Ransomware continues to be one of the most persistent and pervasive cyber threats. The one constant with ransomware is that it continues to evolve and adapt as new technologies become available. The latest evolution is not related to new technologies but rather a new business model called ransomware-as-a-service or RaaS. This new business model is a threat to organizations big and small because it provides the most up-to-date tools, technologies, and know-how to cybercriminals of varying abilities, allowing them to increase their victim base.
RaaS is a business model built on an agreement between an operator and an affiliate. The operator develops and maintains the tools used for the extortion, and the affiliate deploys the ransomware payload or malware. When the affiliate succeeds with the ransomware and extortion attack, both the operator and the affiliate profit.
In short, ransomware-as-a-service lowers the barrier to entry for cybercriminals who lack the skills or technical talent to develop their own tools but can still carry out the ransom attacks.
The result is that the impact on an organization of a successful ransomware and extortion attack stays the same, regardless of the cybercriminal's skill set.
One of the ways RaaS providers give value to their affiliates is by providing access to compromised networks. They scan the internet for vulnerable systems, compromise them, and keep an inventory of that access to sell for profit.
Compromised credentials are crucial to the success of the attacks. When cybercriminals sell network access, the price in many instances includes a guaranteed administrator account.
What happens after cybercriminals gain access depends on the group and its motivations. The time between initial access and deployment can range from minutes to days or longer. But when they are ready, damage can be inflicted extremely fast. In some cases, the whole process from access to deployment of the ransom attack has taken less than one hour.
Cybercriminals like to maximize their investments. Once they have access to a network, they will do everything in their power to stay there. This is true even if the victimized organization pays the initial ransom requested. Paying the ransom only funds continued attacks with different ransomware and malware payloads until the intruders are actually removed from the network.
The Human Element
One of the reasons that RaaS is so concerning is that the attackers are humans who can vary their attack patterns based on what they find in the networks they breach, to ensure the success of the attack.
Ransomware threat actors are motivated by easy money, which means that hardening an organization's security adds to their operating costs and disrupts the cybercrime economy. Having security products that detect or block malicious payloads is not enough, because of the human decision-making element involved in RaaS. Even when the malicious payload is blocked, the cybercriminals themselves may remain in the network and will simply use other tools or change their payloads to continue the attack.
Cybercriminals are also very aware of response times and of the capabilities and limitations of detection tools. By the time the attack reaches the stage of deleting backups, it is usually just minutes away from a ransomware deployment, and the threat actor has probably already performed other harmful actions such as exfiltration of data. This is important to know for remediation and incident response purposes.
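Because backup deletion is one of the last steps before deployment, it is a high-value detection point. The following is an added example (not from the original post or any vendor product) of a small detector run over constructed process-creation events; the event format, host names and user names are assumptions for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample process-creation events (Sysmon EID 1 / Security 4688 style); not from any real host.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T02:11:05Z", "host": "FS01", "user": "CORP\\svc_backup",
     "cmd": "C:\\Windows\\System32\\vssadmin.exe list shadows"},
    {"ts": "2024-03-01T02:14:40Z", "host": "FS01", "user": "CORP\\jdoe",
     "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2024-03-01T02:14:41Z", "host": "FS01", "user": "CORP\\jdoe",
     "cmd": "wbadmin delete catalog -quiet"},
    {"ts": "2024-03-01T02:14:43Z", "host": "FS01", "user": "CORP\\jdoe",
     "cmd": "bcdedit /set {default} recoveryenabled no"},
    {"ts": "2024-03-01T02:20:00Z", "host": "WS07", "user": "CORP\\asmith",
     "cmd": "notepad.exe C:\\Users\\asmith\\notes.txt"},
]

# Command-line patterns for recovery inhibition (MITRE ATT&CK T1490).
# Read-only admin use such as "vssadmin list shadows" is deliberately not matched.
RULES = {
    "shadow_copy_delete": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "wmic_shadow_copy_delete": re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "backup_catalog_delete": re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I),
    "boot_recovery_disabled": re.compile(r"bcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
}

def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def match_event(event):
    """Return the names of all rules whose pattern matches this event's command line."""
    return [name for name, rx in RULES.items() if rx.search(event["cmd"])]

def detect(events, window_seconds=300):
    """One finding per host. Severity is 'critical' when two or more distinct
    recovery-inhibition rules fire on the same host inside the window, else 'high'."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        for rule in match_event(ev):
            by_host.setdefault(ev["host"], []).append((parse_ts(ev["ts"]), rule, ev["user"]))
    findings = []
    for host, hits in by_host.items():
        first = hits[0][0]
        in_window = {r for t, r, _ in hits if t - first <= timedelta(seconds=window_seconds)}
        findings.append({"host": host, "rules": sorted(in_window), "users": sorted({u for _, _, u in hits}),
                         "first_seen": first.isoformat(), "severity": "critical" if len(in_window) >= 2 else "high"})
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

A single matching command on a host is worth an alert on its own; several within minutes is the pattern the paragraph above describes and should page the on-call responder immediately.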
Hardening the Security Stance
Here are some steps organizations can take to harden their security.
- Segment access based on privilege, and implement it alongside network segmentation, to limit lateral movement.
- Audit credential exposure. Reduce administrative privileges and understand how exposed those credentials are.
- Secure cloud resources and identities as well as on-premises accounts. The focus should be on hardening the identity infrastructure, enforcing multifactor authentication (MFA) on all accounts, and treating cloud admins with the same level of security as domain admins.
- Organizations should verify that their security tools are running and configured properly. They should also perform regular network scans to ensure the security tools in place are protecting all systems.
- Organizations need to identify and secure perimeter systems that attackers might use to access the network.
- Establish patching procedures. Cybercriminals regularly use unpatched vulnerabilities, whether already disclosed or zero-day, to do their dirty work, so having excellent patching processes can mitigate the risks.
- Be prepared with a recovery plan. The costs of recovery are usually lower than paying a ransom. Organizations need to ensure that regular backups of critical systems are conducted and that restore capabilities are checked and tested on a scheduled basis.
- They should also make sure that those backups are protected against deliberate erasure and encryption.
Ransomware-as-a-service has once again changed the landscape, increasing the risks of a ransomware attack on multiple levels. The above steps and recommendations are an excellent start to mitigating those risks.
MicroAge can help businesses and organizations through the journey of hardening their security stance while disrupting the cybercrime economy driven by RaaS. Contact us to see how we can help you.