As a security engineer who specializes in systematizing automated response to security risks, I prioritize understanding emerging threats, using tools such as threat modeling to guide the process. Over the course of my decades-long career, I have watched ransomware evolve both technologically and tactically. This post discusses Ransomware-as-a-Service (RaaS), why it merits special attention from IT and security personnel, and the key steps you can take to mitigate its impact.
Let’s get into the nuts and bolts.
What is Ransomware-as-a-Service (RaaS)?
Though ransomware has seen record growth in the last few years, it has been around for decades. Think back to 1989, when the first documented ransomware attack, the AIDS Trojan (PC Cyborg Virus), occurred. Since then, its evolution from floppy-disk attacks for trivial sums of money to worldwide sieges that hold conglomerates hostage has been staggering.
Ransomware-as-a-Service reared its ugly head in 2015, when McAfee Labs reported an initial sighting while sifting through our stream of “dark web” data. Known as Tox, it offered a free model for creating malware to attack and extort. For clarity, RaaS is not a specific technology or variant of ransomware. It is the wholesale shift in the black market for ransomware that has enabled its widespread distribution and optimization.
Optimization & Spread of Ransomware
The forceful nature of ransomware attacks is in part a result of the rise of RaaS. Other contributing factors include the creation and disintegration of centralized marketplaces for ransomware, such as Silk Road, designed for the anonymous exchange of goods. Ransomware developers now use the conveniently packaged RaaS business model to sell their software. This, coupled with the adoption of business tactics such as multilingual 24/7 support pages, subscription models, and affiliate programs (discussed in our whitepaper, The Rise of Ransomware-as-a-Service), contributes to its vicious spread.
The breakup of these marketplaces triggered a shift to decentralized, well-encrypted private chat networks, creating saturated cubby-holes in which ransomware developers, distributors, and deployers (also known as infiltrators) fine-tune their skills and specialize in particular functions within the attack cycle.
Long gone are the days when advanced malware was held back by poor distribution or a lack of infiltration skills, or when a well-designed attack campaign fell apart because of weak encryption or poorly written ransomware.
RaaS: A Growing Problem
As described above, RaaS has increased both the prevalence of ransomware and its continued expansion, courtesy of the separation and specialization of ransomware developers, distributors, and deployers. However, it is in observing how these developments evolve and combine with others that we see the cruelty behind it.
For example, the shift from encryption and disruption to the encryption and exfiltration of victims’ data, as seen in our downloadable multi-level extortion ransomware response playbook, results in a substantial upsurge in blackmail. Explicitly threatening to release the exfiltrated data unless monthly payments continue increases the likelihood of renewed attack efforts. In my colleague’s post on How Not to Pay a Ransom, you’ll see that while ongoing extortion is relatively new, renewed attacks after paying are not. In a recent Information Security Magazine webinar, The Evolution of Ransomware-as-a-Service and Malware Delivery Mechanisms, I discussed this phenomenon of ‘extortion-as-a-service’ with a panel of other experts.
Such shifts to ongoing ransom demands also parallel the shift we’ve seen in the software market toward legitimate Software-as-a-Service (SaaS). The simultaneous shift from ‘one and done’ quick deployment tactics to long-cycle attacks (months, not weeks) that spread before delivering the payload means that the operational impact and immediate business disruption can be far higher than in traditional ransomware attacks. The specialization of ransomware roles (specifically, the ‘deployers / infiltrators’ in this case) has contributed to this.
In summary, the advancement of ransomware yields new tactics that parallel legitimate business tactics, but these are now far more wide-reaching, bundled into SaaS-style offerings, and available at reasonable prices. The barrier to entry for criminals is lower than ever before.
What Can You Do About Ransomware-as-a-Service?
Let’s face it. Your siloed attempts won’t have a drastic impact on the marketplace factors that have led to the rise of RaaS. So, we’ll leave that to our friends in law enforcement! There are, however, preparedness steps you can take to protect yourself. We go into more detail on this topic in our eBook, Foundations for Incident Response Readiness. Here are the highlights:
- Harden your systems by locking down the OS configuration on every endpoint and designing your network so that the edge exposed to the internet is as small as possible.
- Back up ALL data. We can’t stress this enough! Ensure that the backups are readily available and regularly tested by actually restoring from them.
- Audit and correctly configure your preventive security technology, including antivirus and firewalls.
- Practice good security hygiene by installing antivirus on your systems and keeping them maintained with regular updates. Do not ignore the update prompts!
- Have an incident response plan in place so that you can mitigate the risk of business impact if ransomware gets past your defenses. Don’t just plan; prepare and practice, too.
- Conduct fire drills that simulate ransomware attacks and practice using the plan. It is helpful to run these when key IT and security personnel are unavailable. See our blog discussion of IR fire drills here, or a quick video on IR practice here.
- Implement a Software Restriction Policy (SRP) to limit ransomware’s ability to execute on your systems. See more on this here.
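The backup step above only pays off if the backup is verifiable and restorable when the live data has already been encrypted. The following script is an added example, not code from the original post or from its author: it records a SHA-256 manifest of a file set at backup time, verifies the backup copy against that manifest, and performs a restore drill into a scratch directory. The sample file tree and the tampering step (which overwrites one backup file and changes its extension, standing in for a ransomware-damaged backup) are constructed here for illustration; the directory layout and function names are assumptions of this example.

```python
"""Backup integrity check and restore drill (added example, constructed sample data)."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backup files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative, POSIX-style path) to its SHA-256 hash."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_against_manifest(root: Path, manifest: dict) -> dict:
    """Compare a directory tree with the manifest taken at backup time.

    A healthy backup has no missing, changed, or unexpected files. Encrypted or
    renamed files show up as 'changed' or as a 'missing'/'unexpected' pair.
    """
    current = build_manifest(root)
    missing = sorted(k for k in manifest if k not in current)
    changed = sorted(k for k in manifest if k in current and current[k] != manifest[k])
    unexpected = sorted(k for k in current if k not in manifest)
    return {
        "missing": missing,
        "changed": changed,
        "unexpected": unexpected,
        "ok": not (missing or changed or unexpected),
    }


def restore_drill(backup_root: Path, manifest: dict) -> dict:
    """Restore the backup into a scratch directory and verify the restored copy.

    This is the 'regularly tested' part: a backup that cannot be restored and
    re-verified is not a backup.
    """
    with tempfile.TemporaryDirectory() as scratch:
        target = Path(scratch) / "restored"
        shutil.copytree(backup_root, target)
        return verify_against_manifest(target, manifest)


def make_sample_environment():
    """Constructed sample data: a tiny 'live' tree, its manifest, and a backup copy."""
    base = Path(tempfile.mkdtemp(prefix="backup-drill-"))
    live = base / "live"
    (live / "finance").mkdir(parents=True)
    (live / "finance" / "ledger.csv").write_text("date,amount\n2024-01-01,100\n")
    (live / "readme.txt").write_text("constructed sample data\n")
    manifest = build_manifest(live)
    (base / "manifest.json").write_text(json.dumps(manifest, indent=2))
    shutil.copytree(live, base / "backup")
    return base, manifest


def simulate_tampering(path: Path) -> None:
    """Stand-in for a backup file that was overwritten and renamed (constructed for the drill)."""
    data = path.read_bytes()
    path.write_bytes(bytes(b ^ 0x5A for b in data))
    path.rename(path.with_suffix(path.suffix + ".locked"))


def cleanup(base: Path) -> None:
    """Remove the scratch environment created by make_sample_environment."""
    shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    base, manifest = make_sample_environment()
    print("healthy backup:", verify_against_manifest(base / "backup", manifest))
    print("restore drill:", restore_drill(base / "backup", manifest))
    simulate_tampering(base / "backup" / "finance" / "ledger.csv")
    print("after tampering:", verify_against_manifest(base / "backup", manifest))
    cleanup(base)
```

In practice the manifest should be stored separately from the backup it describes (an offline or immutable location), so that an attacker who reaches the backup share cannot rewrite both the files and the hashes that vouch for them.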
Does AI-Enabled Managed Detection and Response help? Yes! Here is how.
Detection and response capabilities are essential for dealing with a multitude of security threats. Because ransomware executes at lightning speed, far faster than human eyes can detect and respond, response efforts that depend on a human in the loop do not combat this threat effectively.
Managed Detection and Response (MDR) can replace or augment in-house capabilities. Choosing an AI-powered MDR solution with built-in automated response cuts down the false positives that trigger unnecessary operational impact and provides the machine-speed response required to stop ransomware payloads fueled by RaaS tactics.
Our whitepaper, The Rise of RaaS, offers a comprehensive look at the tactics criminals have appropriated from legitimate businesses to further their activities through RaaS. In it, we discuss the factors that led to this, specific examples of RaaS in action, the implications for mid-sized enterprises, and specific risk-mitigating steps to take.
The explosion of RaaS demands our diligent attention and continued adherence to IR best practices. Get the practical templates you need to document your IR plans, communicate buy-in and approval, and equip your business with the security coverage it needs to withstand RaaS cyber-attacks. Download our free eBook, Foundations for Incident Response Readiness, today!