As a security engineer specialized in systematizing automated response to security risks, I prioritize understanding emergent threats using tools like Threat Modeling to guide the process. Through the course of my decades-long career, I have witnessed the technological and tactical evolution of ransomware. This post will discuss Ransomware-as-a-Service (RaaS), why it merits special attention from IT and security personnel, and key steps to execute to mitigate its impact.
Let’s get into the nuts and bolts.
Though ransomware has seen record growth in the last few years, it has been around for decades. Think back to 1989, when the first documented ransomware attack, the AIDS Trojan (PC Cyborg Virus), occurred. Since then, its evolution from floppy-disk attacks for trivial sums of money to worldwide sieges taking conglomerates hostage is staggering.
Ransomware-as-a-Service reared its ugly head in 2015, with McAfee Labs reporting an initial sighting while sifting through our stream of “dark web” data. Known as Tox, it offered a free model for creating malware to attack and extort. For clarity, RaaS isn’t a specific technology or variant of ransomware. Rather, the term describes the shifts in the black market for ransomware that have enabled its widespread distribution and optimization.
The forceful nature of ransomware attacks is in part due to the rise of RaaS. Other contributing factors include the creation and disintegration of centralized marketplaces for ransomware, like Silk Road, designed for the anonymous exchange of goods. Ransomware developers now use the conveniently packaged business model of RaaS to sell their software. This, coupled with the adoption of business tactics such as multilingual 24/7 support pages, subscription models, and affiliate programs, discussed in our whitepaper, The Rise of Ransomware-as-a-Service, contributes to its vicious spread.
The breakup of these marketplaces triggered a shift to decentralized and well-encrypted private chat networks, creating saturated cubby-holes where ransomware developers, distributors, and deployers (a.k.a. infiltrators) fine-tune their skills and specialize their functions within the attack cycle.
Long gone are the days when advanced ransomware was held back by poor distribution or a lack of infiltration skills, and when well-designed attack campaigns fell apart because of poor encryption and ransomware tech.
As described above, RaaS has increased both the prevalence of ransomware and its continued expansion, courtesy of the separation and mutation of roles among ransomware developers, distributors, and deployers. However, it is in observing the evolution and synthesis of these facts with others that we see the cruelty behind it.
For example, the shift from encryption and disruption to the encryption and exfiltration of victims’ data, as seen in our downloadable multi-level extortion ransomware response playbook, results in a substantial upsurge of blackmail. Expressly threatening to release the exfiltrated data without ongoing monthly payments increases the likelihood of renewed attack efforts. In my colleague’s post on How Not to Pay a Ransom, you’ll see that while ongoing extortion is relatively new, renewed attacks after paying are not. In a recent Information Security Magazine webinar, the Evolution of Ransomware-as-a-Service and Malware Delivery Mechanisms, I discussed this phenomenon of ‘extortion-as-a-service’ with a panel of other experts.
Such shifts to ongoing ransom demands also parallel the shift we’ve seen in the software market for legitimate Software-as-a-Service (SaaS). The simultaneous shift from ‘one and done’ quick-deployment tactics to the spread-before-payload approach of long-cycle attacks (months, not weeks) means that the operational impact and immediate business disruption can be far higher than in traditional ransomware attacks. The specialization of ransomware roles (specifically, the ‘deployers / infiltrators’ in this case) has contributed to this.
In summary, the advancement of ransomware yields new tactics that parallel legitimate business tactics, but are now far more wide-reaching, bundled into SaaS offerings, and available for reasonable prices. The barrier to entry for criminals is lower than ever before.
Let’s face it. Your siloed attempts won’t have a drastic impact on the marketplace factors that have led to the rise of RaaS. So, we’ll leave that to our friends in law enforcement! There are, however, preparedness steps you can take to protect yourself. We go into more detail on this topic in our eBook: Foundations for Incident Response Readiness. But here are some snippets:
Having detection and response capabilities is essential for dealing with a multitude of security threats. With ransomware executing with lightning speed, far quicker than human eyes can detect and respond, human-dependent response efforts do not combat this threat effectively.
Don't take our word for it. Request a complimentary Ransomware Readiness Assessment today, to evaluate your defenses against advanced ransomware threats. Compare the results when our MDR service is protecting the same endpoint.
Managed Detection and Response (MDR) can achieve and augment in-house capabilities. Choosing an AI-powered MDR solution with built-in auto response prevents false positives that trigger unnecessary operational impact and activates the machine-speed response required to stop ransomware payloads fueled by RaaS tactics.
Our whitepaper, The Rise of RaaS, offers a comprehensive look into the tactics hackers appropriated from legitimate businesses to further their criminal activities with RaaS. In it, we discuss the factors that led to this, specific examples of RaaS in action, the implications for mid-sized enterprises, and specific risk mitigating steps to take.
The explosion of RaaS demands our diligent attention and continued adherence to IR best practices. Get the practical templates you need to document your IR plans, communicate buy-in and approval, and equip your business with the security coverage it needs to withstand RaaS cyber-attacks. Download our free eBook: Foundations for Incident Response Readiness today!