Ransomware attacks have been damaging to their victims and profitable for the perpetrators. Unlike crimes driven by passion or dire need, they tend to be calculated, cynical and carried out by criminals and scammers who would likely be successful if they chose to start up legitimate businesses and work as hard as they do on their ransomware campaigns. Unfortunately, their methods are still evolving; perpetrators are more sophisticated, organized, and professional. Early attacks were ad hoc acts by individual hackers who used simple phishing to gain entry; now attacks have grown in both number of targets and complexity, often relying on shady cloud services that provide what has become known as “ransomware as a service,” or RaaS.
RaaS providers operate in the gray zone, between legal and illegal, with polished strategies, business models and formal operating methods to put them into practice. Marketing themselves on the dark web, RaaS providers line up clients interested in a single attack, several attacks, or even in maintaining the rough equivalent of a retainer relationship. Clients of RaaS providers pay a monthly fee, typically in cryptocurrency, for advice and assistance, sometimes including around-the-clock support that covers technical aspects of an attack and matters such as negotiations with a victim. The client also may share a portion of any payment extracted from a victim with the RaaS provider.
The Growing RaaS Model
While anecdotally it appears that a greater proportion of ransomware attacks are being carried out using the RaaS model, it is impossible to determine the number of these attacks, or how costly they are. Attribution is possible – in some cases, there are elements, such as snippets of malicious code, that can help authorities trace an attack back to a perpetrator known to be running a RaaS operation. When caught, attackers may give up relevant details. From the victims’ perspective, ransomware crimes appear the same, whatever the underlying organizational structure behind them might be. However, the RaaS model enables minimally skilled attackers to launch more sophisticated attacks.
RaaS providers sell expertise and prefer to keep the client at arm’s length to try to avoid detection and prosecution. As such, it can be harder to prosecute RaaS than conventional ransomware attacks because there are more moving parts, and they may move in several jurisdictions governed by competing laws and authorities. The advent of RaaS, and ransomware generally, has increased the momentum to harmonize laws and foster law enforcement cooperation in this area.
RaaS providers are increasingly conducting business by taking advantage of the economics of cloud-based computing and storage the same way their victims do, much like infrastructure as a service (IaaS) providers. The participation of most IaaS companies is usually unintentional, and the desire to maintain clients’ data security – and their own reputations for safety – makes legitimate IaaS providers a formidable ally in the war against ransomware and RaaS providers.
Don’t Be a Victim
Just as in legal commercial undertakings, ransomware skills are continually honed and standards elevated through competition. As RaaS providers raise their game, the stakes for potential targets are also raised. The threats they face will be more acute, at least until cybersecurity professionals and law enforcement raise their game, too, and improve their methods for combating threats – but organizations that find themselves on the wrong end of an attack are not helpless. There are precautions organizations can take, many of which require only modest human or financial resources and are fairly simple to implement. The Center for Internet Security identified 18 basic, commonsensical “Critical Security Controls” that should go a long way to fending off RaaS, and other types of ransomware attacks, and mitigating damage. There is much overlap among the 18 controls, allowing them to be grouped into four broad measures:
- Take inventory of your electronic assets. You can’t protect what you don’t know you have. Take stock of all devices, fixed, portable or mobile, that can connect to your technology platforms physically or remotely. This will allow you to spot any unauthorized or unmonitored devices and remove them or make them secure. Do the same with software assets, including operating systems, programs and apps. Review credentials and permissions for each employee, and limit access, whether from your organization’s devices or your employees’ personal devices, on-premises or remote, to only those files, folders, apps, programs and external websites that are appropriate for their duties, and no others.
- Monitor access points. Your infrastructure is most at risk of a breach at the points where it meets the outside world. Enhance malware detection and defense techniques, focusing particularly on these points, and on the means through which a breach is most likely to occur, such as web links and emails. This, plus a rigorous permissions regime, could prevent a considerable expenditure of time and money.
- Anticipate vulnerabilities and respond to threats. Vulnerabilities can be limited but never eliminated, so you should prepare for the worst to make sure the impact is not as bad as it otherwise might be. Use industry resources to stay aware of the latest threats and ensure that your operating system and other software are updated and patches applied when available. The biggest vulnerability is reusable passwords. Most financial services now require Multi-factor Authentication (such as text messages sent to the user’s registered mobile phone number) for login.
- Make the most of your human assets. Some vulnerabilities within an organization may walk on two legs and draw a paycheck. If properly trained and prepared, however, your employees can be an additional factor to aid in thwarting attackers. Their understanding of, and reaction to, ransomware attacks and other threats should be evaluated and sharpened through the development of security awareness programs that establish procedures to change user behavior when they are presented with a bogus email or web page. There should be simulations of threat scenarios to put these procedures, and your employees’ preparations – and those of senior management and security officials – to the test.
- Invest in your security team’s skills and tools. The cybersecurity workforce gap is a hot topic throughout the industry, but some security organizations have found that there is more of a skills gap than a headcount shortfall. By upskilling security analysts in critical areas such as cloud security, purple teaming and machine learning, the need for additional staff is reduced.
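The first of these controls, the device inventory, is the one most easily turned into a routine check. The script below is an added example, not code from the author or from the Center for Internet Security: it assumes the inventory is a simple MAC-to-hostname table (constructed here) and that observed devices come from the DHCPACK lines an ISC dhcpd server writes to syslog (also constructed), and it reports devices that are unauthorized (seen but not in inventory), unmonitored (in inventory but with no endpoint agent), renamed, or missing (in inventory but never seen).

```python
import re

# Constructed sample: syslog lines in the format ISC dhcpd emits for DHCPACK.
DHCP_LOG = """\
Mar  3 09:12:01 dhcp dhcpd[812]: DHCPACK on 10.0.1.20 to 00:11:22:33:44:01 (fin-laptop-01) via eth0
Mar  3 09:12:44 dhcp dhcpd[812]: DHCPACK on 10.0.1.21 to 00:11:22:33:44:02 (hr-desktop-07) via eth0
Mar  3 09:15:09 dhcp dhcpd[812]: DHCPACK on 10.0.1.57 to de:ad:be:ef:00:99 (android-3f2a) via eth0
Mar  3 09:20:30 dhcp dhcpd[812]: DHCPACK on 10.0.1.20 to 00:11:22:33:44:01 (fin-laptop-01) via eth0
"""

# Constructed asset inventory (hypothetical): MAC -> (expected hostname, endpoint agent installed?)
INVENTORY = {
    "00:11:22:33:44:01": ("fin-laptop-01", True),
    "00:11:22:33:44:02": ("hr-desktop-07", False),
    "00:11:22:33:44:03": ("ops-server-02", True),
}

ACK_RE = re.compile(r"DHCPACK on (\S+) to ([0-9a-fA-F:]{17}) \((\S+)\)")

def observed_devices(log: str) -> dict:
    """Map each MAC seen in DHCPACK lines to (last IP, hostname the device announced)."""
    seen = {}
    for line in log.splitlines():
        m = ACK_RE.search(line)
        if m:
            ip, mac, host = m.groups()
            seen[mac.lower()] = (ip, host)
    return seen

def reconcile(log: str, inventory: dict) -> dict:
    """Compare what the network actually saw with what the inventory says should exist."""
    seen = observed_devices(log)
    report = {"unauthorized": [], "unmonitored": [], "renamed": [], "missing": []}
    for mac, (ip, host) in seen.items():
        if mac not in inventory:
            report["unauthorized"].append((mac, ip, host))   # on the network, not in inventory
            continue
        expected_host, has_agent = inventory[mac]
        if host != expected_host:
            report["renamed"].append((mac, expected_host, host))
        if not has_agent:
            report["unmonitored"].append((mac, host))        # known device, no endpoint agent
    for mac, (host, _) in inventory.items():
        if mac not in seen:
            report["missing"].append((mac, host))            # inventory entry never seen online
    return report

if __name__ == "__main__":
    for finding, items in reconcile(DHCP_LOG, INVENTORY).items():
        print(finding, items)
```

In practice the inventory would be loaded from the asset database and the log read from the DHCP server, but the reconciliation logic is the same.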
Given that the RaaS model can facilitate ransomware attacks and make them a feasible option for a broader population of bad actors, it is essential to take steps like these. Then, be sure to continually evaluate the threat landscape, and monitor your systems and people, to assess, maintain and improve readiness. RaaS providers are turning ransomware into a more efficient, more lucrative line of business. You need to remain vigilant to ensure that your systems and data will never be a source of profit for them.
About the author: John Pescatore joined SANS as Director of Emerging Security Trends in January 2013 with 35 years of experience in computer, network and information security. He was Gartner’s Lead Security Analyst for 13 years, working with global 5000 corporations and major technology and service providers. Prior to joining Gartner Inc. in 1999, Pescatore was a Senior Consultant for Entrust Technologies and Trusted Information Systems. Prior to that, Pescatore spent 11 years with GTE developing secure computing systems. Pescatore began his career at the National Security Agency, where he designed secure voice systems and at the United States Secret Service, where he developed secure communications and surveillance systems. He holds a BSEE from the University of Connecticut and is an NSA Certified Cryptologic Engineer.