Ransomware attacks commanded headlines globally in 2022 and show no signs of slowing down as we move into the new year. As enterprise digital transformation creates new opportunities to exploit vulnerabilities, the average ransomware payment demand has now increased to over $2 million according to research from Unit 42, with the average payment breaching $500,000.This cyberattack category has spawned an increasingly professionalized industry worth billions of dollars to threat groups and shows no signs of letting up.
One of the biggest developments in recent years has been the rise of productized ransomware, also known as Ransomware-As-A-Service (RaaS). RaaS provides entry-level cybercriminals with the ability to license software to execute attacks with speed and efficiency. The ransomware ecosystem continues to evolve at a rapid pace, and when it comes to RaaS, here’s what you should be looking out for.
The rise of the ransomware underground economy
The RaaS model provides a significant amount of flexibility and benefits for both ransomware groups and associate affiliates. Like RaaS’ software counterpart, RaaS providers develop and deliver the actual ransomware to affiliates - and sometimes criminals pay for short-term subscriptions too. Attackers can take advantage of ransomware products that are rapidly updated and tweaked following detection or attention from law enforcement, which increases their capacity for damage and allows them to adapt through trial and error until they find the right combination for their use case.
Today, the dark web is where the majority of cybercriminals operate, and in that encrypted ecosystem they can access billions of verified combinations of usernames and passwords exposed through theft and data breaches. Would-be attackers now can access RaaS solutions through a variety of illegal marketplaces where they can pick and choose tools, malware and even direct corporate access. This has the knock-on effect of making it significantly more challenging for defenders to attribute attacks to particular criminal organizations, and for threat actors to remain anonymous due to the decentralization of services.
As a result, RaaS lowers the technical barrier of entry for conducting these cyberattacks. This raises the appeal of RaaS to potential cybercriminals looking to expand their horizons, freeing them from the technical knowledge requirements necessary to break into an organisation's network.
Anna Chung is a Principle Researcher at Palo Alto Networks Unit 42.
Affiliate networks and burgeoning ransoms
As part of the RaaS model, criminal groups provide infrastructure, adaptable encryptors, decryptors, and services for negotiation communications, as well as websites for leaking the stolen data when victims don’t pay the ransom demand. Affiliates identify network intrusion opportunities and deployment of the ransomware itself. They take a significant fee from the ransom, typically 70-80% of the total payment.
The more sophisticated RaaS providers offer subscribers a portal to view the status of all infections, ransom payments, and other sensitive information about their targets. It’s not necessarily that easy to get involved, however; many would-be affiliates are vetted through a series of tests or interviews to get into the program. Some groups even operate on a referral system where an affiliate vouches for another criminal to join, making both parties accountable. Once an affiliate joins the program, they can access the portal and choose the type of malware they want to use at their leisure.
Multi-extortion techniques, where attackers not only encrypt the files of an organization but also name and shame their victims and/or threaten to launch additional attacks - such as distributed denial of service (DDoS) attacks - are increasingly part and parcel of RaaS tactics. In 2021, the names and proof of compromise for 2,566 victims were publicly posted on ransomware leak sites by the Conti ransomware group, marking an 85% increase compared to 2020.
Ransomware gangs target victims using these tactics with the intention of pressuring them to pay more and with greater urgency – though how effective such approaches are depend somewhat on how sensitive the data they’ve stolen truly is. In 2021, 35 new ransomware groups were found to be using double-extortion techniques, which means they demanded a ransom and then alerted victims they would publish the data they had stolen publicly unless the ransom was paid. This shows how cybercriminals are increasingly promoting the use of multi-extortion techniques designed to increase the financial toll and immediacy of threats whilst contesting other ransomware groups for business.
Education and fighting back
Fighting back against the challenge of productized ransomware requires a multifaceted cyber threat engagement strategy. Maintaining good general cyber hygiene and implementing security awareness training are the foundational starting points, but there are several steps organizations can take to reduce the risk and impact of a successful RaaS attack.
Analyzing the business impact of losing critical data is vital to help stakeholders across the organization understand the risks at play. This requires a comprehensive audit of any potential upstream and downstream consequences to help prioritize efforts as well as to help update business continuity plans. Threat actors can be extremely aggressive so identifying exposed assets and maximizing the visibility of associated risks is important, particularly when it comes to information technology (IT) and operation technology (OT) assets.
When facing a current RaaS attack, acting rapidly is key. Creating and maintaining an up-to-date cyber security incidence response plan in place helps to keep organizations ahead of the curve by enabling them to know the capacity of cyber defense teams and the external support they need, as well as documented processes in place that identify the key stakeholders required to take quick and effective action. This can be put in place and supported by dedicated incident response experts as an extension of your team to help create a predictable incident response budget, enabling quicker action to minimize the impact of an attack.
If devised and implemented properly, a cybersecurity incident response plan can also provide structure to prevent future attacks by identifying weaknesses and gathering valuable threat intelligence. Complementing this with a data recovery plan will further add peace of mind from a business continuity perspective - ransomware groups know how difficult it is to survive without access to data, so making sure that data can be recovered quickly and effectively is paramount.
