We’ve said it before: Cybercriminals are smart -- so smart they’ve now branched out to Godfather villainy much the same as a cartel.
They’ll make you an offer you can’t refuse, a ransom threat, but they don’t necessarily need the wherewithal to do it themselves. They hire “hit men” — companies, groups, nefarious entities — that have all the skills needed and will sell it for a price.
This is called RaaS or ransomware as a service. Because of RaaS, anyone can become a cybercriminal; no hacking required. It’s hard to believe but true.
What Is Ransomware as a Service?
At its heart, ransomware is software: malicious software to be sure, but it's created not unlike your TurboTax or Zoom. When people think of cybercriminals, they think of hackers writing code and launching it onto networks. That image has little connection with the reality of modern cybercrime. Today, becoming a cybercriminal is as easy as purchasing a software license. That’s ransomware as a service (RaaS) — ready-made ransomware software that just about anyone can buy and use.
The ransomware-as-a-service market has helped lower the entry barriers for prospective cybercriminals, leading to a larger number of ransomware attacks against legitimate organizations. A pattern of cooperation has developed between ransomware gangs, along with the adoption of double and triple extortion tactics. As a result, the likelihood has increased that a victim will pay at least one ransom demand. With more people paying, ransomware threats have soared.
Average ransomware payments increased 33 percent from the fourth quarter of 2019 to the first quarter of 2020, according to the Canadian Center for Cybersecurity.
Workflow attacks today depend on a hands-on-keyboard component to circumvent defensive controls, which is why a human-response component is necessary to track, stop and eradicate threats.
RaaS Is Gaining in Popularity
Ransomware as a service is gaining popularity because cybercrime groups don’t have to run the operations themselves, and most of them do not have the skills to do so. This has resulted in a new, exploitative RaaS industry. The new platforms include:
- Renting an RaaS platform, which gives them a command and control platform.
- Extortion websites, which support the double and triple extortion components of ransomware groups.
- Marketplaces, where smaller groups post stolen data.
- Purchasing RaaS offerings, including exploitation kits and training on how to commit cybercrime.
- Hosted payment websites, which help customers pay ransoms.
- Daily updated lists of compromised data, including screenshots and company names.
With these new RaaS opportunities, the criminals learn:
- How the groups get the money and launder it.
- How marketplaces offer an escrow: blind trust.
- How to “clean” bitcoins (or other digital currency) by using crypto tumblers that mix them with clean coins to make them harder to trace.
- How to amass currency within platforms.
Ransomware cartels are emerging and coming together. An RaaS provider is just like a legit software provider:
- They use the same legitimate software developers to lease RaaS products.
- A customer simply logs into the RaaS portal, creates an account, pays with Bitcoin, enters details on the type of malware they wish to create and clicks the submit button.
- The most sophisticated RaaS operators offer portals that let their subscribers see the status of infections, total payments, total files encrypted and other information about their targets.
- In addition to RaaS portals, RaaS operators run marketing campaigns and have websites that look exactly like your own company’s campaigns and websites. They have videos, white papers and are active on Twitter.
- In addition to the threat, the affiliate provides proof, such as a screenshot of an example document contained within the victim data.
The steps to prevent a RaaS attack are the same as preventing any ransomware attack, because RaaS is just ransomware packaged for ease of use by anyone with ill intent.
The availability of international cloud infrastructure has grown exponentially, providing crime gangs from across the globe with scalable and standardized environments that can be accessed from anywhere.
This makes it possible for them to easily attack organizations within the United States and other countries using sophisticated cybersecurity programs—with little fear of extradition.
Additionally, a growing number of organizations, such as DarkSide, REvil and others, franchise their ransomware-as-a-service (RaaS) capabilities to attackers. The attackers are responsible for penetrating the organizations, while the franchisers provide the encryption tools, communications, ransom collection, etc., all for a percentage of the ransom collected. More ominously, the recent U.S. focus on ransomware could lead to even more attention from bad actors.
For talented hackers, this RaaS model provides two streams of income. First, they can create and implement sophisticated attacks using proven tactics, techniques and procedures. In addition, they can outsource that attack using a commodity infrastructure proven out in several years of ransomware attacks.
Countering RaaS and Other Threats
For the business owner, understanding ransomware as a service is mostly about realigning how you think about cybercrime. Once you comprehend just how easy it is for criminals to get into the ransomware game, it’s impossible to bury your head in the sand and think “it can’t happen to me.” It can, and it will.
The good news is that countering RaaS attacks is the same as countering any ransomware attack — or even any cyber attack. It involves a comprehensive approach to protecting your systems, staying on top of the threat landscape, training your team and ensuring that backup and recovery planning can provide business continuity. Visibility is critical for success. Everyone in the company from the CEO down needs training in how to spot and mitigate vulnerabilities.
The right IT partner can help.
If you’re an Intrust client, you have an inside track to the best cybersecurity prevention available today and tomorrow. We constantly monitor the landscape to stay up to date with these nefarious actors. We do it like we do everything for our clients: 24/7/365, providing a holistic approach to keeping your data safe.