Ransomware-as-a-Service (RaaS) is a relatively new acronym in IT terminology. Derived from the more common SaaS, PaaS or IaaS, RaaS describes a service that is available not only to ordinary users, but also to cybercriminals. Regardless of the business or industry, organizations should focus on protecting themselves from these types of attacks with a few simple measures and strict adherence to best practices. Safeguarding your system against a Ransomware-as-a-Service attack could be the difference between functioning normally and going bankrupt.
What is Ransomware-as-a-Service and how does it work
CrowdStrike defines Ransomware as a Service (RaaS) as a business model between ransomware operators and affiliates in which affiliates pay to launch ransomware attacks developed by operators. RaaS kits allow affiliates who lack the skill or time to develop their own ransomware variant to be up and running quickly and affordably. They are easy to find on the dark web, where they are advertised in the same way that goods are advertised on the legitimate web. A RaaS kit may include 24/7 support, bundled offers, user reviews, forums and other features identical to those offered by legitimate SaaS providers.
Ransomware-as-a-Service has essentially lowered the bar for cybercriminals by making it easy for ordinary criminals to successfully carry out massive attacks. In recent years, ransomware has been used to encrypt data and interrupt business continuity in nearly every industry. While Colonial Pipeline, Kaseya, JBS, and the Ukraine cyberattacks stand out as examples of recent ransomware incidents, the threat is prevalent everywhere.
The expansion of cloud infrastructures
A key reason for the success of ransomware attacks is the increasing expansion of cloud infrastructures. On the one hand, attackers use cloud services themselves. On the other hand, they benefit from the larger attack surfaces offered by enterprises, especially in pandemic and post-pandemic times, in which the remote-work model has become the norm. Another reason is missing updates or misconfigurations in corporate IT networks. No wonder then that the RaaS industry, which provides cloud services for cybercriminals, has flourished in recent years.
The business model is clear. Customers, i.e. potential attackers, no longer need technical skills, but they benefit from discounted promotions and professional services. In addition to this, RaaS developers are safe, because they only provide the infrastructure and are therefore not responsible for the attacks.
Popular attack models and how to defend
There are currently four common RaaS models: the subscription-based model, where payments are made on a monthly basis; the partnership scheme model, which includes fraudulently obtained profit-sharing schemes; the licensing-based model; and the pure profit-sharing model.
Criminal customers receive enterprise-level services for the money they have invested. A typical product includes not only ransomware code and encryption or decryption keys, but also appropriate phishing emails for launching attacks, the relevant documentation, and ongoing support. The paid service further includes billing, monitoring, updates, status reports, calculations, and revenue-expense balance forecasts.
Fortunately, there are some important defenses organizations can deploy to battle this phenomenon:
- Ensure MFA and RBA implementation
- Keep all operating software fully patched and up to date
- Train users to identify and prevent cyberattacks—especially phishing attacks
- Limit the number of users with administrative access
- Protect cloud data by ensuring the use of MFA
- Encrypt data stored in the cloud
- Back up data and systems regularly
- Practice excellent password hygiene
Ransomware attacks are only going to grow in 2022
The success of ransomware attacks in 2021 has only emboldened cyberthreat actors around the globe to continue these practices. Consequently, ransomware attacks will increase in 2022. This conclusion is derived from a recent international partner advisory jointly issued by the Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the NSA.
The advisory, titled "2021 Trends Show Increased Globalized Threat of Ransomware", outlines the following top trends observed in three countries:
- Cybercriminals are increasingly gaining access to networks via phishing, stolen Remote Desktop Protocol (RDP) credentials or brute force, and by exploiting software vulnerabilities.
- The market for ransomware has become increasingly sophisticated, and there has been an increase in cybercriminal services-for-hire.
- More and more ransomware groups are sharing victim information, including access to victims’ networks.
- Cybercriminals are diversifying their approaches to extorting money.
- Ransomware groups’ impact is intensifying as they target the cloud, managed service providers, industrial processes and the software supply chain.
- Ransomware groups are increasingly targeting organizations on holidays and weekends.
Conclusion
Ransomware remains one of the most disruptive cyberthreats to organizations. Against such sophisticated methods, businesses can protect themselves with a few simple measures and strict adherence to best practices. These include backups in separate locations, separation from day-to-day operations, multifactor authentication to prevent attackers from obtaining passwords, strong password hygiene, and last but not least, automating IT security because of the speed at which attacks are carried out. For more information about how to respond to a ransomware attack, explore further imperative dos and don’ts here.