Ransomware as a Service: Another Popular Method of Cyber Attack

Let’s set the scene: a team of hackers specializing in ways to covertly access systems find a way into your network and remain undetected. During this time, they perform reconnaissance, escalate their privileges, and set the groundwork for phase two of the attack. With preparations complete, an entirely different group of ransomware specialists can take over and put their nefarious infrastructure of malicious software, anonymous payment methods, and, surprisingly, even a customer service platform to work to complete the job and encrypt all your files and wait for a payday. For most people, this scenario sounds like something only a nation-state actor or an organized hacking group could pull off, but unfortunately, the business model software as a service (SaaS) (which gave us Microsoft 365 and Gmail) has now allowed anyone with malicious intent to become an IT security professional’s worst nightmare with the rise of ransomware as a service or RaaS.

How Easy Is if for RaaS to Gain Access?

I want you to think about your group of friends or even your friends’ friends: How many of those people can code? How many people can code a program that can evade antivirus, encrypt files, and provide secure, anonymous payment over the dark web, let alone everything else that goes along with holding a company for ransom? I am guessing the number is most likely zero. With RaaS, getting access to this software and infrastructre is much easier than ever. According to Cybereason, a cybersecurity company, it all starts with a ransomware broker who will lease out their software for a flat fee, monthly subscription, or, more typically, for a commission on any profits made using their software.[1] All the buyer needs to do now is get the software on the target network, run the exploit, and the rest takes care of itself. You do not need to know how to access a network anymore; you can buy that access too. The days are gone where security professionals worried most of the highly skilled and motivated attackers; now, anyone with a connection to the dark web and some Bitcoin can cause just as much havoc.

Keys to Stopping Ransomware

Typically, ransomware attacks are attacks of opportunity, so if your defenses are strong, an attacker will move on to their next target, hoping to find an easier payday. What can be done to prevent these attacks from being successful and bringing a company to a screeching halt?  First and foremost, enable multi-factor authentication (MFA). According to Microsoft, “MFA can reduce the risk of identity compromise by as much as 99.9 percent over passwords alone.”^[2]   Second, train end users to spot suspicious links or emails and on what to do when they come across them because sophisticated, expensive antivirus (AV) software will not help if the user is allowing the malware into the network. Third, keep all devices in the organization are up to date with patching. Finding a zero-day exploit is not only challenging but also extremely expensive, which is why many ransomware attacks are carried out using known vulnerabilities that a security patch has already addressed. Fourth, keep any AV and endpoint detection (EDR) up to date with the latest ransomware signatures. Much like with vulnerabilities, ransomware software can reuse code from previously known attacks.  Ensuring your AV and EDR are aware of these signatures is a great way to stop attacks with previously known ransomware.

The fifth and most critical aspect is backups! This should go without saying but having a standardized and well-practiced backup schedule can save an organization time to get back up and running and a large amount of money. Ransonware.org, a multivendor group whose main goal is to bring awareness to the issue of ransomware, states to implement a solid backup plan, the following should be considered: Document everything regarding the backup procedure.^[3] An organization can have many different types of data sets that are being backed up, with each data set requiring a different procedure. As the complexity of the organization grows it is not if but when something will be missed or forgotten; but with a robust documentation process this is much less likely to happen. The next step is to continually test your backups; having a backup of your data is great, but if it is not recoverable, it will not help you when the time comes. The last and most important is to keep a copy of your backups off-site. A common tactic used by ransomware is to infect and destroy any backup servers hosted in your office, so if an organization wants its data back, its only option would be to pay the ransom demanded. Having a copy of your data offsite, completely removed from your local environment, removes this threat completely and dramatically adds to an organization’s resiliency when responding to an attack.

Now that ransomware can be bought much like a cable TV package, it would appear the bad guys have the upper hand on cybersecurity professionals. Still, if the above recommendations are followed, your chances of being compromised will be lowered, and your ability to recover from a successful attack will be significantly increased.

[1] https://www.cybereason.com/blog/how-do-initial-access-brokers-enable-ransomware-attacks

[2] https://www.microsoft.com/en-us/security/blog/2020/03/05/it-executives-prioritize-multi-factor-authentication-2020

[3] https://ransomware.org/how-to-prevent-ransomware/passive-defense/ransomware-backup-strategy/