Today’s subscription economy makes accessing nearly any service as easy as hitting enter. The same model has now entered the dark web. The same Netflix-style instant-access menu is now part and parcel of the online criminal’s lifestyle. Ransomware-as-a-Service (RaaS) is opening up the hacking talent pool, giving amateurs access to sophisticated ransomware toolkits – a plug-and-play option that has seen hackers run rampant.
Attacks that were once ad hoc acts, committed by hackers using simple phishing to gain entry, have become complex and targeted, using the latest purchasable ‘toolkits.’ RaaS models now present sophisticated options for amateurish hackers, allowing any dark actor to get a slice of the highly profitable ransomware pie by simply subscribing to a ransomware toolkit.
A growing proportion of ransomware attacks are being carried out using the RaaS model. While it is impossible to determine the number of such attacks or how costly they are, it is clear that the toolkit creators and their customers are cashing in. So, what can organisations do to ensure they aren’t victims of these cookie-cutter attacks?
Sophisticated criminal service providers
RaaS providers sell their services using sophisticated business models and marketing strategies to appeal to hackers wanting maximum return for minimal effort. These providers operate in the grey zone between legal and illegal, marketing themselves on the dark web; they appeal to criminal clients interested in purchasing a single attack or even maintaining a retainer-style relationship for ongoing attacks. The client can pay a monthly fee for advice and assistance, usually in cryptocurrency. Like the best subscription providers, this can even include around-the-clock support that covers technical aspects of an attack and matters such as negotiations with a victim. The client may also share a portion of any payment extracted from a victim with the RaaS provider.
The RaaS model makes attribution of attack difficult but not impossible. In some cases, there are elements, such as snippets of malicious code, that can help authorities trace an attack back to a perpetrator known to be running a RaaS operation, and attackers, when caught, may give up relevant details. From the victims’ perspective, ransomware crimes appear the same, whatever the underlying organisational structure behind them might be.
However, the RaaS model enables minimally skilled attackers to launch more sophisticated attacks – much like modern audio processing tools like Autotune can make tone-deaf singers sound like stars.
RaaS providers sell expertise and prefer keeping the client at arm’s length to avoid detection and prosecution. Indeed, it can be harder to prosecute RaaS than conventional ransomware attacks because there are more moving parts, and they may move in several jurisdictions governed by competing laws and authorities. The advent of RaaS, and of ransomware generally, has increased the impetus to harmonise laws and foster law enforcement cooperation in this area.
Cloud gives and takes
RaaS providers are taking advantage of IaaS (Infrastructure-as-a-Service) and the economics of cloud-based computing and storage the same way legitimate businesses do. The participation of most IaaS companies is usually unintentional. The desire to maintain their clients’ data security and their own reputations makes legitimate IaaS providers a formidable ally in the war against ransomware and RaaS providers.
Just as in legal and commercial undertakings, ransomware skills are continually honed, and standards are elevated through competition. As RaaS providers raise their game, the stakes for potential targets are also raised. The threats they face will be more acute, at least until cybersecurity professionals and law enforcement raise their game and improve their methods for combating threats. Even so, organisations that find themselves on the wrong end of an attack are not helpless.
Resisting the rise of RaaS
The risk of RaaS attacks is increasing, and the need to resist any ransomware attack remains critical. As such, the Center for Internet Security has shared a series of common-sense Critical Security Controls that should go a long way to fending off RaaS and other types of ransomware attacks and to mitigating damage should one occur. These include:
- Taking inventory of all electronic assets. You can’t protect what you don’t know you have. Take stock of all fixed, portable, or mobile devices that can connect to your technology platforms physically or remotely. This will allow you to spot any unauthorised or unmonitored devices and remove them or make them secure. Do the same with software assets, including operating systems, programs, and apps. Review credentials and permissions for each employee, and limit access, via your organisation’s and your employees’ personal devices, on-premises and remote, to files, folders, apps, programs, and external websites to those that are appropriate for their duties and no others.
- Monitoring access points. Your infrastructure is most at risk of a breach at the points where it meets the outside world. Enhance malware detection and defence techniques, focusing particularly on these points and the means through which a breach is most likely to occur, such as web links and emails. This, plus a rigorous permissions regime, could prevent a considerable expenditure of time and money if Dave from accounting decides to click on the wrong Pornhub banner ad when he is supposed to be processing invoices.
- Anticipating vulnerabilities and responding to threats. Vulnerabilities can be limited but never eliminated, so you should prepare for the worst to ensure the impact is not as bad as it might be. Use industry resources to stay aware of the latest threats and ensure that your operating system and other software are updated, and patches applied when available. The most significant vulnerability is reusable passwords. Most financial services now require multi-factor authentication (MFA), such as text messages sent to the user’s registered mobile phone number, for login. Using this simple form of MFA stymies over 99% of all phishing attacks.
- Making the most of your human assets. Some vulnerabilities within an organisation may walk on two legs and draw a paycheck, like Dave from accounting. If properly trained and prepared, however, your employees can be an additional factor to aid in thwarting attackers. Their understanding of and reaction to ransomware attacks and other threats should be evaluated and sharpened through the development of security awareness programs that work to change user behaviour when presented with a bogus email or web page. There should be simulations of threat scenarios to put these procedures and your employees’ preparations – and those of senior management and security officials – to the test.
- Investing in your security team’s skills and tools. There is a lot of press hype about a “cybersecurity staffing shortfall,” but successful security organisations have found that there is more of a skills gap than a headcount shortfall. By upskilling security analysts in critical areas such as cloud security, purple teaming, and machine learning, you get a double benefit: the need for additional staff is reduced, and surveys show that security staff who get regular training are less likely to jump to another company for a salary increase, so expensive attrition is reduced.
Continual proactive protection
Protection against ransomware (as well as other forms of cyberattack) should now be considered fundamental to any organisation’s day-to-day business. The RaaS model only increases the likelihood of an attack, making it a feasible option for a broader population of bad actors. There is now no choice but to take proactive steps to protect against this genuine threat, continually evaluating the threat backdrop and monitoring systems and people. When it comes to a potentially business-breaking attack, it’s increasingly not a question of if but when.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.