A recent Microsoft report lays out how the proliferation of ransomware as a service (RaaS) is fast becoming a dominant business model, enabling almost anyone, regardless of their technical expertise, to deploy ransomware. Excerpts:
RaaS (Ransomware as a Service) lowers the barrier to entry and obfuscates the identity of the attackers behind the ransoming. Some programs have 50+ “affiliates,” as they refer to the users of their service, with varying tools, tradecraft, and objectives. RaaS kits are easy to find on the dark web and are advertised in the same way goods are advertised across the internet.
A RaaS kit may include customer service support, bundled offers, user reviews, forums and other features. Cybercriminals can pay a set price for a RaaS kit while other groups selling RaaS under the affiliate model take a percentage of the profits.
...attacks follow a template of initial access via malware infection or exploitation of a vulnerability then credential theft to elevate privileges and move laterally. Industrialization allows prolific and impactful ransomware attacks to be performed by attackers without sophistication or advanced skills.
The proliferation of RaaS is a product of the large number of organizations that still employ insecure and outdated user authentication methods. Compromised user credentials are still the number one method for hackers to gain access and the easiest vulnerability for organizations to remediate.
The most concerning aspect of the RaaS marketplace setup is that it greatly reduces the barrier to entry for new groups to spin up, or break off of, smaller operations. It’s easier than ever for novice players to set up an operation and become profitable quickly from their living room.
The ransomware gig economy also makes it challenging for accurate attribution, but even without attribution, detection and prevention guidelines remain fairly consistent because many of the behaviors and signatures do not change drastically across affiliates.
Continue to build awareness of the social engineering and phishing campaigns often used for initial access (especially those that may target your specific industry), always enforce MFA, and reduce the scope of admin privileges in your environment.
Regardless of the Tactics, Techniques, and Procedures (TTP) these splinter groups use, an effective defense remains the same. Defenders must gain and maintain visibility across endpoints, prioritize up-to-date malware definitions in security tooling and reduce mean time to patch. That’s the only way to ensure that their systems are patched and secured against attack.