Today’s subscription economy makes accessing almost any service as easy as pressing enter. The same model has now arrived on the dark web. The same Netflix-style instant access menu is now a staple of online criminals’ lifestyles. Ransomware-as-a-Service (RAAS) opens up the hacker talent pool and gives amateurs access to sophisticated ransomware toolkits — a plug-and-play option that hackers have embraced widely.
Previously perpetrated ad hoc by hackers using simple phishing attacks to gain access, they have now become complex and targeted using the latest commercially available “toolkits”. RaaS models now offer sophisticated options for amateur hackers, allowing any dark actor to get a piece of the highly profitable ransomware pie simply by subscribing to a ransomware toolkit.
A growing proportion of ransomware attacks are carried out via the RaaS model. While it’s impossible to quantify the number of such attacks or their cost, it’s clear that the toolkit creators and their customers benefit from it. So what can organizations do to ensure they don’t fall victim to these cookie-cutter attacks? ?
Sophisticated criminal service providers
RaaS providers sell their services with sophisticated business models and marketing strategies to appeal to hackers who want maximum returns for minimum effort. These providers operate in the gray area between legal and illegal and market themselves on the Dark Web; They target criminal customers interested in purchasing a single attack or even maintaining a retainer relationship for ongoing attacks. The client can pay a monthly fee for advice and support, usually in cryptocurrency. As with the best subscription providers, this can even include 24/7 support covering technical aspects of an attack and matters like negotiating with a victim. The customer can also share part of a payment deducted from a victim with the RaaS provider.
The RaaS model makes attribution difficult, but not impossible. In some cases, there are elements such as malicious code snippets that can help authorities trace an attack back to a perpetrator known to be running a RaaS operation, and if caught, attackers can divulge relevant details. From the victims’ perspective, ransomware crimes appear the same regardless of the underlying organizational structure that underlies them.
However, the RaaS model allows minimally experienced attackers to launch more sophisticated attacks – much like modern audio processing tools like Autotune can make deaf singers sound like stars.
RaaS providers sell expertise and prefer to keep the customer at a distance to avoid detection and prosecution. In fact, RaaS can be more difficult to track than traditional ransomware attacks because there are more moving parts and they can move across multiple jurisdictions governed by competing laws and agencies. The emergence of RaaS and ransomware in general has increased the momentum to harmonize laws and encourage law enforcement cooperation in this area.
Cloud gives and takes
RaaS providers leverage IaaS (Infrastructure-as-a-Service) and the economics of cloud-based computing and storage in the same way as legitimate businesses. The participation of most IaaS companies is usually unintentional. The desire to protect their customers’ data security and their own reputations makes legitimate IaaS providers a formidable ally in the war against ransomware and RaaS providers.
Just as with legal and commercial endeavors, ransomware capabilities are continually being refined and standards raised through competition. As RaaS providers up their game, so are the stakes on potential targets. The threats they face will be more acute, at least until cybersecurity professionals and law enforcement up their game and improve their threat-fighting methods. Likewise, organizations that find themselves on the wrong end of an attack are not helpless.
Resisting the rise of RaaS
The risk of RaaS attacks is increasing, and the need to withstand ransomware attacks remains critical. That’s why the Center for Internet Security has shared a sensible set of critical security controls that should go a long way in preventing RaaS and other types of ransomware attacks, and mitigating damage should one occur. These include:
- Inventory of all electronic assets. You can’t protect what you don’t know you have. Make an inventory of all fixed, portable, or mobile devices that can physically or remotely connect to your technology platforms. This allows you to detect and remove or secure unauthorized or unsupervised devices. Do the same with software assets, including operating systems, programs, and apps. Verify each employee’s credentials and permissions, and restrict access to files, folders, apps, programs, and external websites from your company’s and employees’ personal devices, local and remote, to those who are appropriate for their jobs, and not on others .
- Monitoring of access points. Your infrastructure is most vulnerable to attack where it meets the outside world. Improve malware detection and defense techniques with a particular focus on these points and the means through which a security breach is most likely to occur, such as: B. Web links and emails. This, coupled with a rigorous permissions regime, could prevent a significant investment of time and money if Dave from Accounts decides to click the wrong Pornhub banner ad when he’s supposed to be processing invoices.
- Anticipate vulnerabilities and respond to threats. Vulnerabilities can be limited but never eliminated, so prepare for the worst to ensure the impact isn’t as bad as it could be. Use industry resources to keep up to date with the latest threats and ensure your operating system and other software are updated and patched when available. The most significant vulnerability is reusable passwords. Most financial services now require multi-factor authentication (e.g. text messages sent to the user’s registered mobile phone number) for login. This simple form of MFA prevents over 99% of all phishing attacks.
- Make the most of your human resources. Some weak points within an organization can walk on two legs and pull a paycheck, like Dave from accounting. However, with proper training and preparation, your employees can be an additional factor in deterring attackers. Their understanding of and response to ransomware attacks and other threats should be assessed and sharpened through the development of security awareness programs aimed at changing user behavior when presented with a fake email or web page. There should be threat scenario simulations to test these practices and the preparations of your employees—as well as managers and security officials.
- Invest in the skills and tools of your security team – There’s been a lot of talk in the press about a “cybersecurity workforce shortage,” but successful security organizations have found that there is a skills gap rather than a workforce shortage. By upskilling security analysts in critical areas like cloud security, purple teaming, and machine learning, you gain twofold benefits: the need for additional staff is reduced, and surveys show that security staff who receive regular training are less likely to move to another company for a salary increase and expensive fluctuation is reduced.
Continuous proactive protection
Protection against ransomware (as well as other forms of cyberattacks) should now be seen as fundamental to any organization’s day-to-day operations. The RaaS model only increases the likelihood of an attack, making it a viable option for a broader population of attackers. There is now no choice but to take proactive steps to protect against this real threat, continuously assessing the threat background and monitoring systems and people. When it comes to a potentially business-damaging attack, the question is no longer if, but when.
