The popularity of cloud-based services, such as software as a service, has grown significantly in recent years, as more and more organisations wake up to the business benefits on offer, such as rapid scalability, convenient flexibility, and business continuity. However, the more popular something is, the more attention it tends to attract, so it’s perhaps unsurprising that cybercriminals are taking a cue from these as-a-service models to broaden their reach.
Like many of the advanced enterprise solutions you utilise every day, ransomware is complex malware that requires customised code that runs on endpoints, as well as a network of command and control (C&C) servers. Furthermore, there are back-end requirements to store unique keys, collect ransoms, and deliver decryption keys. It requires extensive testing and support to operate smoothly, along with continuous development and updates to avoid detection. In short, ransomware is not something that most cybercriminals have the skills or resources to produce or maintain.
Recognising a market opportunity, the cybercriminals who do have the capability to scale their operations are switching from simply selling ransomware source code on the dark web to selling ransomware in an as-a-service model. But how does ransomware as a service (RaaS) work in reality, and how do those responsible manage to prevent detection? Perhaps more importantly, what do IT and business leaders need to know to effectively protect their businesses against such an attack?
What is RaaS?
RaaS is a software delivery model whereby the ‘vendor’ provides buyers with a range of pre-constructed tools that can be used to execute ransomware attacks on chosen victims. Once the RaaS source code has been written, it can be sold many times, making it highly economical to deploy. Complex infrastructure can be built and RaaS instances can be dynamically scaled up and down as needed.
Crucially, cybercriminals don’t require any specialised expertise in programming or DevOps to use RaaS, because someone else is doing all the hard work for them. All it really takes is a validated list of email addresses and an effective method to infiltrate the target organisation, which usually takes the form of a phishing or social engineering attack. Everything else is taken care of by the RaaS provider.
Last year, there were over 300 million ransomware attacks recorded globally. However, only a limited number of new ransomware code variants are introduced each year, meaning the vast majority of attacks use the same variants. Many experts believe that RaaS is one of the key drivers behind this. Indeed, several of the biggest ransomware groups, like DarkSide and REvil, are well-known RaaS providers.
What kind of business models do RaaS providers use?
There are four main RaaS business models that criminal providers typically sell over the dark web. These are as follows:
- A one-time licensing fee, similar to a software license, that’s paid upfront
- A recurring subscription service, typically paid for on a monthly or annual basis
- A hybrid model whereby customers pay a lower subscription fee but also agree to pay providers a percentage of any profits that are made (typically around 20-30%)
- A pure profit model, where all up-front fees are eschewed in exchange for a larger cut of profits made (usually at least 50%)
RaaS makes ransomware much more accessible for non-skilled cybercriminals
Unfortunately, RaaS significantly reduces the barrier to entry for criminals that don’t have the necessary experience, knowledge or skills needed to create ransomware from scratch. No coding or infrastructure knowledge is necessary, all transactions between the criminal and the RaaS provider are completely anonymous, and the criminal is free to attack as many victims as possible during their service period.
Incredibly, some larger RaaS providers even operate ‘customer support’ services to help solve attackers’ technical issues or queries. In many cases, this also includes dedicated personnel to walk attack victims through the ransom payment process.
How can businesses defend against the threat of RaaS?
Sadly, the number of ransomware attacks is only going to increase over time, but the good news is that a combination of staff training and strategic technology investment can offer a highly effective defence against it.
Even the most complex ransomware still relies on the most basic attack vectors to gain initial entry into a victim’s systems, namely tricking someone within the network to click on a compromised link or attachment. As mentioned earlier, this usually takes the form of social engineering or phishing. However, well-trained, security-conscious staff are much more alert to such tactics and can recognise them a mile off, which makes regular training one of the best forms of defence against ransomware. Having executive leadership support around the importance of proper security hygiene is another way to ensure your staff takes security seriously.
Strategic technology investment
Ransomware code is designed to get past firewalls and evade intrusion detection. However, once ransomware appears on a target machine, it can often be detected by its signature, because there are still only a relatively small number of ransomware variants.
Leading cybersecurity platforms can detect known signatures of ransomware files and potential ransom notes, and update signatures once new ones are found. They can also detect the behaviour of a ransomware attack based on the number of files touched and increasing file entropy. If ransomware does get through, they can help businesses recover by reverting file versions, so ransomware is no longer a debilitating concern.
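The behavioural signal described above (many files touched, with rising entropy) can be sketched as follows. This is an added example, not code from the original article or from any vendor's product; the class name, the thresholds and the sample data are assumptions chosen for illustration.

```python
import math
import os
from collections import Counter, deque

# Constructed sample content standing in for an ordinary text document.
TEXT = b"Quarterly report: revenue, costs and forecast figures. " * 200

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4-5 for text, close to 8 for encrypted or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

class MassEncryptionDetector:
    """Alert when many distinct files turn high-entropy inside a short time window.

    All thresholds are illustrative assumptions and need tuning per environment.
    """
    def __init__(self, window_s=60.0, max_files=20, high=7.5, min_jump=2.0):
        self.window_s, self.max_files = window_s, max_files
        self.high, self.min_jump = high, min_jump
        self.hits = deque()  # (timestamp, path) of suspicious rewrites

    def observe(self, ts: float, path: str, before: bytes, after: bytes) -> bool:
        """Record one file rewrite; return True once the burst threshold is reached."""
        h_before, h_after = shannon_entropy(before), shannon_entropy(after)
        # Archives and images are already high-entropy, so also require a jump.
        if h_after >= self.high and h_after - h_before >= self.min_jump:
            self.hits.append((ts, path))
        while self.hits and ts - self.hits[0][0] > self.window_s:
            self.hits.popleft()
        return len({p for _, p in self.hits}) >= self.max_files

def simulate(n_files: int, before: bytes, encrypt: bool) -> bool:
    """Replay constructed rewrite events, one per second, and report whether an alert fired."""
    det = MassEncryptionDetector()
    alerted = False
    for i in range(n_files):
        after = os.urandom(len(before)) if encrypt else before + b" edited"
        alerted |= det.observe(float(i), f"/share/doc{i}.txt", before, after)
    return alerted

if __name__ == "__main__":
    print("normal edits        :", simulate(30, TEXT, encrypt=False))
    print("bulk encryption     :", simulate(30, TEXT, encrypt=True))
    print("re-saved archives   :", simulate(30, bytes(range(256)) * 16, encrypt=True))
```

Requiring both a high absolute entropy and a jump from the previous version keeps routine rewrites of compressed files from raising alerts, while the file-count window separates a single encrypted document from a bulk event.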
The rising popularity of RaaS is seen by many to be a key factor in the explosive resurgence of ransomware in recent years, causing concern amongst businesses all over the world. However, with the right cybersecurity defences in place, the risk of becoming the next victim can be significantly lowered, so don’t wait to act until it’s too late.