Ransomware as a service: A new wrinkle on an old threat

The rise of ransomware as a service is opening up the hacking talent pool, giving amateurs access to a sophisticated ransomware toolkit. So how do we level up to get ahead? By John Pescatore, SANS Director of Emerging Security Trends

Johannesburg, 08 Nov 2022

Ransomware is now the most significant online threat facing the UK. While destructive for the victims, it can be hugely profitable for an emerging hacker talent pool. It’s a booming business that has seen hackers run rampant, using professional and sophisticated tactics to get a slice of the highly profitable ransomware pie. The cyber security arms race is in full swing, with criminals ramping up tactics, sophistication and never-ending tricks. Attacks that were once ad hoc acts by hackers using simple phishing to gain entry have become complex and targeted, using the latest ‘toolkit’. Ransomware as a service (RaaS) is now a vital part of the puzzle: a new wrinkle on an old threat, the RaaS model puts sophisticated tooling in the hands of amateur hackers.

From the shadows to the grey zone

RaaS providers have strategies and business models, and they use polished, formal operating methods to put them into practice. Marketing themselves on the dark web, they line up clients interested in a single attack, perhaps several, or even the rough equivalent of a retainer relationship. The client can pay a monthly fee, usually in cryptocurrency, for advice and assistance, sometimes including around-the-clock support that covers the technical aspects of an attack as well as matters such as negotiations with a victim. The client may also share a portion of any payment extracted from a victim with the RaaS provider.

Providers have upped their game to avoid detection.

While it appears that a growing proportion of ransomware attacks are being carried out using the RaaS model, it is impossible to determine the number of such attacks or how costly they are. Attribution is possible – in some cases there are elements, such as snippets of malicious code, that can help authorities trace an attack back to a perpetrator known to be running a RaaS operation, and attackers, when caught, may give up relevant details. From the victims’ perspective, ransomware crimes look the same whatever organisational structure lies behind them.

However, the RaaS model enables minimally skilled attackers to launch more sophisticated attacks – much the same way modern audio processing tools like Autotune can make tone-deaf singers sound like stars.

RaaS providers sell expertise and prefer to keep the client at arm’s length to avoid detection and prosecution. Indeed, it can be harder to prosecute RaaS than conventional ransomware attacks because there are more moving parts, and they may move across several jurisdictions governed by competing laws and authorities. The advent of RaaS, and of ransomware generally, has increased the impetus to harmonise laws and foster law enforcement co-operation in this area.

Infrastructure-as-a-service (IaaS) providers and RaaS providers have one thing in common: the latter increasingly do business with the former, taking advantage of the economics of cloud-based computing and storage the same way their victims do. Most IaaS companies participate unwittingly, and their desire to maintain their clients’ data security – and their own reputations for safety – makes legitimate IaaS providers a formidable ally in the war against ransomware and RaaS providers.

Just as in legitimate commercial undertakings, ransomware skills are continually honed and standards are raised through competition. As RaaS providers raise their game, the stakes for potential targets rise with them. The threats they face will be more acute, at least until cyber security professionals and law enforcement raise their own game and improve their methods for combating those threats.

Building cyber resilience

But organisations that find themselves on the wrong end of an attack are not helpless. They can take precautions, many of which require only modest human or financial resources and are relatively simple to implement. The Centre for Internet Security identified 18 basic, common-sense critical security controls that should go a long way to fending off RaaS and other types of ransomware attacks and to mitigating damage should one occur. There is much overlap among the 18, allowing them to be grouped into four broad measures:

  • Take inventory of your electronic assets. You can’t protect what you don’t know you have. Take stock of all fixed, portable or mobile devices that can connect to your technology platforms physically or remotely. This will allow you to spot any unauthorised or unmonitored devices and remove them or make them secure. Do the same with software assets, including operating systems, programs and apps. Review credentials and permissions for each employee and limit access – via your organisation’s devices and your employees’ personal devices, on-premises and remote – to the files, folders, apps, programs and external websites that are appropriate for their duties and no others.
  • Monitor external connections. Your infrastructure is most at risk of a breach at the points where it meets the outside world. Enhance malware detection and defence techniques, focusing particularly on these points and the means through which a breach is most likely to occur, such as web links and e-mails. This, plus a rigorous permissions regime, could prevent a considerable expenditure of time and money if Dave from accounting decides to click on the wrong Pornhub banner ad when he is supposed to be processing invoices.
  • Anticipate vulnerabilities and respond to threats. Vulnerabilities can be limited but never eliminated, so prepare for the worst to ensure the impact is not as bad as it might be. Use industry resources to stay aware of the latest threats, and ensure that your operating system and other software are updated and patches applied when available. The most significant vulnerability is reusable passwords. Most financial services now require multi-factor authentication (such as text messages sent to the user’s registered mobile phone number) for login. Using this simple form of MFA stymies over 99% of all phishing attacks.
  • Back up critical data. Some ransomware attacks will encrypt your data and hold it hostage. If you have working and tested backups, you can keep business running and customers safe.
  • Make the most of your human assets. Some vulnerabilities within an organisation may walk on two legs and draw a paycheque, like Dave from accounting. If properly trained and prepared, however, your employees can be an additional factor to aid in thwarting attackers. Their understanding of and reaction to ransomware attacks and other threats should be evaluated and sharpened through the development of security awareness programmes that work to change user behaviour when presented with a bogus e-mail or web page. There should be simulations of threat scenarios to put these procedures and your employees’ preparations – and those of senior management and security officials – to the test.
  • Invest in your security team’s skills and tools. There is a lot of press hype about a “cyber security staffing shortfall”, but successful security organisations have found that there is more of a skills gap than a headcount shortfall. By upskilling security analysts in critical areas such as cloud security, purple teaming and machine learning, you get a double benefit: the need for additional staff is reduced, and surveys show that security staff who get regular training are less likely to jump to another company for a salary increase, so expensive attrition is reduced.

The new horizon

Given that the RaaS model can facilitate ransomware attacks and make them a feasible option for a broader population of bad actors, it is essential to take steps like these, then continually evaluate the threat landscape and monitor your systems and people to assess, maintain and improve readiness. RaaS providers are turning ransomware into a more efficient, more lucrative line of business. Remain vigilant to ensure that your systems and data will never be a source of profit for them.