As if ransomware on its own were not worrisome enough—a new delivery model is making cybersecurity’s greatest scourge even more dangerous. Ransomware-as-a-service (RaaS) providers grant malware access to less inventive criminals, expanding the playing field for bad actors and sending more threats into the ecosystem. We talked to Sherri Davidoff, CEO of LMG Security, about why RaaS is the biggest development in the hacker economy and what organizations can do to protect themselves from its expansion.
What is ransomware-as-a-service?
SD: Ransomware-as-a-service (RaaS) is a model in which criminals rent access to a ransomware delivery infrastructure, typically in exchange for a subscription fee, a percentage of the proceeds, or both. Imagine SaaS products like Microsoft or Google applications, but designed for cybercriminals. The operators that maintain the RaaS infrastructure often refer to their customers as “affiliates” or “partners,” particularly when they skim off a percentage of the proceeds.
There are many different RaaS offerings, ranging from inexpensive (and typically low-quality) strains that anyone can buy on the dark web, to highly sophisticated versions that are only available to specific, carefully vetted affiliates. Features of RaaS products often include a portal with a chat feature, customizable ransomware strains, template ransom notes, customer support for the affiliates, and more.
As data exposure extortion has become increasingly effective, RaaS operators have added supporting features to their platforms as well. For example, the NetWalker strain advertised “[A] fully automatic blog, into which the merged data of the victim goes, the data is published according to your settings.”
The RaaS business model appears to have been wildly successful. For example, the NetWalker ransomware strain reportedly netted at least $46 million. According to Chainalysis, when a ransom is paid, typically the bulk of the payment goes to the affiliate, a smaller percentage to the operator, and a smaller percentage still goes to two commissionable roles.
As the hacker economy matures, we have increasingly seen the evolution of specialized cybercriminal roles. RaaS clearly illustrates this trend toward specialization: Often, the actors that initially gain a foothold into the victim’s network are not the same as those that deploy the ransomware (although the entire group of affiliates may profit from a ransom payment). Instead, an “initial access broker” might gain access using stolen RDP credentials or phishing attacks, and then rent or sell access to the RaaS affiliates. Then, the affiliate leverages the RaaS platform to deploy the ransomware and extort a payment.
Who is using this model of attack? Who are the victims?
SD: A wide variety of cybercriminals leverage RaaS, from experienced organized crime groups to lone amateurs. For example, anyone can buy access to a low-end RaaS infrastructure on the dark web for as little as $40 and purchase stolen RDP credentials for $16-$24 or phishing kits for $5-$15. These attacks are typically opportunistic, and the victims might be any organization unlucky enough to have an employee or vendor click on a link or fall victim to a credential-stuffing attack.
Organizations with slim budgets for cybersecurity (such as SMBs and public entities) are at higher risk, since they may not have the resources to support proactive cybersecurity monitoring, multi-factor authentication rollout, effective backup strategies, etc.
On the flip side, there are some ransomware gangs that invest much greater sums in their tools and specifically target higher-revenue organizations for bigger ransoms. In addition, ransomware gangs often target organizations that would be critically impacted by network outages (such as hospitals, technology providers, industrial goods and services) or hold confidential/regulated information (such as public sector, law firms, and professional services).
The highest-risk organizations are those that are strapped for resources, have critical uptime requirements and hold large volumes of sensitive data: hence, healthcare and the public sector have been hit especially hard over the years.
Why is this a concern to organizations? How has it changed the threat level of the cybersecurity landscape?
SD: RaaS offerings lower the barrier to entry for would-be ransomers, making it easier for amateurs to launch ransomware attacks, and bring powerful, scalable tools into the hands of more experienced criminals. They also increase the effectiveness of ransomware. For example, many RaaS operators tout increased speed of encryption and advanced features to ensure that all files are locked up, making it harder for defenders to contain and recover from ransomware.
In addition, the new RaaS platforms that automatically publish information pose a new and frightening threat of scalable data exposure.
How are these attacks staged?
SD: Different operators have different models for facilitating ransomware attacks. Some of the most popular platforms, such as Dharma, are deployed after the customer has already gained access to an RDP platform (typically using stolen credentials or credential spraying). From there, the customer uses the Dharma toolkit to deploy ransomware. Similarly, the Sodinokibi and NetWalker operators specifically partner with affiliates that already have their own methods of gaining access to networks: RaaS is leveraged to deploy ransomware after the affiliates already have a foothold.
One common thread is that RaaS offerings frequently leverage popular Microsoft administrative tools, such as PowerShell, the PsExec toolkit, Remote Desktop and the net user system to create administrative accounts and push out ransomware within an organization. The RaaS typically automates the encryption process, creates ransom notes and facilitates the payment process. The most advanced RaaS products automatically create a portal for each victim, enabling real-time chat and supporting victim self-service.
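A defender-side illustration of the deployment pattern described above, added here and not part of the interview: this Python script is assumed to run over simplified records already exported from the Windows Security and System logs (a SIEM or event forwarding would supply them), and it flags the sequence of a new local account being made an administrator, a PsExec service install, and an RDP logon from outside the private address space, using constructed sample events.

```python
"""Added example (not from the interview): triage simplified Windows events for the
deployment pattern described above. Event IDs are standard; records are constructed."""
import ipaddress
from datetime import datetime
# Constructed sample events. 4624 = logon (type 10 = RDP), 4720 = account created,
# 4732 = member added to a local group, 7045 = service installed.
SAMPLE_EVENTS = [
    {"time": "2021-03-01T02:11:05", "host": "FS01", "id": 4624, "actor": "jdoe",
     "logon_type": 10, "src_ip": "203.0.113.7"},
    {"time": "2021-03-01T02:13:40", "host": "FS01", "id": 4720, "actor": "jdoe", "target": "svc_bkp"},
    {"time": "2021-03-01T02:13:41", "host": "FS01", "id": 4732, "actor": "jdoe", "target": "svc_bkp",
     "group": "Administrators"},
    {"time": "2021-03-01T02:20:12", "host": "FS02", "id": 7045, "service": "PSEXESVC"},
    {"time": "2021-03-01T09:00:00", "host": "HR01", "id": 4720, "actor": "helpdesk", "target": "newhire"},
    {"time": "2021-03-01T09:30:00", "host": "HR01", "id": 4624, "actor": "helpdesk",
     "logon_type": 10, "src_ip": "10.20.30.40"},
]
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def _ts(ev):
    return datetime.fromisoformat(ev["time"])

def find_admin_account_creation(events, window_s=600):
    """4720 followed by 4732 into Administrators for the same account on the same
    host within window_s seconds: the 'net user /add' + 'net localgroup' sequence."""
    created, hits = {}, []
    for ev in sorted(events, key=_ts):
        key = (ev["host"], ev.get("target"))
        if ev["id"] == 4720:
            created[key] = ev
        elif ev["id"] == 4732 and ev.get("group") == "Administrators" and key in created:
            if 0 <= (_ts(ev) - _ts(created[key])).total_seconds() <= window_s:
                hits.append({"host": ev["host"], "account": ev["target"], "actor": ev["actor"]})
    return hits

def find_psexec_service_install(events):
    """7045 naming the PsExec service. PsExec is a legitimate admin tool, so this is
    a lead to check against change records, not proof of compromise."""
    return [ev for ev in events if ev["id"] == 7045 and "PSEXESVC" in ev.get("service", "").upper()]

def find_external_rdp_logons(events):
    """RDP (logon type 10) from a non-RFC1918 source: RDP reachable without a VPN."""
    return [ev for ev in events if ev["id"] == 4624 and ev.get("logon_type") == 10
            and not any(ipaddress.ip_address(ev["src_ip"]) in n for n in RFC1918)]

def triage(events):
    return {"admin_accounts": find_admin_account_creation(events),
            "psexec_installs": find_psexec_service_install(events),
            "external_rdp": find_external_rdp_logons(events)}
```

The helpdesk account creation on HR01 is deliberately left unpaired so the window check shows a benign creation producing no finding.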
How can organizations protect against this threat?
SD: The top ways that ransomware attacks begin include email phishing, RDP credential theft, and exploitation of Internet-exposed software vulnerabilities. Here are ways that organizations can reduce the risk of a ransomware attack:
- Deploy strong multifactor authentication on all internet-facing login interfaces.
- Use effective anti-phishing technologies, such as email security software and hardened mail server configuration settings.
- Conduct regular user awareness training to reduce the risks of phishing and password re-use.
- Leverage a VPN for remote access whenever possible, instead of RDP or similar login interfaces.
- Patch workstations, servers and network equipment regularly.
We want to thank Ms. Davidoff for her thoughtful observations and recommendations. She has always been very generous with her time, trying to help bring awareness to the industry. With ransomware a leading cause of loss, the cyber risk insurance industry has been paying careful attention to the rise of RaaS over the past few years and is especially hyper-focused on trying to ensure that their policyholders have most of the required/baseline safeguards in place so a cyber-insured organization is not a wide-open target. In addition to training, endpoint protection and 2FA, we might add having an actionable breach response plan, such as BPC.
Ms. Davidoff is also a valued member of the NetDiligence Ransomware Advisory Group. We want to thank her again.