The Attacker’s Toolkit: Ransomware-as-a-service | VentureBeat



Security threats evolve as fast as the technologies used to stop them. New and modified attack strategies are constantly being developed.

To make matters worse, the attack surface within corporate networks is expanding. The work-from-home push has increased vulnerable entry points by introducing a slew of new devices. The shift to cloud-based services and infrastructure has further resulted in a larger landscape that is more difficult to defend.

In recent years, threat actors have begun collaborating with each other in a ransomware-as-a-service (RaaS) model to infiltrate organizations. The RaaS model allows developers of a ransomware variant to recruit affiliates who exclusively use their ransomware in targeted attacks against organizations. Any ransom payments extorted from victims are then split between the ransomware developers and the affiliate who carried out the attack.

RaaS usage continues to skyrocket. In fact, one report estimates that 64% of all ransomware attacks were conducted via the RaaS model in 2020.

An industry in its own right

RaaS comes in many forms. There are many pricing strategies used by ransomware vendors and a variety of nefarious tools available for purchase. Many come with instructions on how to carry out attacks, best practices, ransom strategies, and even an IT helpdesk. Basically, RaaS can provide the kind of documentation and architecture you expect from a popular enterprise SaaS offering, far from the stereotypical rogue actor wearing a hoodie depicted in pop culture.

As in the SaaS industry, RaaS pricing strategies differ from vendor to vendor. Some offer their attack services as a one-time purchase, some offer them on subscription plans, and others combine subscriptions with a reduced ransom fee paid to the developer after a successful attack. Others are very selective in choosing clients, accepting only “reputable” attackers with a proven track record.

The essential technology enabling these varied strategies to succeed is cryptocurrency. Currently, bitcoin is the most popular crypto choice for RaaS payments and ransomware. It’s hard to trace and easy to launder into clean money, so it’s an obvious choice for threat actors who want a quick way to profit from RaaS.

Why has RaaS succeeded?

Simply put, RaaS has gained traction because ransomware, in general, is a powerful tool in a hacker’s arsenal. Whenever data is stolen or locked, affected organizations often don’t know what to do. They often think paying the ransom is the only option, even though the FBI and other agencies strongly discourage organizations from doing so.

Not only is ransomware an effective attack strategy, but RaaS services are also relatively easy to access, use, and adapt. Attackers often start with an existing ransomware platform and update it to include new features that can make the platform more destructive than before. Some ransomware developers will go so far as to combine code from multiple ransomware strains.

Given the effectiveness of ransomware, attackers often strike repeatedly. A notorious ransomware variant, REvil, was widespread from 2019 to 2021. Cybercriminals behind REvil managed to infiltrate and extort millions of dollars from companies for almost three years. Then they lost control of their servers and law enforcement made arrests. This seems to have wiped out this variant, but a new one, called Yanluowang, is rapidly gaining momentum and is available under the same RaaS model.

Other infamous RaaS operations include Ryuk, which has been around since 2018 and is responsible for some of the biggest ransomware attacks of the past two years. DoppelPaymer, another service, targets healthcare, emergency services and education organizations. Egregor is another ransomware service derived from Sekhmet and Maze, two notorious old programs. Egregor is probably best known for its use in attacks against Barnes & Noble, Crytek, and Ubisoft.

All of these factors make the prospect of defending against these attacks seem hopeless. Fortunately, this is not the case, especially considering the importance of preparation and training in preventing a successful ransomware attack.

SaaS vs. RaaS: Defending Against the Attackers’ Toolkit

The most important factor in defending against cyber threats is a proactive approach. Your defensive posture won’t improve on its own; taking steps to prepare for future attacks is the best way to reduce your risk. Perform internal security audits (or hire an outside firm to perform them), educate yourself and your staff (especially non-security professionals) on how to identify phishing scams and other warning signs, and find ways to increase data security, for example, through more frequent backups. Keep backups offsite so they are not compromised along with your actively used data. This is called an air-gapped solution. Remember that RaaS often exploits known vulnerabilities, which means it’s important to stay vigilant by patching your systems to strengthen your defenses. A starting point is to reference CISA’s catalog of known exploited vulnerabilities, focus on the most important vulnerabilities, and remain vigilant when patching your systems.
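One way to turn the CISA-catalog advice above into a patch queue, as an added example that is not part of the original article: it cross-references scanner findings against a catalog extract and puts ransomware-linked and overdue entries first. The field names follow CISA's published KEV JSON feed; the catalog entries, CVE IDs, hostnames and the `prioritize` helper are constructed placeholders.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed (placeholder CVE IDs).
KEV_SAMPLE = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-0000-0001", "product": "Example VPN",
   "dueDate": "2022-05-03", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-0000-0002", "product": "Example Mail Server",
   "dueDate": "2022-04-15", "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-0000-0003", "product": "Example CMS",
   "dueDate": "2022-06-01", "knownRansomwareCampaignUse": "Known"}
]}
""")

# Constructed vulnerability-scanner output: hostname -> CVEs found on that host.
FINDINGS = {
    "vpn-gw-01": ["CVE-0000-0001", "CVE-0000-0009"],
    "mail-01": ["CVE-0000-0002"],
    "intranet-01": ["CVE-0000-0009"],
}

def prioritize(findings, kev, today):
    """Return KEV-listed findings, most urgent first."""
    index = {v["cveID"]: v for v in kev["vulnerabilities"]}
    queue = []
    for host, cves in findings.items():
        for cve in cves:
            entry = index.get(cve)
            if entry is None:
                continue  # not in the catalog: leave to the normal patch cycle
            due = date.fromisoformat(entry["dueDate"])
            queue.append({
                "host": host, "cve": cve, "product": entry["product"],
                "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
                "overdue": due < today, "due": due,
            })
    # Ransomware-linked entries first, then overdue ones, then earliest due date.
    queue.sort(key=lambda r: (not r["ransomware"], not r["overdue"], r["due"], r["host"]))
    return queue

if __name__ == "__main__":
    for row in prioritize(FINDINGS, KEV_SAMPLE, date(2022, 4, 20)):
        flags = [name for name in ("ransomware", "overdue") if row[name]]
        print(row["host"], row["cve"], row["product"], row["due"], ",".join(flags) or "-")
```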

To thwart attacks such as RaaS, security technology alone is not enough; cultivating a culture of security throughout your organization is essential. Take an approach to security operations that blends technology with the human element of your organization, starting with cyber hygiene education and understanding that your security posture is an evolving process. As threats evolve, leverage threat intelligence to pivot defense strategies and the security information and training resources you provide to your employees. Rather than viewing employees as a “weak link” in your organization, empower them to keep security top of mind, especially as social engineering attacks become more personalized and target employees of all levels and all services.

Organizations of all sizes need to pay attention to their security posture and take proactive steps to strengthen defenses and create a culture of security that thwarts attackers. By prioritizing security culture as part of the security posture, leaders can foster a more resilient and secure future for their organizations.

Mark Manglimot is Vice President of Security Services at Arctic Wolf.
