How to Protect against Ransomware-as-a-Service (RaaS)

Ransomware-as-a-Service (RaaS) models let cyber criminals extort the companies they target by stealing data with malicious code. Learn what you can do. 

What is Ransomware-as-a-Service (RaaS)?

Ransomware-as-a-Service (RaaS) is a subscription-based business model that allows ransomware affiliates — that is, cyber criminals — to use previously developed ransomware tools to execute ransomware attacks against others. Others such as you. 

Similar to Software-as-a-Service (SaaS), the RaaS model lets ransomware developers sell or lease their ransomware to other parties, who then use that software to attack organizations. For this service, the ransomware developer typically earns a percentage of the ransom payment received.

Ransomware is malware that encrypts and locks targeted files. Since decryption is practically impossible, ransomware allows cyber criminals to hold the files hostage and demand a ransom in exchange for decryption keys. 

The first known ransomware attack is believed to have occurred in 1989, and lately ransomware has become the modus operandi of cyber criminals across the globe. A report from the Beazley Group says ransomware attacks increased by 25 percent from Q4 2019 to Q1 2020, and all evidence suggests the attacks have proliferated even more since then.

Largely opportunistic, ransomware attacks usually infect myriad easy targets to collect the highest financial reward. A January 2020 Coveware report found that the average ransom payment jumped from $41,198 in Q3 2019 to $84,116  in Q4 2019 — an increase of 104 percent.

Ransomware-as-a-Service further expands the current ransomware threat landscape by letting criminals use already-developed ransomware products for their attacks. With RaaS, even the most inexperienced hackers can now launch highly sophisticated cyberattacks. 

RaaS solutions also typically pay their users high dividends. In some cases, attackers earn up to 80 percent of each ransom payment. 

Ransomware will likely remain a widespread and serious threat. It will almost certainly continue to grow and evolve as RaaS becomes more accessible to more cyber criminals. Therefore, it’s important to understand how ransomware works, and how you can protect your organization from a ransomware attack.

How RaaS Works

A relatively new business model for ransomware developers, RaaS allows developers to sell or lease their ransomware to others — often called affiliates —  who then use them to launch cyber attacks. 

RaaS begins with expertly coded ransomware developed by “reputable” ransomware operators. RaaS ransomware usually has a high chance of penetration success and a low chance of discovery.

After the ransomware is developed, it’s then modified to a multi-end infrastructure so it can be licensed to multiple affiliates.

To recruit affiliates, many ransomware developers post queries on dark web forums. Affiliates are provided with onboarding documentation, including a step-by-step guide for launching attacks using the ransomware. Some RaaS solutions also provide a dashboard to help affiliates monitor the status of each ransomware attack.

Like SaaS, the revenue model for RaaS operates using an affiliate program. Affiliates either sign up with a one-time fee or a monthly subscription. Some RaaS operators don’t even use sign-up fees; affiliates can sign up to work on a commission basis. 

After RaaS affiliates sign up to gain access to ransomware, the developer will create a custom exploit code licensed to that particular affiliate. Once affiliates have access to the custom exploit ransomware code and instructions, they’re ready to launch a cyber attack.

How Ransomware Attacks Happen

After a RaaS affiliate has the custom ransomware code in its possession, it can identify and target an infection vector and deliver the exploit code to the victim (via malicious email, for example). 

Most ransomware attacks are executed via phishing. Phishing is a method of stealing sensitive data (like passwords and payment information) by duping the victim with a bogus email message. Phishing emails are a quick and easy way for cyber criminals to gain access to their victims’ servers. 

If the victim clicks the link in a phishing email, the ransomware is downloaded and executed on the computer the victim used to access the website. 

The ransomware then encrypts the victim’s files, identifies additional targets on the network, modifies system configurations to establish persistence, disrupts or destroys data backups, and covers its tracks. 

After the data has been encrypted, the victim typically receives a ransom note with instructions to pay it with untraceable funds (usually cryptocurrency). Money launderers move the money through multiple transformations to hide the identities of the ransomware affiliate and the developer. 

Once funds are received by the affiliate, they may or may not send a decryption key to the victim. The affiliate may make additional demands, or do nothing at all and leave the victim stuck with encrypted files. 

