate ransomware attacks.
Ransomware-as-a-Service (RaaS) is a new and more threatening method of deploying ransomware and is on the rise. Ransomware developers offer the tools to both individuals and entire criminal organizations looking to carry out ransomware attacks. With offenders using advanced methods to gain access to and encrypt restricted data, ransomware is becoming more common and increasingly sophisticated. Consequently, it is becoming more difficult for organizations and individuals to protect themselves from such attacks. Most are unaware that evolution of cybercrime has rapidly progressed from isolated nefarious individuals, to destructive criminal organizations who are mass-developing ransomware packages for sale. In this article, I want to look deeper into into the increasing sophistication of ransomware attacks, especially in the form of RaaS. But this isn’t all about what they are doing, it’s also about what we can do by implementing preventive measures and best practices to protect against them and maintain the confidentiality, integrity, and availability of critical our data assets.
What is Ransomware-as-a-Service?
Ransomware is malicious software (also called malware) that blocks access to an information system, network, or device until a ransom is paid. It is typically spread through malicious websites or phishing emails and installed on a machine without the user’s knowledge or consent.
Ransomware encrypts information or files, making it impossible for users to access their data unless the ransom is paid. It is a particularly threatening form of malware that can result in permanent data loss or require a high financial cost to regain access to data. The offender behind ransomware typically demands payment in cryptocurrency, or other untraceable digital payment methods, making it nearly impossible to recover the funds or hold the perpetrator accountable.
Some Eye-Opening Ransomware Statistics
- Sophos 2023 Threat Report suggests ransomware-as-a-service attacks (RaaS attacks) have become more popular in the past 18 months.
- As per the Cost of a data breach 2022 report from IBM, the average cost of a ransomware attack was USD 4.54 million.
- According to the “The True Cost to Business 2022 report from Cybereason“, around 73% of organizations admitted being the target of at least one ransomware attack over the past 24 months (a significant increase of 33% from the 2021 survey).
- According to the 2022 Unit 42 Ransomware Threat Report, ransomware has significantly increased as a cyber threat. The average ransom demand on ransomware cases climbed 144% to $2.2 million.
What are the Different Types of Ransomware?
Ransomware comes in different types; however, the two most common categories are crypto-ransomware and locker ransomware.
Crypto Ransomware
Encryption-based ransomware, also known as crypto-ransomware, operates by encrypting the user’s data, making it impossible to access it unless the user pays a ransom to the attacker in exchange for the decryption key. Victims are presented with a ransom note, which demands payment to decrypt the files. As the encryption algorithm employed by the ransomware is often robust. Usually, the only way to recover the files is to pay a ransom. This type of ransomware is particularly harmful as it can encrypt files on local and networked drives and is often spread through malicious links or emails.
Locker Ransomware
Locker ransomware blocks access to an information system or its data until a ransom is paid. It is usually spread through malicious links, websites, and email attachments. Once a system is infected, the ransomware locks the files and folders, making them inaccessible and demanding payment in exchange for unlocking the data.
What is RaaS (Ransomware-as-a-Service)?
RaaS, or Ransomware-as-a-Service, is an increasingly popular form of cybercrime and is a type of pay-for-use malware. In this model, ransomware developers provide software and services to attackers to launch ransomware attacks and typically earn a percentage of the ransom paid. The services provided by RaaS typically include malware development, encryption, hosting, and ransomware delivery.
Those who most commonly purchase RaaS services have the limited technical knowledge and find the ready-to-use RaaS package helpful in launching ransomware attacks with minimal effort. RaaS is particularly attractive to them because it allows them to deploy ransomware with little cost, effort, or risk. Furthermore, with the advancement of technology for the remote workforce, attackers are more easily made anonymous, allowing them to launch attacks without fear of being identified or apprehended.
How Does RaaS (Ransomware-as-a-Service) Work?
The concept of RaaS is simple. The malicious developers produce ransomware and offer it to attackers who want to launch ransomware campaigns. These campaigns can take the form of malicious email attachments, links, or malware. Once a victim has been infected, their data is encrypted or locked, and a ransom is demanded for it to be accessible.
The concept of ransomware has been around for some time. However, the introduction of RaaS has made it much more accessible to an offender with little to no programming knowledge. Now, it is easier for willing attackers who may not have the technical expertise to exploit the vulnerabilities of the unprepared person or organization.
The core components of RaaS include a ransomware kit, a payment portal, and a distribution system. The ransomware kit consists of the malicious code and the encryption key, while the payment portal is used to facilitate the ransom payment.
The production of these RaaS packages are highly lucrative for the developers, with little to no exposure of risk for the fact they are simply the merchant. They will have a platform to manage ransomware distribution, customer support, and payments.
