RaaS: Wait for the BOOM!
- By Winston Thomas
- April 10, 2023
We all know that fighting cybersecurity threats is mainly one-sided.
Chief information security officers (CISOs) are busy keeping every threat actor out of their networks, but it takes only one threat actor getting through to manufacture chaos.
Ransomware made this asymmetric war worse. Threat actors use ransomware to disrupt and earn as companies go digital to find new opportunities, engage a more digital-savvy base, and drive data-driven efficiencies.
“Ransomware is a real challenge for companies that is more and more difficult to counter because of continuing digital transformation efforts, the increased uptake in internet or network connected devices, along with the ongoing move to cloud data storage or use of cloud-hosted solutions,” says Victor Keong, field chief information security officer for APJ at Cohesity.
It does not help that many companies are only now shoring up their recovery capabilities. For too long, the focus had been on stopping or keeping the intruders out; there was not enough attention on what a company needs to do when it is being ransomed.
“Companies now operate in a world where cyberattacks are likely a ‘when’ not ‘if’ scenario, which means it is not enough to focus on attack prevention and remediation. The recovery of data and restoration of business processes must become an objective for companies within their security posture,” says Keong.
But we know this. We’ve been talking about ransomware for years, and CDOTrends has been writing about it for some time. So what’s changed?
Well, ransomware is now a service for hire.
Redrawing the battle lines
Ransomware has been with us since Joseph Popp released the “AIDS Trojan” in 1989. That first attempt did not end well for Popp, who was arrested and later declared mentally unfit to stand trial.
In 1996, researchers Adam Young and Moti Yung at Columbia University, inspired by the facehuggers in the movie Alien, proposed an improved “cryptoviral extortion” approach built on hybrid encryption: the malware encrypts the victim’s data with a freshly generated symmetric key and then encrypts that key with the attacker’s public key, so nothing left on the victim’s machine can recover the data. The researchers also suggested e-money as a means to pay the ransom, long before cryptocurrency entered the market.
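As an added illustration, not code from the article or from Young and Yung’s paper, the Go program below shows that hybrid construction on an in-memory byte string: a fresh AES-256-GCM data key encrypts the content, RSA-OAEP wraps the data key under the “attacker” public key, and the unwrapped data key is then zeroed, so only the holder of the private key can open the result. The key pairs, the sample text and the `hybridSeal`/`hybridOpen`/`newKeyPair` helpers are this example’s own assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"log"
)

// Wrapped is what a cryptoviral extortion payload leaves behind: the
// ciphertext, the GCM nonce and the data key encrypted under the attacker's
// RSA public key. None of it decrypts without the matching private key.
type Wrapped struct {
	Ciphertext []byte
	Nonce      []byte
	WrappedKey []byte
}

// newKeyPair generates a 2048-bit RSA key pair (hypothetical attacker key).
func newKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// hybridSeal encrypts plaintext under a fresh random AES-256 key (AES-GCM),
// wraps that key with RSA-OAEP under pub, then zeroes the plaintext key so
// the wrapped copy is the only one left.
func hybridSeal(pub *rsa.PublicKey, plaintext []byte) (*Wrapped, error) {
	key := make([]byte, 32) // AES-256 data key
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)

	wrappedKey, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	for i := range key { // discard the only unwrapped copy of the data key
		key[i] = 0
	}
	return &Wrapped{Ciphertext: ciphertext, Nonce: nonce, WrappedKey: wrappedKey}, nil
}

// hybridOpen is the recovery path the victim does not have: unwrap the data
// key with the RSA private key, then decrypt and authenticate the content.
func hybridOpen(priv *rsa.PrivateKey, w *Wrapped) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, w.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, w.Nonce, w.Ciphertext, nil)
}

func main() {
	attacker, err := newKeyPair()
	if err != nil {
		log.Fatal(err)
	}
	other, err := newKeyPair() // stands in for any key the victim might hold
	if err != nil {
		log.Fatal(err)
	}
	doc := []byte("constructed sample: quarterly ledger, 2023-Q1")

	w, err := hybridSeal(&attacker.PublicKey, doc)
	if err != nil {
		log.Fatal(err)
	}
	if _, err := hybridOpen(other, w); err != nil {
		fmt.Println("victim-side recovery fails:", err)
	}
	got, err := hybridOpen(attacker, w)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("attacker-side recovery succeeds:", bytes.Equal(got, doc))
}
```

The defender’s takeaway is in the last step of `hybridSeal`: once the data key is wrapped and zeroed, nothing recoverable remains on the host, which is why isolated, restorable backups rather than key recovery are the realistic way back.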
Since then, ransomware has exploded. Attackers have used SMS-based lockers and even fake Windows Product Activation notices that had victims phoning numbers that racked up long-distance charges.
Today, names like Petya and WannaCry highlight the effectiveness of ransomware. Critical infrastructure has become a prime target: DarkSide’s May 2021 attack on Colonial Pipeline, which shut down the largest fuel pipeline on the US East Coast, was a case in point, and Russia’s 2022 invasion of Ukraine has only raised the stakes for infrastructure operators.
“The Cybersecurity Agency of Singapore, in their latest report, found ransomware increased 54% in 2021 compared to 2020. Sophos reported that 65% of Singaporean organizations surveyed in its ‘State of Ransomware 2022’ report were hit with ransomware in 2021, up from 25% in 2020. Therefore, the threat of ransomware for Singaporean companies is real and requires companies to prioritize modern data security and management capabilities,” says Keong.
Democratizing ransomware
Ransomware-as-a-Service (RaaS) is a significant leap forward for ransomware. It allows anyone to be a ransomware threat actor.
“It is a form of ransomware where less technically able or equipped cybercriminals are provided with a ransomware offering that allows them to execute ransomware attacks, often faster or more frequently than if they were to do it alone,” says Keong.
The most crucial point about RaaS is that it lowers the barrier to entry for would-be threat actors. Anyone with access to the service and the right cash can attack.
This is not just bad news for companies; RaaS makes it more challenging for law enforcement to catch cybercriminals.
“The challenge of catching out cybercriminals becomes more complex with the increased number of threat actors, which is why most authorities around the world advise against paying ransoms,” says Keong.
Another problem is that RaaS gives ransomware developers a business model: the operators build and maintain the malware and its infrastructure while affiliates carry out the intrusions, typically splitting the ransom. Since the developers are not directly involved in the attacks, they can focus on innovation and experimentation.
“What makes RaaS different from other cyber threats is the sophistication of the business model behind it. RaaS kits often come with features or benefits like 24/7 ‘customer support’, user reviews, dedicated forums, and even bundle offers — all attributes that a business or technology leader would expect from their technology providers,” says Keong.
RaaS effectively commoditizes ransomware, creating a sub-economy all on its own. “If we take cybercrime as an economy, then Ransomware could be seen as a highly profitable industry driving the cybercrime economy, and RaaS as a highly pervasive and profitable business model,” says Keong.
As a result of RaaS, ransomware attacks are soaring. RaaS kits such as Locky, Goliath, and Shark target different vulnerabilities and technology infrastructure. DarkSide, Hive, and REvil have also reportedly used RaaS techniques or issued RaaS kits, points out Keong.
Navigating ransomware tyranny
Ransomware is also reaching a new stage in its evolution.
LAPSUS$ offers a good example. “Unlike more traditional ransomware attacks that focus on demanding ransoms with a threat to encrypt or delete data if ransoms are not met, with LAPSUS$ they have threatened to leak sensitive data if ransom demands are not met,” says Keong.
Sometimes called leakware or doxware, these attacks command lucrative ransoms because leaked sensitive data can hit the top and bottom lines of large organizations, or even countries, and sometimes put lives at risk.
“In October 2022, one of Australia’s largest private health insurers, Medibank Private, was hit with an attack where the attacker followed the approach of threatening to leak data if their USD10 million ransom demand was not met. Medibank Private didn’t comply with this demand, so the attack leaked the health records of over 300 high-profile Australians, including politicians, celebrities, sports stars, and business leaders,” says Keong.
The problem for CISOs is that paying ransoms does not guarantee the problem will disappear. “It’s also important to note that even if this ransom was met, the attacker could still have leaked the data or a subset of it, which is why organizations should not pay ransoms,” adds Keong.
At the same time, the blast radius of a ransomware attack is widening.
“Unlike a ransomware attack where bad actors encrypt production data or lock up production and backup data — Ransomware 1.0 and 2.0 — with Ransomware 3.0, the blast radius of the attack is increased because of the target and scope of the attack,” says Keong.
“Exfiltration attacks with a threat to leak data are still ransomware attacks, however, organizations should recognize this as an evolution of ransomware, a particularly malicious evolution, which requires the adoption of crucial capabilities,” he explains.
Prepare for ransomware
Keong believes ransomware is here to stay. And with RaaS, it is only going to get more prolific.
“As RaaS and the evolution of ransomware demonstrate, malicious actors will look to leverage new technology to their advantage in any way that offers them success,” says Keong.
Companies need to recognize this reality and adopt modern data security and management capabilities “that allow them to effectively protect their technology infrastructure and data, regardless of how cybercriminals choose to innovate,” he adds.
CISOs need to keep up with new data security and management capabilities. These include machine learning-based anomaly detection that alerts when data changes in uncharacteristic ways (a sudden spike in the rate of change is a tell-tale sign of mass encryption), encryption of data in transit and at rest with AES-256, multi-factor authentication, role-based access control (RBAC), and quorum control, which requires more than one administrator to approve destructive actions such as deleting backups. Together, these capabilities help companies counter ransomware 3.0 and exfiltration attacks.
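As an added example, not from the article or from any vendor product, the Go program below shows the detection idea behind the first capability in that list on constructed backup statistics: it scores each snapshot’s data change ratio against a robust baseline of the preceding seven snapshots and alerts when the ratio jumps the way it does when files are encrypted in bulk. A median/MAD baseline stands in for the machine-learning models a product would use; the snapshot figures, the 1 TB volume, the thresholds and the function names are this example’s own assumptions.

```go
package main

import (
	"fmt"
	"math"
	"sort"
)

// Snapshot summarises one backup run of a protected volume: bytes rewritten
// since the previous run and the total protected size.
type Snapshot struct {
	Day          string
	ChangedBytes float64
	TotalBytes   float64
}

// Alert flags a snapshot whose change ratio is out of line with its history.
type Alert struct {
	Day   string
	Ratio float64 // fraction of data rewritten since the previous snapshot
	Score float64 // robust z-score against the trailing window
}

// changeRatio is the fraction of protected data rewritten since the last run.
// Mass encryption rewrites nearly everything, so it jumps from a few percent
// to most of the volume.
func changeRatio(s Snapshot) float64 {
	return s.ChangedBytes / s.TotalBytes
}

// median returns the middle value of xs without modifying the caller's slice.
func median(xs []float64) float64 {
	s := append([]float64(nil), xs...)
	sort.Float64s(s)
	n := len(s)
	if n%2 == 1 {
		return s[n/2]
	}
	return (s[n/2-1] + s[n/2]) / 2
}

// medianMAD returns the median and the scaled median absolute deviation: a
// baseline that one bad day inside the window cannot drag upwards the way a
// mean and standard deviation would.
func medianMAD(xs []float64) (med, mad float64) {
	med = median(xs)
	dev := make([]float64, len(xs))
	for i, x := range xs {
		dev[i] = math.Abs(x - med)
	}
	return med, 1.4826 * median(dev) // 1.4826 makes MAD comparable to a std dev
}

// minSpread floors the baseline spread at one percentage point so that a
// perfectly flat history does not turn every ordinary blip into an alert.
const minSpread = 0.01

// detectAnomalies scores each snapshot against the `history` snapshots before
// it and returns those whose change ratio exceeds median + threshold*MAD.
func detectAnomalies(snaps []Snapshot, history int, threshold float64) []Alert {
	var alerts []Alert
	for i := history; i < len(snaps); i++ {
		base := make([]float64, 0, history)
		for _, s := range snaps[i-history : i] {
			base = append(base, changeRatio(s))
		}
		med, mad := medianMAD(base)
		if mad < minSpread {
			mad = minSpread
		}
		ratio := changeRatio(snaps[i])
		score := (ratio - med) / mad
		if score > threshold {
			alerts = append(alerts, Alert{Day: snaps[i].Day, Ratio: ratio, Score: score})
		}
	}
	return alerts
}

// sampleSnapshots is a constructed series: nine days of ordinary churn on a
// 1 TB volume, then a day on which 62% of the data is rewritten.
func sampleSnapshots() []Snapshot {
	const total = 1000e9
	changed := []float64{12e9, 18e9, 15e9, 21e9, 11e9, 17e9, 14e9, 16e9, 19e9, 620e9}
	snaps := make([]Snapshot, len(changed))
	for i, c := range changed {
		snaps[i] = Snapshot{Day: fmt.Sprintf("day%02d", i+1), ChangedBytes: c, TotalBytes: total}
	}
	return snaps
}

func main() {
	for _, a := range detectAnomalies(sampleSnapshots(), 7, 5) {
		fmt.Printf("ALERT %s: %.1f%% of data rewritten (score %.1f)\n", a.Day, 100*a.Ratio, a.Score)
	}
}
```

The window length and threshold are the two knobs a team would tune against its own churn; the `minSpread` floor handles the edge case of a very quiet volume that would otherwise alert on any change at all.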
Keong notes that ChatGPT and other generative AI technology can help defenders but can also make the problem worse.
“The positive uses for ChatGPT in a security context include being able to generate or test code at speed, inform better decision making, help you test what information is publicly available given it’s a source-based technology, and it can help generate dummy phishing emails that can be used for employee testing and education,” says Keong.
On the flip side, Keong sees ChatGPT being used by threat actors for social engineering and phishing attacks, especially “as it helps eliminate the mistakes that tip the average user off, like poor formatting or spelling errors, to generate malware and ransomware code, help with password cracking, impersonate a company’s chatbots or online tools, and even organically search for publicly available material that could then be used in an extortion attempt.”
This is why Keong urges companies to understand and improve their cyber resilience. “Adopting a modern data security and management approach, built upon a strategy of implementing best practices and best-in-class technology capabilities, provides companies with the adaptability and confidence regardless of what the cyber threat landscape brings,” he says.
Merely paying lip service to cyber resilience is like flirting with a ticking time bomb. With RaaS able to turn anyone into a ransomware cybercriminal, it is only a matter of time before your infrastructure goes “BOOM!”
Winston Thomas is the editor-in-chief of CDOTrends and DigitalWorkforceTrends. He’s a singularity believer, a blockchain enthusiast, and believes we already live in a metaverse. You can reach him at [email protected].
Image credit: iStockphoto/Dennis Swanson - Studio 101 West Photography