Ransomware-as-a-service (RaaS) is a dangerous type of Software-as-a-Service (SaaS) provided as an easy-to-use cyber-criminal attack platform. With this cyberattack, actors gain illegitimate access to companies’ information technology resources and proceed to block legitimate access while demanding payment for the release of resources and data that rightfully belong to the business. Victims are often notified via a lock screen where a ransom payment can be made—typically in the form of cryptocurrency, like Bitcoin.
Once the ransom is paid, customers receive the decryption key to regain access to their data and infrastructure. Unfortunately, many never regain access even after paying. Most companies today have critical data and network infrastructures to protect.
Ransomware is easy to deploy and a profitable way to enter the cybercrime space. Additionally, shifting trends make it easier than ever to leverage in cybercriminal activity. According to threat research organizations, ransomware volume raced to 110.9 million detected attacks in the first half of 2019 — a 15% year-to-date increase over 2018.
Comparing Ransomware-as-a-Service to Previous Known Ransomware Attacks
Understanding previous attacks gives organizations a solid foundation in the tactics, exploits, and characteristics of most ransomware attacks. While there continue to be variations in the code, targets, and functions of ransomware, the innovation in ransomware attacks is typically incremental.
Previous Ransomware Attacks
- CryptoLocker—This was among the first attacks of the current ransomware generation that required cryptocurrency for payment (Bitcoin) and encrypted hard drives and attached network drives. CryptoLocker spread via an email with an attachment that claimed to be FedEx and UPS tracking information. A decryption tool was released for this in 2014. In the end, however, reports suggest that upwards of $27 million was extorted by CryptoLocker.
- NotPetya—Considered one of the most damaging ransomware attacks, NotPetya leveraged tactics from its predecessor and namesake, Petya, such as infecting and encrypting the master boot record of a Microsoft Windows-based system. NotPetya leveraged the same vulnerability as its contemporary WannaCry to spread rapidly, demanding payment in bitcoin to undo the changes. It has been classified by some as a wiper, since NotPetya cannot undo its changes to the master boot record and renders the target system unrecoverable.
- WannaCry—A powerful Microsoft exploit was leveraged to create a worldwide ransomware worm that infected over 250,000 systems before a kill switch was tripped to stop its spread. Proofpoint was involved in finding the sample used to find the kill switch and in deconstructing the ransomware.
- Bad Rabbit—Considered a cousin of NotPetya, and using similar code and exploits to spread, Bad Rabbit was a ransomware attack that appeared to target Russia and Ukraine, mostly impacting media companies there. Unlike NotPetya, Bad Rabbit did allow for decryption if the ransom was paid. The majority of cases indicate that it was spread via a fake Flash Player update that impacted users via a drive-by attack.
Current Ransomware-as-a-Service Attacks
There are many variations of Ransomware-as-a-Service attack platforms. Most offer customization, and many even offer Service Level Agreements (SLAs). RaaS platforms enable a threat actor to easily encrypt all of a business's data and demand payment in exchange for the decryption key. Without the key, most businesses find themselves severely impacted.
Some of these platforms even offer a membership subscription package for aspiring cybercriminals and provide visually appealing dashboards, analytics, and in-depth data about attack victims, including whether or not they have paid the ransom. Additionally, cybercriminals can now change and customize their attack using these services, including the attack name and logo. These services can even come with customer support, making it easier than ever to take advantage of individuals and infiltrate organizations.
The Impact of Ransomware-as-a-Service
As of October 2019, the FBI has issued a public service announcement entitled “High Impact Ransomware Attacks Threaten US Businesses and Organizations.” While the announcement doesn’t provide any details of specific attacks, the Bureau warns in the announcement:
“Ransomware attacks are becoming more targeted, sophisticated, and costly, even as the overall frequency of attacks remains consistent. Since early 2018, the incidence of broad, indiscriminate ransomware campaigns has sharply declined, but the losses from ransomware attacks have increased significantly, according to complaints received by IC3 and FBI case information.
“Although state and local governments have been particularly visible targets for ransomware attacks, ransomware actors have also targeted health care organizations, industrial companies, and the transportation sector.”
With Ransomware-as-a-Service changing the face of the threat landscape, many organizations aren’t prepared to handle the constant onslaught of cyberattacks.
Protecting Your Organization Against Ransomware-as-a-Service
The outlook might seem bleak for your business, especially for those without large cybersecurity teams or Managed Service Providers to take proactive action. Strong cybersecurity defenses are still key, and most ransomware is still delivered via e-mail, so organizations can rely on phishing protection and other solutions to help build their defenses.
Without an e-mail security solution to help automatically filter out malicious contact, however, you greatly increase the risk of becoming a victim of a ransomware attack. Also, businesses must ensure they have active and tested backup solutions in case emergency recovery is necessary. Lastly, ensuring enterprise-wide malware detection, prevention, and remediation will help to reduce the risk of infection.
Today’s cybersecurity programs focus primarily on detection and remediation, but this is no longer effective. To prevent a ransomware attack, a shift in practice from detection to proactive prevention, combined with automation, is required. The Adapture Security Solutions Architects can help you get started with a Risk Assessment to determine where your cybersecurity gaps are leaving your business vulnerable.
This post was contributed by CISSP Senior Solutions Architect Ben Henderson. Henderson is a cybersecurity professional with over 20 years of operational experience leading Information Assurance activities including Centrify deployments for PAM and providing an increased compliance readiness for the DoD and businesses worldwide.