As a security engineer who has been focused on systematizing automated response to security threats for decades, I make a point of understanding the threats I’m faced with. I’ve seen ransomware evolve technologically and tactically across my career. Today, I discuss one such evolution, why this particular one warrants our attention (both as security researchers and as IT folks just trying to stay ahead of such threats), and steps we can take to mitigate its impact. The threat, of course, is Ransomware-as-a-Service (RaaS).
What is RaaS?
Ransomware itself has been around for decades (if that sounds excessive to you, think back to the AIDS Trojan distributed on floppy disks - that was in 1989!). RaaS itself isn’t new either; we’ve seen instances of ransomware delivered via this lucrative model since 2015 with Tox. Ransomware-as-a-Service doesn’t refer to a specific technology or variant of ransomware, but to the shifts in the black market for ransomware that have enabled its widespread distribution and optimization.
Optimization & Spread
Ransomware itself has become more robust in part due to the rise of RaaS. Contributing factors to RaaS include the creation and the breakup of centralized marketplaces for ransomware, like the Silk Road. Their creation gave ransomware developers a place to sell their software to threat actors who lacked development skills but had infiltration skills in spades. This, coupled with the adoption of business tactics (multilingual 24/7 support pages, subscription models, affiliate programs, and more) discussed in our whitepaper The Rise of Ransomware-as-a-Service, contributes to the spread.
The breakup of such marketplaces forced a shift to decentralized and well-encrypted private chat networks, under which ransomware developers, distributors, and deployers (infiltrators) were now able to specialize in their particular function within the ransomware attack cycle. Gone were the days of well-developed software’s efficacy being inhibited by poor distribution or a lack of infiltration skills. Or, conversely, of well-designed attack campaigns falling apart due to poor encryption or other ransomware tech.
A Growing Problem
As described above, RaaS has increased both the prevalence of ransomware (there’s more of it) and its ongoing improvement (due to the separation and specialization by ransomware developers, distributors, and deployers). But it’s when you look at the evolution and synthesis of these factors with others that you start to see the real nastiness behind it.
For example, when coupled with the shift from encryption and disruption to encryption and exfiltration of victims’ data seen in double extortion ransomware, the probability of extortion rises considerably. Specifically, threatening to release the exfiltrated data unless ongoing monthly payments are made increases the likelihood of renewed attack efforts (in my colleague’s post on How Not to Pay a Ransom, you’ll see that while ongoing extortion is relatively new, renewed attacks after paying are not). I discuss this ‘extortion-as-a-service’ as part of a panel of experts in a recent Information Security Magazine webinar, Evolution of Ransomware-as-a-Service and Malware Delivery Mechanisms.
Such shifts to ongoing ransom demands also parallel the shift we’ve seen in the software market toward legitimate Software-as-a-Service (SaaS). The simultaneous shift from ‘one and done’ quick deployment tactics to long-cycle (months, not weeks) spread-before-payload campaigns means that the operational impact and immediate business disruption can be far higher than in traditional ransomware attacks. The aforementioned specialization of ransomware roles (specifically, the ‘deployers / infiltrators’ in this case) has contributed to this.
In summary, ransomware’s evolution yields new tactics that can parallel legitimate business tactics - but now they are far more wide-reaching as they get bundled into aaS offerings, available for very low prices. The barrier to entry for criminals is lower than ever before.
What can you do about it?
Really, you’re not going to have an impact on the marketplace factors that have led to the rise of RaaS. Leave that to our friends in law enforcement! But, what you can do is prepare in the same ways you would for ransomware generally, and, as always - test them! Here are a few far-reaching ways you can protect yourself. We discuss each in more detail in our whitepaper on this topic.
- Harden your systems through secure configuration of the operating systems on your endpoints, and of your network technologies, to limit the edge exposed to the internet.
- Backup all data and ensure that those backups are readily available, and regularly tested.
- Audit and correctly configure your security prevention technology, like antivirus and firewall.
- Practice good hygiene by ensuring you have antivirus installed on your systems, and that they’re up to date.
- Have an incident response plan in place such that you can mitigate the risk of business impact when ransomware does get past your defenses.
- Conduct fire drills to simulate ransomware attacks, and practice putting that plan into action. Be sure to conduct one when key IT and security personnel aren’t available.
- Implement your Software Restriction Policy (SRP) to limit ransomware’s ability to execute on your systems. See my colleague’s post on SRP here.
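Because an SRP that is configured but not enforcing gives no protection, it is worth verifying what actually landed on the endpoint. The following PowerShell script is an added example (not from this post or its linked SRP article) that reads the local SRP policy state from its documented registry location and flags the weak settings a ransomware drop would exploit; the "expected" choices it warns about (Disallowed default, enforcement for administrators) are this example's assumptions about a hardened baseline.

```powershell
# Added example: read-only audit of the local Software Restriction Policy (SRP).
# Run in an elevated session on the endpoint being checked. Registry path and
# level values are the documented SRP ones; the warnings reflect an assumed
# hardened baseline (default Disallowed, policy applied to administrators too).

$base   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$levels = @{ 0 = 'Disallowed'; 0x20000 = 'Basic User'; 0x40000 = 'Unrestricted' }

function Get-SrpState {
    if (-not (Test-Path $base)) { return [pscustomobject]@{ Configured = $false } }
    $p = Get-ItemProperty -Path $base
    # DefaultLevel missing means SRP falls back to Unrestricted.
    $default = if ($null -ne $p.DefaultLevel) { $levels[[int]$p.DefaultLevel] } else { 'Not set (Unrestricted)' }
    $scope = switch ([int]$p.TransparentEnabled) {
        0 { 'Off' } 1 { 'Executables only' } 2 { 'Executables and DLLs' } default { 'Unknown' }
    }
    [pscustomobject]@{
        Configured      = $true
        DefaultLevel    = $default
        Enforcement     = $scope
        AppliesToAdmins = ([int]$p.PolicyScope -eq 0)   # 1 = local admins exempt
        ExecutableTypes = $p.ExecutableTypes
    }
}

function Get-SrpPathRules {
    # Each level subkey (0, 131072, 262144) holds Paths\<GUID>; ItemData is the path.
    foreach ($lvl in $levels.Keys) {
        $rules = Join-Path $base "$lvl\Paths"
        if (-not (Test-Path $rules)) { continue }
        Get-ChildItem $rules | ForEach-Object {
            $r = Get-ItemProperty $_.PSPath
            [pscustomobject]@{ Level = $levels[$lvl]; Path = $r.ItemData; Description = $r.Description }
        }
    }
}

$state = Get-SrpState
$state | Format-List
if (-not $state.Configured) {
    Write-Warning 'No SRP configured under HKLM policy: nothing limits what executes.'
} else {
    if ($state.DefaultLevel -ne 'Disallowed') {
        Write-Warning "Default level is '$($state.DefaultLevel)': a payload dropped into a user-writable path runs unless a rule blocks it."
    }
    if ($state.Enforcement -eq 'Off') { Write-Warning 'TransparentEnabled is 0: SRP is defined but not enforced.' }
    if (-not $state.AppliesToAdmins) { Write-Warning 'PolicyScope exempts local administrators.' }
    Get-SrpPathRules | Format-Table -AutoSize
}
```

Review the listed path rules against the Disallowed default: an Unrestricted rule covering a user-writable directory (profile, temp, removable media) undoes the policy for exactly the locations ransomware droppers use.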
How AI-Enabled Managed Detection and Response helps
Having detection and response capabilities is essential for dealing with a multitude of security threats. With ransomware executing far quicker than human eyes can detect, let alone respond to before it is too late, human-dependent response efforts may not be sufficient to combat this threat effectively. Managed Detection and Response (MDR) can help you achieve such capabilities, or augment them where you’ve already developed some in-house. By choosing an MDR solution that is powered by AI, with automated response capabilities that are battle-tested to avoid false positives that yield unnecessary operational impact, you enable the machine-speed response that is requisite for stopping ransomware payloads fueled by RaaS tactics.
For a detailed look at the tactics hackers are taking from legitimate businesses, to further their criminal interests with RaaS, check out our whitepaper: The Rise of RaaS. In it, my colleagues and I discuss the factors that led to this, specific examples of RaaS in action, the implications for mid-sized enterprises defending against them, and specific steps you can take to mitigate these risks.