Does this sound familiar: “Cyberattack prompts major pipeline operator to halt operations”? That’s the kind of headline that only a few years ago, was sci-fi stuff and just plain unthinkable. Yet, it’s true: a cybercrime gang, DarkSide had shut down a vital pipeline, rendering it unusable in the worst cyberattack to date involving critical US infrastructure.
The infamous group had infiltrated the network, encrypting the data to run it, and promising not to budge until it received a large Bitcoin ransom. Such developments do not bode well for corporate organizations and governments, but ransomware gangs are fast “professionalizing” cybercrime. The industry they’re creating off the notorious tools and services they build is called Ransomware as a Service or RaaS.
In essence, if a criminal seeks to go into the business of cyber extortion without having the skills to develop malicious software from scratch, hacker collectives such as DarkSide, are willing to help. Two-thirds of all attacks use this approach, and successful attacks earn perpetrators millions of dollars per victim.
A High-Level Overview of Ransomware as a Service
Businesses must confront the growing threat from targeted ransomware before ugly outcomes begin to show up. Oil pipelines are not the only victims of ransomware attacks. In 2021 alone, everyone from multinational tech companies, international meat producers, and even smaller regional entities have been victims of ransomware attacks.
Reports state that the average true cost of a ransomware attack is around ten times more than the actual ransom. Quite notably, only one in 10 companies who complied to pay a ransom got all their data back.
Ransomware as a Service enables developers to sell or lease malware to unscrupulous users on the dark web. These affiliate schemes allow low-level attackers to distribute and manage ransomware campaigns. A successful attack allows the ransomware developer to earn a decent percentage on every ransom paid for the decryption key.
Researchers at Group-IB, a cybersecurity company, report that nearly 60% of ransomware attacks analyzed in 2020 emanated from criminals exploiting the RaaS model.
Ransomware as a Service has such a high demand now, that fifteen new ransomware affiliate schemes appeared in 2020. The list includes Avaddon, SunCrypt, and Thanos, among others. It’s clearly a loud call for companies to improve their data security.
Like in any other industry, there’s competition in the ransomware as a service business. In fact, competition among ransomware developers is so cutthroat that they started doing special “deals” or “promotions” to anyone interested in their tools. This makes things worse for potential victims.
According to Oleg Skulkin, one of Group-IB’s senior digital forensics analysts, such affiliate programs are bound to lure many in cybercrime. Such attacks have gained popularity to the point every existing corporate entity – big or small, no matter the industry – has become a potential target.
As more companies increasingly explore the remote working option, there has been an increase in the number of RDP (Remote Desktop Protocol) servers accessible by the public. These servers were the points of initial access for many ransomware operators.
How Ransomware Attacks Work
Every ransomware attack begins with the attacker gaining access to the organization’s computers and servers. There are four stages to the average ransomware attack:
- Acquisition of malware/code
- Target infection and spread
- Data extraction and persisting on impacted systems
The attacker encrypts files on an organization’s systems, often exporting sensitive data. The ransom demanded is in exchange of a decryption key and to ensure the confidential files are not published elsewhere. Each “area” has actors, and recently, there has been increased demand for extraction and monetization specialists in the ransomware supply chain.
As unusual as it sounds, monetization has bred a new species of negotiators. Experienced threat actors manage negotiations, ensuring there’s maximum pressure on victims to make them “pay up.” Telephone calls, distributed denial-of-service (DDoS) attacks, threats to publish stolen information, and so forth are some of the tactics in ransomware attacks to ensure that victims pay the ransom.
The role of negotiators
Coordinators of a ransomware attack wish to earn a reasonable sum for their “efforts,” while it’s important to be able to effectively negotiate in conversational English. These two elements have been critical in ensuring that the role of a negotiator has become one of the most important in ransomware attacks. Indeed, the ransomware ecosystem, as KELA’s Victoria Kivilevich calls it, is akin to a company with a variety of roles within and multiple outsourcing activities (such as the negotiator role).
The role of access brokers
Another in-demand role in ransomware attacks is that of the initial access broker. Privileged access to compromised networks is now expensive. Achieving domain admin- level access pushes listings to anywhere between 25% to 115% higher in prices.
Is There Any Defense Against Ransomware as a Service?
Though there have been many successful ransomware attacks, including several high- profile ones, there are numerous ways to ensure your company does not become a victim. They include using uncommon and sophisticated passphrases to limit public access to RDP.
Simple but efficient steps such as the following can help to ensure you don’t become a victim of RDP compromise:
- Restrict IP addresses that can be useful in making external RDP connections.
- Limit the number of login attempts within a specific time frame.
- Enable multi-factor authentication or MFA to limit an attacker’s access even if they succeed in breaching an account.
- Apply security patches and updates as soon as they become available. This alone ensures that criminals have little chance of exploiting known vulnerabilities.
- Lower your exposure through continuous monitoring and automated response.
- Leverage modern vulnerability and security incident management solutions to support your IT teams.
These four steps might not be everything that keeps you impenetrable to ransomware attacks. However, they can help prevent your organization from becoming a victim of RaaS attacks. You’ll improve your cybersecurity posture and also avoid paying ransom that encourages these schemes.
Skulkin adds that if companies continue to pay ransoms that attackers can only right attacks will only grow in proportion, scale, and sophistication.
It’s advisable to be proactive about your company’s IT, security, and risk infrastructure. For robust data protection, your company could leverage IPSYSTEMS’ knowledge and expertise. What’s more they are a trusted cybersecurity partner of companies here in the Philippines.