The buyers of the ransomware will be responsible for the actual deployment of the malware. Typically, they buy the ransomware, customize it as needed, and launch it through phishing or other malicious attacks targeting the victims. These acts can commonly target an employee’s personal computer, tablet, or phone and remain dormant until the device is used to access a corporate server via email, shared folders or by obtaining the login credentials for the employee.
Ransomware vs. Ransomware-as-a-Service
Ransomware and ransomware-as-a-service (RaaS) are two distinct but related concepts in cyber security. Ransomware is malware that encrypts users’ data and demands a ransom payment to decrypt it. RaaS is a scandalous and illegitimate business model in which offenders create and distribute ransomware tools and services. Parties buying them can customize them to target specific victims.
RaaS is usually distributed through underground networks. Its providers may offer additional services, such as technical support and customer service, further increasing the attack scale and impact.
Increasing Sophistication of Ransomware Attacks
In recent years, ransomware attacks’ sophistication has unfortunately been on the rise in significant progression. As attackers become more technologically advanced, the methods to launch these attacks become increasingly deceptive and difficult to detect and prevent. For instance, ransomware attacks now often use concealment techniques to hide the malicious code, making it difficult for traditional cybersecurity systems to detect and counter the attack.
Another way that attackers increase the sophistication of their ransomware is by using exploit kits, which bundle together various exploits to increase the chances of a successful attack. Furthermore, attackers have also been using specific techniques to target multiple types of businesses or individuals, making it even more difficult for simple common defense mechanisms to protect against these attacks.
Examples of Ransomware-as-a-Service
Ransomware-as-a-Service is a profitable industry. In 2020, it generated approximately $20 billion in revenue, representing an increase of more than $8.5 billion from the prior year. Some of the major operators in the business are:
Conti
Conti ransomware-as-a-service is a malware distribution model where a perpetrator or their affiliates are supplied with ransomware that they can use to conduct attacks. It is one of the most prominent forms of ransomware distribution today. It has become increasingly popular among the criminal element as it is easy to use and offers a high return on investment.
The model works by allowing affiliates to purchase access to Conti ransomware kits, which contain the malicious code and instructions on how to deploy it. The affiliates can customize the ransomware according to their preferences and launch it against the targets upon purchase. The ransomware then encrypts the files and data of the target, prompting them to pay the ransom to recover their data.
DarkSide
DarkSide’s RaaS model enables its owners to generate profit by sharing extortion proceeds with affiliates responsible for intruding on information systems and deploying the ransomware. Each affiliate employs its approach to intrusion and will negotiate the ransom terms with the victim.
Dharma
A financially motivated Iranian threat group has said to be linked to Dharma ransomware attacks since 2016, when the Ransomware-as-a-Service model first became available on the dark web. These attackers typically employ remote desktop protocol (RDP) attacks and demand 1-5 bitcoins from victims across various industries. Unlike REvil and other Ransomware-as-a-Service kits, Dharma is not centrally controlled.
Ransomware Prevention
The following are some of the best practices individuals and organizations must follow to deter the threat of ransomware and maintain their security stature intact.
Employ Effective Backup Strategies
One of the most effective ransomware prevention strategies is employing effective backup strategies. It involves regularly and consistently backing up data, systems, and networks to ensure the organization can restore its data from the most recent backup if a ransomware attack occurs. The method is significant for critical systems, as a ransomware attack can easily corrupt them.
It is also essential to keep backups in multiple locations, such as onsite, offsite, and in the cloud, to ensure that copies of the data are not compromised during an attack. Furthermore, organizations should also ensure that their backups are encrypted, as it will further protect them from being compromised in a ransomware attack.
Keep Your Information Systems and Software Updated
One of the best practices for preventing ransomware is to keep all systems and software updated. That is because ransomware is typically spread through malicious files looking for vulnerabilities. By keeping systems and software up to date, organizations can ensure that any vulnerabilities are patched, and malicious programs are blocked from entering their networks.
Organizations should also ensure that their firewalls and antivirus programs are configured correctly and updated regularly. It will help prevent ransomware from spreading and minimize the risk of an attack. Organizations should also implement safe password practices, such as employing strong passwords and enabling multi-factor authentication (MFA) whenever possible.
Create Awareness Among Employees
Educating employees is one of the most critical steps in this process. Instilling the necessary knowledge and understanding of the risks of ransomware and other malicious software in the employees is essential. To begin with, the organization should provide training on cybersecurity and data security basics, such as recognizing and avoiding phishing emails, password management’s importance, and storing sensitive data properly. Additionally, one should advise employees to be vigilant when opening attachments or clicking on links and always ensure that the websites they visit are secure before entering any personal information.
Install Antivirus Software and Firewalls
A fundamental method to prevent ransomware attacks is to ensure that your system is equipped with the latest antivirus software. Antivirus software is designed to detect and limit malware from entering your system, preventing ransomware from taking control of your files and data. Advanced antivirus software ensures your system is protected from the latest ransomware threats.
