In 2021, the world experienced nearly 2,700 ransomware attacks, virtually doubling the number of attacks in 2020, according to cybersecurity advisor NCC Group. Security researcher Unit 42 found that ransomware criminals demanded an average of $2.2 million from each victim last year, which represented a 144% increase over 2020. What’s unknown is exactly how many of those attacks started as ransomware as a service (RaaS), but a threat report by Sophos said that as many as 60% of ransomware attacks over the past 18 months were perpetrated by ransomware-as-a-service groups.
What Is Ransomware as a Service?
While all ransomware involves infiltrating organizations and stealing data and/or depositing malicious payloads, ransomware as a service goes about the process differently. Instead of one group targeting a victim and then developing and launching an attack, ransomware as a service makes it so someone with little hacking experience can attack.
Experienced hackers develop ransomware “toolkits” containing some of or all the components needed to perpetrate an attack. Kits can provide the malware itself, a list of potential targets, a dashboard to track ransomware campaigns, and support for ransom negotiations.
Ransomware-as-a-service developers will sometimes even provide customer service agents who can advise affiliates on how to use the ransomware. Furthermore, agents may even walk victims through the process of procuring cryptocurrency and transferring it to the hacker in exchange for a decryption key. What is included in a package depends on what the customer ultimately wants to do.
Ransomware-as-a-service providers typically function just like any other technology business. As such, they are known to offer various options for customers to engage their services:
- A monthly RaaS subscription for a flat fee
- An affiliate program that shares some percentage of the profits with the ransomware-as-a-service operator
- A one-time license fee without profit sharing
- Pure profit sharing
“Enterprising and capitalistic hackers learned quickly that they could sell services for a lot of money without having to get involved in the actual attack itself,” explained Jon Clay, vice president of threat intelligence at Trend Micro. “That way, they are removing themselves from getting arrested, since the people who are likely to get arrested are those who perpetrate the actual attack.”
Other criminal entities can also get involved, as well. For example, a would-be perpetrator might also purchase network access to a target from a network access broker. Network access brokers typically use remote desktop protocol, virtual private networks (VPN), web shells, and other legitimate remote-access tools to breach networks. They then sell access to those networks. Purchasing network access from a broker can cost as little as a few thousand dollars.
“RaaS is a business model very much like a legitimate market with market differentiation,” explained Keegan Keplinger, research and reporting lead at eSentire. “Each person owns their phase of the process, which opens up to a bigger labor pool that can compete with each other.” As a result, everybody can perfect their offering, giving ransomware-as-a-service buyers a choice of options that will fit their needs.
All these factors make ransomware as a service insidious and difficult to track down. It’s easy, profitable, and increasingly popular because of the availability of toolkits, and it’s virtually unconstrained by laws or enforcement bodies.
And RaaS developers aren’t lazy. Just like the good guys, they purchase ransomware defense tools, which they learn how to get around. They also have access to the same threat intelligence that organizations use to harden their security capabilities.
What Does Ransomware as a Service Mean for IT Pros?
IT professionals should be concerned about the proliferation of ransomware as a service. There are key steps you can take to protect your organization from attacks.
Develop a Response Plan
The best time to plan for a ransomware attack is definitely not when you’re in the middle of one, said Tanner Johnson, a principal analyst for data security at Omdia. Instead, take the time to assess your capabilities and weaknesses and develop a ransomware response plan. There is plenty of guidance to help prepare, including the federal government’s Cyber Security Evaluation Tool Ransomware Readiness Assessment and multiple publications from NIST.
Ensure Your BCDR Plan Will Cover You
While most companies have business continuity and disaster recovery (BCDR) plans, these often aren’t fully compatible with combatting ransomware.
“These are plans that have existed for generations and are designed to outline the specific protocols, policies, responsibilities, and chain of command in the event of a crisis,” Johnson said. “It’s important to incorporate cyber-incident response plans into those plans by delineating what your organization’s ‘crown jewels’ are, what critical data assets you need to function fully, and whether you have external, offline gold image copies of the data you can use to replace encrypted, corrupted, or [ransomed] information at a moment’s notice.”
Other Important Processes
Ransomware protection should also include:
- Periodic phishing and social-engineering awareness training for employees
- Vulnerability assessment and penetration testing
- Regular backups
- Data encryption
- Software and hardware updates
- Network segmentation
It’s also worth conducting periodic code reviews. Ransomware is a multidimensional problem that starts at the technical level with how coders write applications. That’s especially true when it comes to communications, because that’s where remote attacks tend to be successful. “Handling the communication between applications and the processes of the application itself, like how it accepts and inputs code, is important to code security,” Keplinger explained. “If you enforce good code and good rules, you reduce the chance of the service or tool being abused.”
Implement Necessary Tools
After developing these processes, the next step is to ensure that your organization has the right tools. This includes good threat intelligence capabilities, next-generation firewalls, and intrusion detection and prevention. The ability to monitor processes at all levels (e.g., the files being created and DLLs being loaded) is also important and best accomplished via endpoint monitoring. Other important technologies include VPNs with multifactor authentication and vulnerability management systems.
Organizations should also aim to deploy extended detection and response (often called XDR) and zero-trust security, which Clay said helps organizations respond quickly to anomalies inside the network.
With the right processes and tools, it’s more likely you can catch hackers before they do significant damage. Usually, threat actors will leave when they get noticed.
Get the Right Security Skills
Having a skilled staff onboard is as equally important as having the right tools and processes in place. “There are real people intruding on your systems, and they are creative and intelligent, so they can get around defenses by thinking their way around them,” Keplinger said. “To counter that, you need human agents on your side. Automation and AI are helpful, but a human should be managing all of these tools and reacting with the same kind of creative intelligence.”
If All Fails
So, what can you do if you get hit? Clay recommended negotiating with the criminals and seeing if you can reduce the ransom payment amount.
And don’t keep the attack to yourself. Contact law enforcement, Johnson said. “Get the FBI or another agency involved to help you, because, ultimately, they want to track these people down and get them to stop,” he said. The FBI, for example, recently created a new arm called the Virtual Assets Unit that helps organizations hit by ransomware.
As ransomware as a service continues to proliferate in the dark, IT professionals must become increasingly vigilant.
To make sure you cover your bases, Johnson recommended frequently reviewing and revising ransomware detection and response plans, processes, and tools. In addition, keep your employees updated on the dangers of ransomware and what to look out for.
About the authorKaren D. Schwartz is a technology and business writer with more than 20 years of experience. She has written on a broad range of technology topics for publications including CIO, InformationWeek, GCN, FCW, FedTech, BizTech, eWeek and Government Executive.