2019 Has been an interesting year for Ransomware thus far. After plaguing countless victims with dreaded ransom notes and bringing some pretty large corporations to their knees, the attack method built a strong reputation for inflicting cyber terror on consumers and businesses. As cyber criminals noticed increasing success from this method, the trends shifted towards more targeted enterprise attacks with the potential for more lucrative payouts. Furthermore, criminals saw the growing demands for these attacks on the Dark Web as a business opportunity to make attack kits more easily accessible. This new realm of service would essentially remove the burden of coding and crafting attacks from the criminals, thus reducing the difficulty of launching such attacks. What once required tons of planning and preparation, could now be purchased as a subscription or service – just as you would an email account or a video streaming service. Welcome to the rise of ransomware as a service.
What is ransomware?
Also termed digital extortion, Ransomware is a form of cyber – attack in which criminals block access to prized digital possessions or resources and demand payment for their release. There are many variations of ransomware attacks, but the common goal is usually to extort companies or users for money. For example, an attacker may encrypt all of your data and ask for payment in exchange for the decryption key. Without the key, your operations could end up being crippled.
What is Ransomware as a Service (RaaS)?
One of the biggest trends in technology over the last decade has been the growth of subscription-based service models and products. Examples include Software as a Service (SaaS), Platform as a Service (PaaS, Infrastructure as a Service (IaaS) and more. Instead of building software or installing software directly in corporate environments, these companies are providing customers with the ability to effectively rent access to the services they need without dealing with development, maintenance, and additional back end work. Given the high demand for Ransomware in this day and age, creative cyber-criminal entrepreneurs followed this tech industry trend and created ransomware as a service (RaaS) to ease the burden of cyber attackers having to develope their own attacks.
Using the services, cyber criminals are able to launch varying levels of novice to advanced attacks. The RaaS provider may then keep a percentage of the profits from the attack as a service fee. Run as legitimate service businesses, some of the services are so advanced that they include customer support, service level agreements, satisfaction guarantees, and more.
How does Ransomware as a Service (RaaS) work?
Ransomware as a service solutions include a variety of programs available to cyber criminals looking to launch these attacks. To start, hackers create the malware attacks, advertise them, and rent access to the exploit kit to other malicious attackers. They then provide the resources and instructions for operating the attack software. Once purchased, the “dark customer” launches the attack against the target, the malware encrypts the victim’s resources, and payment is requested in order to unlock the information. If the targeted organization folds and pays the ransom, the money is then split between the RaaS provider and the cyber criminal who purchased the service.
This set up is perfect for a cyber criminal who may not know how to code or create an attack. In addition, for a hacker who knows how to code but doesn’t want the direct exposure of launching attacks, they are able to profit from attacks without getting their hands dirty directly. The products work so well because they are created for cyber criminals, by cyber criminals.
What’s an example of Ransomware As A Service (RaaS) provider?
There are countless variations of ransomware in existence today, and there are several Dark Web vendors who offer the service. One popular example of this is Jokeroo. According to an article on the provider, “unlike most ransomware-as-a-service offerings, in order to become an affiliate, a would-be criminal has to pay to join a particular membership package. These packages range from $90 USD, where the affiliate earns 85% of the ransom payments, to $300 and $600 packages where the affiliates keep all of the revenue and get extra perks such as Salsa20 encryption, different ransomware variants, and different payment cryptocurrency options.”
The software comes with visually appealing dashboards, analytics, an ability to view information about their attack victims, including whether or not they have paid their ransom.
Should businesses be worried about this growing trend?
Ransomware attacks against small businesses and large enterprises remain a concern. When done right, these attacks can cripple ill-prepared companies. Without adequate and tested backups, one of the key defenses against successful ransomware attacks, some companies have found themselves out of business for days or even weeks while scrambling to recover. Ransomware attacks get delivered through a variety of channels, the main one being via email. Business email compromise attacks are another legitimate concern in this space. These attacks can be hard to entirely avoid, especially in companies with large employee populations prone to click on harmful links from time to time. The bottom line is that it’s nearly impossible to avoid every single attack attempt. Thus companies must pay attention and ensure they are protected from this trend through a combination of people, process, and technology.
If RaaS impacts you, what can you do?
Generally speaking, layered security is critical here. For example, in the case of email compromise as a delivery vector for ransomware – layers can help. Email security technology that filters malware out and isolates links, limited access control to prevent elevated privileges being used for unauthorized tasks, disaster recovery programs to assist with the response to the incident should it occur, and more can all help mitigate the impact of a successful ransomware attack. Typical response actions include:
- Restoring impacted systems from backup to help recover your information.
- Though not recommended, paying the ransom may or may not get you access to your information.
- Attempting to wipe the malware from the devices and decrypting the information using other tools where possible.
Insider Risk – How Prepared Are You?
Not every company is equally prepared to deal with insider risk. This report outlines the four stages of insider risk maturity and explores how to improve your insider risk preparedness.