Beware Ransomware-as-a-Service
- By CDOTrends editors
- August 30, 2022
In recent years, ransomware has become one of the most prevalent and costly types of cybercrime. The ease with which malicious actors can deploy ransomware, combined with the high potential payouts, has made this type of attack especially attractive to criminals.
One of the key factors driving the growth of ransomware is the rise of ransomware-as-a-service (RaaS). RaaS is a business model in which the developers who build and maintain a ransomware payload partner with affiliates who carry out the intrusions and deploy it. RaaS allows even inexperienced cybercriminals to launch sophisticated ransomware attacks with minimal effort and expense, because the hard parts (the malware, the leak site, the payment handling) are rented rather than built.
Microsoft's second edition of Cyber Signals highlights how RaaS works, its new business model, and what companies can do to protect themselves from this growing threat.
RaaS: How it works
Microsoft calls the rise of RaaS the "industrialization of cybercrime," which has created specialized roles such as access brokers who sell footholds in already-compromised networks. With RaaS, cybercriminals can buy access to ransomware payloads, data-leak sites, and ransom-payment infrastructure instead of building their own.
According to Microsoft, affiliates switch between RaaS programs and payloads, so the payload found on a victim's network says little about who actually carried out the intrusion, which makes attribution difficult. Conti and REvil are two RaaS programs often referred to as "gangs" because of the number of affiliates who use them. Conti has since shut down, but newer RaaS programs such as QuantumLocker and Black Basta are filling the void.
RaaS kits, which include the malware, support for affiliates, and other tooling, are easy to find on the dark web, Microsoft notes. The sale follows an affiliate model: the RaaS operator takes a cut of each ransom its affiliates collect.
Double extortion has become more common as part of the RaaS business model. In double extortion attacks, the attackers not only encrypt victims' data but also steal it first and threaten to leak it unless a ransom is paid. This has proven to be an effective strategy, as many companies are willing to pay to keep their data private. It also means that restoring from backups is not by itself a defense: the backups restore availability, but the stolen copy can still be published.
Defending against RaaS attacks
Microsoft recommends three steps for organizations to defend against RaaS attacks:
1. Harden the cloud: This means securing resources and identities in the cloud as well as on-premises accounts. Multi-Factor Authentication (MFA) should be enabled for all accounts, and cloud admins and tenant admins should be treated with the same level of security and credential hygiene as domain admins, since a compromised tenant admin gives an affiliate the same reach a domain admin does on-premises.
2. Prevent initial access: This means controlling which macros and scripts can run (for example, blocking macros in Office files downloaded from the internet) and enabling Attack Surface Reduction (ASR) rules in Microsoft Defender, which block the common macro-to-payload and credential-theft techniques affiliates rely on.
3. Close security blind spots: Companies need to ensure that security tools are running in their optimal configuration and perform regular network scans to find systems that no security product covers, since an unprotected host is exactly where an affiliate will stage the payload.
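The following PowerShell script is an added example, not code from the article or from Microsoft's Cyber Signals report. It shows what steps 2 and 3 look like on a single Windows endpoint running Microsoft Defender Antivirus: it enables a set of ASR rules (first in audit mode, then in block mode once the audit events have been reviewed), applies the Office policy that blocks macros in files downloaded from the internet, and checks that real-time protection, tamper protection and fresh signatures are in place. The rule GUIDs are Microsoft's published ASR rule IDs; the function names, the `$Mode` parameter and the three-day signature-age threshold are this example's own choices.

```powershell
# Added example, not from the article. Needs an elevated session on a host with
# Microsoft Defender Antivirus. Function names and thresholds are assumptions.
#Requires -RunAsAdministrator

# ASR rules that target macro/script-based initial access and credential theft.
# GUIDs are Microsoft's published rule IDs; the descriptions are paraphrased.
$AsrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '92E97FA1-5D38-4B78-ABD5-E8E0CC29B6B9' = 'Block Win32 API calls from Office macros'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript/VBScript from launching downloaded executable content'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
    'C1DB55AB-C21A-4637-BB3F-A12568109D35' = 'Use advanced protection against ransomware'
}

function Set-RansomwareAsrRules {
    # Start in AuditMode, review the ASR events (Event ID 1122 in the Defender
    # operational log), then rerun with -Mode Enabled to block.
    param([ValidateSet('AuditMode', 'Enabled')] [string] $Mode = 'AuditMode')
    foreach ($id in $AsrRules.Keys) {
        # Add-MpPreference merges with rules already configured instead of replacing them.
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Mode
        Write-Host ("{0}  {1} -> {2}" -f $id, $AsrRules[$id], $Mode)
    }
}

function Get-RansomwareAsrState {
    # Get-MpPreference reports actions as integers: 0 Disabled, 1 Block, 2 Audit, 6 Warn.
    $pref = Get-MpPreference
    $names = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    foreach ($id in $AsrRules.Keys) {
        $idx = [array]::IndexOf(($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToUpper() }), $id)
        $state = if ($idx -ge 0) { $names[[int]$pref.AttackSurfaceReductionRules_Actions[$idx]] } else { 'NotConfigured' }
        [pscustomobject]@{ RuleId = $id; Rule = $AsrRules[$id]; State = $state }
    }
}

function Set-OfficeInternetMacroBlock {
    # Office policy "Block macros from running in Office files from the Internet"
    # (Office 2016 and later, per-application, current user). Assumed version key 16.0.
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Test-DefenderCoverage {
    # Step 3: a host whose agent is off, tampered with or stale is a blind spot.
    $s = Get-MpComputerStatus
    $maxSigAgeDays = 3   # assumed threshold for this example
    [pscustomobject]@{
        Host               = $env:COMPUTERNAME
        RealTimeProtection = $s.RealTimeProtectionEnabled
        TamperProtection   = $s.IsTamperProtected
        SignatureAgeDays   = $s.AntivirusSignatureAge
        Covered            = ($s.AMServiceEnabled -and $s.RealTimeProtectionEnabled -and
                              $s.IsTamperProtected -and $s.AntivirusSignatureAge -le $maxSigAgeDays)
    }
}

# Usage on this host: audit first, then enforce after reviewing events.
Set-RansomwareAsrRules -Mode AuditMode
Set-OfficeInternetMacroBlock
Get-RansomwareAsrState | Format-Table -AutoSize
Test-DefenderCoverage | Format-List
```

To turn the last check into the "regular scan" of step 3, run `Test-DefenderCoverage` across a host list with `Invoke-Command -ComputerName $hosts -ScriptBlock ${function:Test-DefenderCoverage}` and alert on any result where `Covered` is false; hosts that do not respond at all are the ones most worth chasing, since they are invisible to the tooling rather than merely misconfigured.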
Image credit: iStockphoto