Additionally, antivirus software should be set to automatically update to ensure that it is always up to date and can detect and limit the newest ransomware threats. Furthermore, it is important to regularly scan your system to detect any malware that may have already infiltrated it.
Application Whitelisting
Application whitelisting is one of the most significant measures for preventing ransomware attacks. By ensuring that only authorized applications, software, and processes can run, whitelisting can help block malicious code from executing and prevent malicious actors from gaining control of an endpoint. Whitelisting also helps protect against insider threats, as it can control the execution of unauthorized programs and scripts, ensuring that attackers, including harmful insiders, cannot execute malicious code.
When deployed correctly, application whitelisting can be a powerful tool in the fight against ransomware, blocking malicious code and preventing these criminal enterprises and their syndicates from executing such code on an endpoint.
Endpoint Security
Endpoint security protects and monitors an organization’s digital assets, such as desktops, laptops, servers, and mobile devices. Organizations must deploy a comprehensive security solution to prevent ransomware attacks, including endpoint protection, threat intelligence, and data protection.
Endpoint protection provides a layer of defense against potential ransomware threats by leveraging behavior-based techniques to identify malicious software before it can cause any damage. Threat intelligence enables organizations to monitor their networks for suspicious activity and detect and respond to ransomware threats as effectively as possible.
In conclusion, ransomware-as-a-service or RaaS is a comparatively newer cybersecurity threat, quickly becoming more advanced and sophisticated. Organizations must implement appropriate preventive control measures such as employee training, data backups, and updated and robust security software to protect themselves from ransomware attacks. Furthermore, organizations should stay aware of cybercrime’s changing landscape to avoid potential threats and ensure critical data’s confidentiality, integrity, and availability.
Chris Luque
Identity & Access Management Practice Lead
References
- Baker, K. (2022, February 7). Ransomware as a Service (RaaS) explained. Retrieved January 2, 2023, from crowdstrike.com website: https://www.crowdstrike.com/cybersecurity-101/ransomware/ransomware-as-a-service-raas/
- (2022, October 4). Conti ransomware: The history behind one of the world’s most aggressive RaaS groups. (2022, October 4). Retrieved January 2, 2023, from Flashpoint website: https://flashpoint.io/blog/history-of-conti-ransomware/
- United States Department of State. (2021, November 4). DarkSide Ransomware as a Service (RaaS). (2021, November 4). Retrieved January 2, 2023, from United States Department of State website: https://www.state.gov/darkside-ransomware-as-a-service-raas/
- Chin, K. (2022, October 23). How to prevent ransomware attacks: Top 10 best practices in 2022. (n.d.). Retrieved January 2, 2023, from Upguard.com website: https://www.upguard.com/blog/best-practices-to-prevent-ransomware-attacks
- (2021, July). Kerner, S. M. (2021, July 29). Ransomware as a service (RaaS). Retrieved January 2, 2023, from Whatis.com website: https://www.techtarget.com/whatis/definition/ransomware-as-a-service-RaaS
- Mukkamala, S. (2022, March 28). Ransomware attacks are growing in sophistication. What can stop them? Retrieved January 2, 2023, from Forkast News website: https://forkast.news/ransomware-attacks-growing-sophistication/
- (n.d.). Ransomware: 4 ways to protect and recover. Retrieved January 2, 2023, from Commvault – English – United States website: https://www.commvault.com/resources/ransomware-4-ways-to-protect-and-recover
- (2018, May 16). Ransomware-as-a-service (RaaS): How it works. (n.d.). Retrieved January 2, 2023, from Tripwire.com website: https://www.tripwire.com/state-of-security/ransomware-service-raas-works
- (n.d.). White paper: Five lessons learned from over 600 ransomware attacks. Retrieved January 2, 2023, from Riskrecon.com website: https://www.riskrecon.com/report-five-lessons-learned-from-ransomware-attacks
- Scroxton, A. (2022, February 9). Ransomware ever more sophisticated and impactful, warns NCSC. Retrieved January 2, 2023, from Computerweekly.com website: https://www.computerweekly.com/news/252513166/Ransomware-more-sophisticated-and-impactful-warns-NCSC
- Kost, E. (2022, September 9). What is ransomware as a service (RaaS)? The dangerous threat to world security. (n.d.). Retrieved January 2, 2023, from Upguard.com website: https://www.upguard.com/blog/what-is-ransomware-as-a-service
- X-Ops, S. (n.d.). Maturing criminal marketplaces present new challenges to defenders. Retrieved January 5, 2023, from Sophos.com website: https://assets.sophos.com/X24WTUEQ/at/b5n9ntjqmbkb8fg5rn25g4fc/sophos-2023-threat-report.pdf
- Cost of a data breach 2022. (2022, November 7). Retrieved January 5, 2023, from Ibm.com website: https://www.ibm.com/reports/data-breach