Cybercrime - Ransomeware as a Service

The cybercriminal economy is a continuously evolving connected ecosystem of many players with different techniques, goals, and skillsets.

Ransomware as a service (RaaS) is a subscription-based model that enables affiliates to use already-developed ransomware tools to execute ransomware attacks. Affiliates earn a percentage of each successful ransom payment.

Ransomware as a Service (RaaS) is an adoption of the Software as a Service (SaaS) business model. RaaS users don't need to be skilled or even experienced, to proficiently use the tool. RaaS solutions, therefore, empower even the most novel hackers to execute highly sophisticated cyberattacks. 

RaaS solutions pay their affiliates very high dividends. The average ransom demand increased by 33% since Q3 2019 to $111,605, with some affiliates earning up to 80% of each ransom payment. The low technical barrier of entry, and prodigious affiliate earning potential, makes RaaS solutions specifically engineered for victim proliferation.

In the same way our traditional economy has shifted toward gig workers for efficiency, criminals are learning that there’s less work and less risk involved by renting or selling their tools for a portion of the profits than performing the attacks themselves. This industrialization of the cybercrime economy has made it easier for attackers to use ready-made penetration testing and other tools to perform their attacks.

Ransomware attacks have become even more impactful in recent years as more ransomware-as-a-service ecosystems have adopted the double extortion monetization strategy. All ransomware is a form of extortion, but now, attackers are not only encrypting data on compromised devices but also exfiltrating it and then posting or threatening to post it publicly to pressure the targets into paying the ransom. Most ransomware attackers opportunistically deploy ransomware to whatever network they get access to, and some even purchase access to networks from other cybercriminals. Some attackers prioritize organizations with higher revenues, while others prefer specific industries for the shock value or type of data they can exfiltrate.

The RaaS affiliate model, which has allowed more criminals, regardless of technical expertise, to deploy ransomware built or managed by someone else, is weakening this link. As ransomware deployment becomes a gig economy, it has become more difficult to link the tradecraft used in a specific attack to the ransomware payload developers.

The dark web is a criminal-infested network, so any leaked information on the platform will give multiple cybercriminal groups free access to your sensitive data and those of your customers. The fear of further exploitation compels many ransomware victims to comply with cybercriminal demands.

To make the ransom payment, victims are instructed to download a dark web browser and pay through a dedicated payment gateway. Most ransomware payments are made with cryptocurrency, usually Bitcoin, due to their untraceable nature. 

Reporting a ransomware incident by assigning it with the payload name gives the impression that a monolithic entity is behind all attacks using the same ransomware payload and that all incidents that use the ransomware share common techniques and infrastructure. However, focusing solely on the ransomware stage obscures many stages of the attack that come before, including actions like data exfiltration and additional persistence mechanisms, as well as the numerous detection and protection opportunities for network defenders.

How to Protect Yourself from Ransomware Attacks

The most effective ransomware attack mitigation strategy is a combination of educating staff, establishing defenses, and continuously monitoring your ecosystem for vulnerabilities.

Here are some suggested defense tactics:

• Monitor all endpoints connection requests and establish validation processes
• Educate staff on how to identify phishing attacks
• Set up DKIM and DMARC to prevent attackers from using your domain for phishing attacks.
• Monitor and remediate all vulnerabilitiesexposing your business to threats
• Monitor the security posture of all your vendors to prevent third-party breaches
• Set up regular data backup sessions
• Do not solely rely on cloud storage, backup your data on external hard drives
• Avoid clicking on questionable links. Phishing scams do not only occur via email, malicious links could lurk on web pages and even Google documents.
• Use antivirus and anti-malware solutions
• Ensure all your devices and software are patched and updated.
• Provide your staff and end-users with comprehensive social engineering training
• Introduce Software Restriction Policies (RSP) to prevent programs from running in common ransomware environments, i.e. the temp folder location
• Apply the Principles of Least Privilege to protect your sensitive data
• Ransomware: Should You Pay the Ransom?

Whether or not you should pay for a ransomware price is a difficult decision to make. If you make a payment, you are trusting that the cybercriminals will deliver on their promise of supplying you with a decryption key.

Cybercriminal operations are inherently immoral, you cannot trust criminals to uphold a fragment of morality and follow through with their promises. In fact, many RaaS affiliates don't waste time providing decryption keys to all paying victims, time is better spent seeking out new paying victims. 

Because a ransom payment never guarantees the decryption of seized data, the FBI strongly discourages paying for ransoms. But companies have paid ransom and I personally know many clients who have budgeted for paying ransoms as it is a impending risk to any business inspite of having good cybersecurity practices. Some of my clients have cyber insurance which covers payment of ransom but frankly speaking. I don’t know the legality of such cyber insurance coverage .