Josue_RaaS-1

What is RaaS and why is it so dangerous?

Reading time: 11 min
Share this Share on email Share on twitter Share on linkedin Share on facebook

It’s no secret that ransomware is quickly becoming the most dangerous threat to organizations. There has been a dramatic increase in ransomware attacks, largely due to the pandemic.  Globally, ransomware attacks increased over 60% in 2020, and 158% in North America, with the FBI receiving 20% more ransomware complaints. In the first half of 2021, ransomware attacks increased 151% compared to the same time period last year.

One of the reasons ransomware attacks have become so prolific has been due to the rise of RaaS, or Ransomware as a Service. This refers to a shift in how ransomware gangs conduct attacks and even how ransomware is deployed on networks, increasing the chance of success.

We’ll break down this new ransomware development and give you tips on how you can better defend yourself.

How ransomware used to work

Ransomware was largely made possible via exploit kits — software that could be purchased via hacker forums and the dark web. The Hermes ransomware is a good example. Exploits kits contain malware, rookits, and ransomware, usually packed in a form of an exploit vulnerability that allows the malware to infect a network. This allows the purchaser to attempt to infect organizations with the malware, given the organization hasn’t patched the associated vulnerability, but hackers could also leverage phishing or other types of attacks to drop the malicious code.

Depending on the exploit kit, a hacker could purchase, send out a phishing attack containing the ransomware buried in a malicious file, and reap the rewards of anyone who downloaded the file. However, this form of ransomware has largely declined due to lack of effectiveness.

The old model of sending out spam phishing emails with hopes of getting an individual to download a malicious attachment didn’t work as often. Anti-phishing, AV, malware detection, spam filters can stop this kind of ransomware attack at various steps in the attack chain.

Even against a commodity ransomware like Hermes, having backup files was enough to deal with the ransomware attack.

And because the ransomware was essentially available to any purchaser, security researchers could develop decryption keys that could release victims from the ransomware without them having to pay attackers, forcing the ransomware developers to continuously update them.

This meant ransomware attacks weren’t as effective - hackers needed to find another way.

Ransomware as a Service, explained

The most dangerous ransomware groups decided to privatize their most effective ransomware and decided to go one step further. Rather than selling it and allowing bad actors to use them freely, they decided to license the ransomware, split the cost, and leverage their own expertise as a service.

This meant a bad actor could essentially outsource a ransomware hacker groups’ services completely — a major shift in how ransomware attacks were carried out.

Rather than leveraging them in phishing and spam attacks, which are far less effective, ransomware hacker groups will either infiltrate target organizations or deploy the ransomware to targets that the malicious actors have already found their way into.

This gives ransomware attackers two advantages:

The organization’s already compromised: These aren’t your traditional spray and pray style of attacks. Instead, these are much more targeted attacks that infect an already compromised organization, vastly increasing the odds of success. And because malicious actors are already in a company’s environment, the ransomware is more likely to affect a larger part of the organization’s network.

There’s no readily available decryption key: Cybersecurity hinges on information. The fact that ransomware was being leveraged on such a wide scale made it more possible for security researchers to develop decryption keys. However, the ransomware isn’t as available and is only used sparingly against organizations, making it more difficult to build decryption keys.

The Ryuk ransomware is a good example of this. Licensed only by the hacker group WIZARD SPIDER, the ransomware code shares a lot of commonalities with Hermes but only targets large enterprises with this ransomware. And because it doesn’t make it widely available for purchase, it generates victim-specific attributes for each attack, making it much more difficult to develop a decryption key for it.

RaaS is likely to become the new normal

Unfortunately, this new development is likely to stay. This new method is highly lucrative for the attackers. The malicious hacker looking to infect an organization is much more likely to succeed and the ransomware gang can take a cut without doing much work.

As a result, we’ve already seen ransomware gangs adopt a cartel model and working with smaller ransomware groups, building up an organized network of ransomware criminals. The observed success of this model is also why it’s likely to stay and increase in the near future.

This is partly why ransomware attacks have increased so much and why we’re seeing larger and larger payouts. The average ransomware payout increased dramatically to over $300K in 2020, a 171% increase.

Organizations can still protect themselves against RaaS

Despite these novel developments, it doesn’t mean organizations are helpless against these style of attacks. Fortunately, organizations can leverage existing tools, processes, and solutions to protect themselves against ransomware.

Here are a few areas you should prioritize.

Don’t stop traditional ransomware defense

Spam filters, AV, and anti-malware detection and elimination tools have been effective enough to force criminals to adopt other methods and may even stop ransomware from ever running on your environment. These tools as well as security awareness training programs should still be used and prioritized

Always have backups

If you can back up your files or revert your environment to a stage before ransomware infection, then you don’t have to pay your ransom to begin the recovery process. Make sure your back-ups are completely disconnected from your main network to avoid infection.

Invest in monitoring and detection tools

The precursor to these new ransomware attacks is infiltration. If you can detect an unauthorized individual entering your network, you can pre-empt the attack and potentially kick them out of your environment before they do any damage.

Leverage network segmentation whenever possible

This has always worked against ransomware and still does. If you have a robust network segmentation system in place, you should be able to prevent ransomware from infecting your most business critical assets, stopping even further extortion or data leak threats.

Have a response plan ready

Organizations can’t afford to not be prepared for a ransomware attack. You should have an incident response plan ready and may even want to employ a response or forensic investigation partner on retainer who can help them in case they’re compromised. In the face of any ransomware attack, speed to action is key.

The rise of RaaS is quite concerning but security principles, methods, tools, and systems still provide robust defense, detection, and response capabilities. Don’t neglect these important priorities and consider leveraging partners who can help on the detection and response side.

Learn more about the decryptor that helped more than 1,400 companies in 83 countries recover their files and save over $550 million in unpaid ransom.

Additional Resources:

Building a security strategy in the times of ransomware webinar

Learn how to combat RaaS