Ransomware appears to be everywhere. Reports of new attacks are a common feature of security news, with high-profile incidents that include crippling attacks on health care, government and education organizations. Ransomware is often termed an “emerging” threat; however, it has been around for a while and in 2019 accounted for $11.5 billion in losses. That figure is expected to grow for 2020 and beyond.
Ransomware-as-a-service (RaaS) is a variation on the theme. It’s actually more of an emerging threat, in the sense that the techniques and actors are evolving and becoming more sophisticated, with the potential to cause more damage. The relevant differences that make RaaS a more potent threat moving forward are not as commonly understood, which puts organizations at risk. Here’s a closer look at ransomware-as-a-service and how it’s evolving.
What Is Ransomware-as-a-Service?
RaaS is built on a similar model as legitimate IT-as-a-service offerings. A malicious organization or vendor offers other threat agents, including hackers and state-sponsored attackers, a proven ransomware tool that can be used to launch attacks against chosen victims. Successful attacks result in the seizure or encryption of target files, information or systems, which are held for ransom: The victim is told to pay up or lose access forever.
RaaS has become extremely popular because it’s such a successful business model (to the detriment of businesses and individuals). At Avertium, we have extensively studied, modeled, tracked and countered ransomware-as-a-service operations and have deep insights into how it works, which types of organizations are most vulnerable, and many of the threat actors involved.
When you’re facing a RaaS threat, you’re actually being targeted by two discrete malicious groups: 1) the group that developed the ransomware tool and maintains both the code and the administrative plan to use it, and 2) the group that has chosen you as a victim and is deploying it against you. These two groups coordinate, communicate and collaborate in the penetration and ransom operation. The typical workflow looks like this:
- The ransomware developer solicits criminal groups to use their tool on an affiliate basis; both elements in the partnership are typically of Russian origin.
- The affiliate demonstrates they have a viable target, one that has value and is vulnerable; the affiliate has usually already profiled and surveilled the target, and may have already illicitly gained access and exfiltrated some data or established a persistent presence.
- The developer approves the target and provides the ransomware tool; the affiliate unleashes the ransomware tool and begins the ransom operation.
RaaS is a very sophisticated, organized and structured criminal enterprise, sponsored by well-resourced organizations with abundant financial backing. It is emerging as a cybercrime with a very high ROI and low potential for being caught.
New RaaS Vulnerabilities Require Threat-Based Security Solutions
Cybersecurity operations that focus on alerts, intrusions and malware are vital to protection, but they are fundamentally reactive. These measures also tend to handle issues at the micro level, rather than assessing and addressing the underlying threat patterns.
A threat-based defense strategy, by contrast, is based on systematically assessing an environment’s strengths and vulnerabilities to foresee, analyze and mitigate specific potential threats.
By establishing an understanding of what is important to protect, teams can identify the scope of threats like ransomware that they need to be vigilant toward, including who might endanger them and how.
A well-structured approach to threat-based security draws on established industry guidelines and frameworks to assess the environment as the basis for actions to advance its state of maturity. The National Institute of Standards and Technology (NIST) developed its Cybersecurity Framework (CSF) to help practitioners manage cyber risk. The NIST CSF provides standards, guidelines and practices that organizations can use as the basis for assessing threats and the entity’s state of readiness against them. This forms the basis for identifying priorities for advancing security measures.
MITRE ATT&CK is a threat hunting framework that empowers users to proactively investigate their environment for threats. A program using MITRE ATT&CK doesn’t wait for an alert to go off, but continuously samples data and creates hunt strategies to eliminate threats from the environment.
Download the White Paper: Combining NIST CSF standards and MITRE ATT&CK actionable intelligence can help to define and enact a threat-based approach to cyber protection. Download the Threat-Based Security at the Intersection of MITRE ATT&CK and NIST CSF white paper to learn how.
Penetration testing, also known as ethical hacking, involves a cybersecurity expert testing the defenses of your network just as a potential attacker would. By simulating the tactics, techniques and procedures (TTPs) of real-world attackers, a penetration test not only gives visibility into the health of your cybersecurity program, but also offers clear, actionable solutions that prevent hackers from infiltrating your systems.
Vulnerability Assessment and Management
A vulnerability assessment is a thorough evaluation of the levels of cybersecurity hygiene within your environment. It is used to identify existing and potential threats in the software throughout your organization’s systems and networks resulting from unpatched and exploitable vulnerabilities, giving the organization the opportunity to remediate these deficiencies before they are discovered by a bad actor.
Vulnerability management goes a step further: it builds an ongoing program around individual assessments to provide deeper understanding and control over enterprise security risks, and it ensures that weaknesses in the environment receive consistent attention and prioritization so that remediation actually happens.
The days of purely on-premises IT are gone forever. Widespread cloud adoption has broadened the enterprise perimeter along with the overall attack surface. The necessity to work from home during the pandemic has shifted the paradigm completely, possibly making a permanent return to the office unlikely for many. Traditional access management, user authentication and perimeter protection technologies, therefore, can no longer be relied upon on their own.
An extended detection and response (XDR) approach uses layered technologies to allow security teams to reach deeper into the network and take a more proactive stance against security threats. This approach produces fewer alerts, faster event resolutions and lower costs. With layered monitoring, you can gain greater visibility and control, with the ability to microsegment the network and move more efficiently on actionable alerts. Relief from “alert factories” also allows teams to focus attention on real threats and closing the holes that threaten to let them in.
Getting Help to Protect Against Ransomware-as-a-Service
Avertium connects organizations with security solutions designed to keep pace with RaaS threats. Avertium applies a more rigorous approach to security that allows us to understand what makes your environment tick, so that our recommendations are more relevant and responsive to specific threat actors or use cases. Through rigor, relevance and responsiveness, we work diligently to ensure you show no weakness in your security posture.
Contact us if you’d like to know more about innovative security solutions designed to shield your organization against the next generation of digital risks, including ransomware-as-a-service.