Ransomware-as-a-service – The new face of industrialized cybercrime.
Ransomware, one of the most persistent and pervasive cyber threats, continues to evolve, and its latest form presents a new menace to organizations worldwide. The evolution of ransomware doesn’t involve new advances in technology. Instead, it involves a new business model: ransomware-as-a-service (RaaS).
Ransomware-as-a-service (RaaS) is an arrangement between an operator, who develops and maintains the tools that power extortion operations, and an affiliate, who deploys the ransomware payload. When the affiliate conducts a successful ransomware and extortion attack, both parties profit.
Advancing the capabilities of cybercriminals and growing the overall cybercriminal economy:
The ransomware-as-a-service model has facilitated a rapid refinement and industrialization of what less capable criminals can accomplish. In the past, these less sophisticated criminals may have used commodity malware they either built or purchased to perform attacks that are limited in scope, but now they can get everything they need—from access to networks to ransomware payloads—from their RaaS operators (for a price, of course). Many RaaS programs further incorporate a suite of extortion support offerings, including leak site hosting and integration into ransom notes, as well as decryption negotiation, payment pressure, and cryptocurrency transaction services.
Discovering and exploiting network vulnerabilities… for a price:
One way RaaS operators provide value to their affiliates is by providing access to compromised networks. Access brokers scan the internet for vulnerable systems, which they can compromise and reserve for later profit.
In order to be successful, attackers need credentials. Compromised credentials are so important to these attacks that when cybercriminals sell network access, in many instances, the price includes a guaranteed administrator account.
What the criminals do with their access once it has been achieved can vary wildly depending on the group and its workload or motivations. The time between initial access and hands-on-keyboard deployment can therefore range from minutes to days or longer, but when circumstances permit, damage can be inflicted at breakneck speed. In fact, the time from initial access to full ransom (including the handoff from an access broker to an RaaS affiliate) has been observed to take less than an hour.
Keeping the economy moving – persistent and sneaky access methods:
Once attackers gain access to a network, they are loath to leave, even after collecting their ransom. In fact, paying the ransom may not reduce the risk to an affected network; it potentially only serves to fund cybercriminals, who will keep trying to monetize the access with different malware or ransomware payloads until they are evicted.
Facing the most elusive and cunning adversaries in the world:
One of the qualities of RaaS that makes the threat so concerning is how it relies on human attackers who can make informed and calculated decisions and vary attack patterns based on what they find in the networks where they land, ensuring they meet their goals.
While most initial access campaigns rely on automated reconnaissance, once the attack shifts to the hands-on-keyboard phase, attackers will use their knowledge and skill to try to defeat the security products in the environment.
This human decision-making means that even when security products detect specific attack stages, the attackers themselves are not fully evicted; they keep going unless a security control actually blocks them. In many instances, if a tool or payload is detected and blocked by an antivirus product, attackers simply grab a different tool or modify their payload.
Hardening security against threats while avoiding alert fatigue:
A durable security strategy against determined human adversaries must include both detection and mitigation goals. It is not enough to rely on detection alone, because 1) some infiltration events are practically undetectable on their own (they look like several innocent actions spread across a network), and 2) it is not uncommon for ransomware attacks to be overlooked because of alert fatigue caused by multiple, disparate security product alerts that are never tied together.
Because attackers have multiple ways to evade and disable security products and are capable of mimicking benign admin behavior in order to blend in as much as possible, IT security teams and SOCs need to back up their detection efforts with security hardening measures.
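One way to act on the two points above (individually innocent-looking actions, and alert fatigue from disparate single alerts) is to correlate weak signals per host before raising anything to the SOC. The following is an added illustration, not detection logic from the original article or from any vendor product: the signal names, weights, window and the sample log lines are all constructed assumptions. Each signal on its own is ordinary admin activity; several distinct signals on one host inside a short window are treated as one prioritized incident, while a single signal repeating noisily never trips the threshold.

```python
"""
Per-host correlation of weak, admin-looking signals into a single incident.
Illustrative example: the signal names, weights, threshold, window and the
log format are assumptions made for this demo, not a product's rules.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical signal categories. Each alone is routine; several distinct
# ones on the same host within WINDOW are not.
SIGNAL_WEIGHTS = {
    "admin_logon_new_source": 2,    # privileged logon from a host never used before
    "remote_exec_tool": 2,          # remote administration/execution tool launched
    "security_service_stopped": 3,  # endpoint protection service stopped or disabled
    "mass_file_rename": 3,          # burst of renames to one new extension
    "backup_artifacts_deleted": 3,  # local backups or snapshots removed
}
ALERT_THRESHOLD = 5
WINDOW = timedelta(minutes=30)


def parse_event(line):
    """Parse one constructed log line: 'ISO-timestamp|host|signal|detail'."""
    ts, host, signal, detail = line.split("|", 3)
    return datetime.fromisoformat(ts), host, signal, detail


def correlate(lines, threshold=ALERT_THRESHOLD, window=WINDOW):
    """Return {host: (score, [signals in order first seen])} for every host
    whose *distinct* signals inside some window of length `window` sum to at
    least `threshold`. Repeats of the same signal count once, so one noisy
    source cannot raise an incident by itself."""
    by_host = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, host, signal, _ = parse_event(line)
        if signal in SIGNAL_WEIGHTS:        # ignore signals we do not score
            by_host[host].append((ts, signal))

    incidents = {}
    for host, events in by_host.items():
        events.sort()                       # chronological per host
        best_score, best_signals = 0, []
        for i, (start, _) in enumerate(events):
            first_seen = {}                 # signal -> first timestamp in window
            for ts, sig in events[i:]:
                if ts - start > window:
                    break
                first_seen.setdefault(sig, ts)
            score = sum(SIGNAL_WEIGHTS[s] for s in first_seen)
            if score > best_score:
                best_score = score
                best_signals = sorted(first_seen, key=first_seen.get)
        if best_score >= threshold:
            incidents[host] = (best_score, best_signals)
    return incidents


# Constructed sample log (not real telemetry). WS-ACCT-07 shows four distinct
# signals within 13 minutes; SRV-FILE-02 repeats one signal hours apart;
# WS-HR-12 has a single benign-looking logon.
SAMPLE_LOG = """\
2024-03-01T09:02:10|WS-ACCT-07|admin_logon_new_source|user=svc-backup src=10.0.5.23
2024-03-01T09:05:41|WS-ACCT-07|remote_exec_tool|proc=remote-admin-tool
2024-03-01T09:09:03|WS-ACCT-07|security_service_stopped|svc=endpoint-protection
2024-03-01T09:15:30|WS-ACCT-07|backup_artifacts_deleted|detail=local snapshots removed
2024-03-01T10:30:00|SRV-FILE-02|security_service_stopped|svc=endpoint-protection
2024-03-01T14:45:00|SRV-FILE-02|security_service_stopped|svc=endpoint-protection
2024-03-01T11:00:00|WS-HR-12|admin_logon_new_source|user=jdoe-admin src=10.0.8.4
"""

if __name__ == "__main__":
    for host, (score, signals) in correlate(SAMPLE_LOG.splitlines()).items():
        print(f"INCIDENT host={host} score={score} chain={' -> '.join(signals)}")
```

Running the block reports a single incident for WS-ACCT-07 with the four signals in the order they appeared; SRV-FILE-02 and WS-HR-12 produce nothing, even though SRV-FILE-02 emitted the same "security service stopped" signal twice. The weights and window are the knobs a team would tune against its own baseline; the structural point is that the alert the analyst sees is the chain, not four disconnected tickets.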
Ransomware attackers are motivated by easy profits, so adding to their cost via security hardening is key in disrupting the cybercriminal economy.