
What is ransomware-as-a-service and how is it evolving?


Ransomware attacks are becoming increasingly common and costly – ransomware-induced breaches have increased by 41 percent over the past year, while the average cost of a devastating attack has risen to $5.12 million. Additionally, a large portion of the cyber criminals who carry out these attacks operate on a ransomware-as-a-service (RaaS) model.

RaaS is not much different, in theory, from the software-as-a-service (SaaS) business model, where cloud providers “rent” their technology to you on a subscription basis – simply swap “cloud providers” for “ransomware gangs” and “technology” for “ransomware” (and the related crimes involved).

In this post, we’ll talk more about how RaaS works, why it poses a unique threat to businesses, and how small and medium-sized enterprises (SMEs) can prepare for the next generation of RaaS attacks.

How does ransomware-as-a-service work?

RaaS gangs are not lone hackers looking to earn a few hundred dollars. They are large, sophisticated businesses with up to a hundred employees – LockBit, BlackBasta, and AvosLocker are just a few of the RaaS gangs Malwarebytes covers in its monthly ransomware report.

“This works as a business,” says Mark Stockley, Security Evangelist at Malwarebytes. “You’ve got developers, you’ve got managers, maybe you have some levels of people doing the negotiations, things like that. And these gangs have earned hundreds of millions of dollars every year over the past few years.”

RaaS gangs like LockBit make money by selling “RaaS kits” and other services to groups called affiliates, which are the ones that actually launch ransomware attacks. In other words, affiliates do not need any special technical skills or knowledge to carry out attacks. Working closely with “Initial Access Brokers” (IABs), some RaaS gangs can even offer affiliates direct access to a company’s network.

How ransomware as a service changed the game

Let’s go back to the year 2015. Those were the “good old days”, when ransomware attacks were automated and carried out on a much smaller scale.

The process went like this: someone would send you an email with an attachment, you would double-click on it, and the ransomware would run on your machine. You would be locked out of your machine and would have to pay around $300 in Bitcoin to unlock it. The attackers would send a lot of these emails, many machines would get encrypted, and many people would pay a few hundred dollars. That was the business model in a nutshell.

But then ransomware gangs smelled a golden opportunity.

Instead of attacking individual endpoints, they realized that they could target whole organizations for far more money. Automated campaigns gave way to human-operated attacks, where a single operator controls the attack. In such attacks, attackers work hard to gain a foothold in a network so that they can move laterally through the organization.

At the forefront of this evolution from automated ransomware to human-operated ransomware attacks are ransomware-as-a-service gangs – and their new business model seems to be paying off: in 2021, ransomware gangs made at least $350 million in ransom payments.

Why ransomware-as-a-service attacks are so dangerous

The fact that RaaS attacks are human-operated means that ransomware attacks are more targeted than they used to be – and targeted attacks are far more dangerous than untargeted ones.

In targeted attacks, attackers spend more time, resources, and effort to infiltrate a business network and steal information. Such attacks often exploit known security vulnerabilities to gain access, and attackers may then spend anywhere from days to months on your network.

The human factor of RaaS attacks also means that affiliates can control exactly when they launch an attack – including during periods when organizations are most vulnerable, such as holidays or weekends.

“RaaS affiliates are known to love weekends,” Stockley said. “They want to execute the ransomware when you’re not going to notice it, to give themselves as much time as they need to complete the encryption. So they like to do it at night, they like to do it during the holidays.”

“You’re dealing with one person,” Stockley continued. “This is not software that runs trying to figure everything out. He is a person who tries to understand everything. And they’re trying to figure out what’s the best way to attack you.”

Is ransomware here to stay? The evolution of RaaS attacks

One of the biggest innovations in the RaaS space in recent years has been the use of double extortion schemes, where attackers steal data before encrypting it and threaten to leak it if the ransom is not paid.

Companies have become more familiar with ransomware and are better prepared when it comes to things like backups. But if RaaS affiliates have already invaded your environment, they can simply use the stolen data as extra leverage, leaking chunks of it to grab your attention, speed up negotiations, or prove what kind of access they have.

Almost all RaaS gangs these days practice double extortion, publishing stolen data on dedicated leak sites on the dark web. Many RaaS offerings even come with a suite of extortion support services, including hosting those leak sites. Not only is this trend growing, but there is debate about whether leak-only extortion, with no encryption at all, is the next stage of evolution for RaaS.

“There are now gangs that only leak data and don’t bother to do the encryption at all,” Stockley said. “Because it’s pretty successful. And they don’t have to worry about software, they don’t have to worry about detecting software, they don’t have to worry about running it.”

In other words, the evolution from encryption-focused RaaS to “leak-focused” RaaS means businesses need to rethink the nature of the problem: it’s not ransomware per se, it’s an intruder on your network. The really dangerous thing turns out to be the access, not the ransomware itself.

How SMEs can protect themselves from next-generation RaaS

Preparing for RaaS attacks is no different from preparing for ransomware attacks in general, and the advice doesn’t differ much between businesses or industries of different sizes. Because the next generation of RaaS is so focused on hands-on intrusion, however, SMBs face their own unique challenges in fighting it.

Monitoring a network 24/7 for signs of a RaaS intrusion is hard work, especially for organizations with small budgets and almost no security personnel. Consider the fact that, when a threat actor compromises a target network, it does not strike immediately. The median number of days between initial compromise and detection is 21 days.

By then, it is often too late: data has already been exfiltrated or ransomware has already been deployed. In fact, 23 percent of intrusions lead to ransomware, 29 percent to data theft, and 30 percent to exploit activity – where attackers use vulnerabilities to launch further intrusions.

Even with tools like EDR, SIEM, and XDR, sifting through alerts and recognizing indicators of compromise (IOCs) is the work of experienced cyber threat hunters – talent that SMBs simply can’t afford. That’s why investing in managed detection and response (MDR) is extremely beneficial for SMBs looking to counter RaaS attacks.

“Obviously, the most economical thing is not to let people invade first and foremost. And that’s why things like patching, two-factor authentication, and multi-vector endpoint protection (EP) are so important,” Stockley said. “But at the point where they’ve invaded, then you want to track them down before they do anything wrong. That’s where MDR comes in.”

The perfect one-two combination to fight RaaS

Human-operated, targeted, and easy-to-execute RaaS attacks are a dangerous development in ransomware’s history.

Double extortion tactics, where attackers threaten to leak stolen data to the dark web, are another important evolutionary stage of RaaS campaigns today – to the point that ransomware itself may become obsolete in the future. As a result, SMBs should focus their anti-RaaS efforts on detecting intruders with MDR, in addition to implementing ransomware prevention and resilience best practices.

Article source: https://www.malwarebytes.com/blog/business/2022/10/what-is-ransomware-as-a-service-and-how-is-it-evolving