When an internal host is infected, preventing the ransomware from spreading to other computers within the network can be difficult. 

The most effective way to prevent ransomware from spreading to other computers is to disconnect it from wired connections, Wi-Fi, and Bluetooth as soon as possible. Automated backups to local or external storage should also be disabled to prevent them from being destroyed. 

To lessen the likelihood of a successful web-based malware download, firewalls that implement whitelisting or robust blacklisting may deter ransomware from connecting to command-and-control servers. 

Firewalls should also limit or completely block remote desktop protocol (RDP) and other remote management services. 

Common ransomware threats 

As mentioned above, the most common method for ransomware attacks is phishing. Using phishing emails, cyber criminals can obtain sensitive data by tricking a victim into clicking a link that automatically downloads the ransomware. 

The 10 most active ransomware variants and their respective market share percentage in Q1 2020 are as follows:

1. Sodinokibi (26.7%)
2. Ryuk (19.6%)
3. Phobos (7.8%)
4. Dharma (7.8%)
5. Mamba (4.8%)
6. GlobeImposter (4.4%)
7. Snatch (2.6%)
8. IEncrypt (2.2%)
9. 777 (2.2%)
10. MedusaLocker (2.2%)

Of these 10 ransomware variants, Sodinokibi, Phobos, Dharma, and GlobeImposter use an RaaS business model. 

Paying Ransom

Making a ransom payment usually involves downloading a dark web browser to pay through a dedicated payment gateway. Most of the time, payments are made using cryptocurrency (such as Bitcoin) due to the untraceable nature.

Deciding whether to pay the ransom demand is a difficult choice. If you make a payment, you are essentially trusting the cyber criminals holding your data hostage to deliver on their promise of decryption. 

The FBI explicitly recommends against paying ransoms for this very reason: because a ransom payment never guarantees the decryption of data. 

That said, more than half (56 percent) of ransomware victims paid the ransom to restore their data in 2020. According to a global study of 15,000 consumers, 17 percent of those who paid the ransom did not secure the return of their stolen data. 

In the future, paying ransom to cyber criminals may result in additional fines. Currently, the U.S. Treasury Department is exploring financial penalties to organizations who pay a ransom to recover their data because the payments fund future extortion and encourage new attacks.

How to Protect Your Organization From Ransomware

It is impossible to block ransomware completely at its two most common points of entry: email and websites. You can, however, take steps at the system level to reduce ransomware attacks and cyber threats.

The most effective deterrent to ransomware is to back up and verify your system regularly. Still, because a ransomware attack may delete or encrypt your backed up data, you may find yourself looking for other options to further protect your organization. 

Here are some things you can do to better protect your organization from ransomware:

• Educate employees. Organizations should conduct regular training to help employees avoid common malware pitfalls because ransomware often infects a system through email attachments, downloads, and web browsing.
• Conduct regular data backups. Storing backups offline or offsite so that they cannot be accessed through your network is critical to protect your data. Verify that the data backup process works in your environment by periodically checking that files can be accessed from your backup device, removing backup media from networked devices, and avoiding popular online backup solutions that are also vulnerable to ransomware attacks.
• Restrict code execution. By limiting access control, ransomware that is designed to execute from temporary and data folders will not be able to access these folders. 
• Restrict administrative and system access. Decreasing user accounts and terminating all default system administrator accounts can create an extra roadblock for some strains of ransomware that are designed to use a system administrator account to perform their operations. 
• Maintain and update software. Pay particular attention to your security, antivirus, and anti-malware software to protect against (or assure early detection of) ransomware. 

If you do become the victim of a ransomware attack, consider the following steps:

• Take a snapshot of your system.
• Shut down your system.
• Identify the attack vector.
• Block network access to any identified command-and-control servers used by ransomware. 
• Notify authorities. 

How ZenGRC Can Help

As your organization looks for ways to protect itself against the threat of ransomware — and especially as RaaS contributes to its rise in efficacy and popularity — you might want to consider a governance, risk, and compliance (GRC) tool to help keep your data safe. 

ZenGRC from Reciprocity is a risk and workflow management software with an intuitive, easy-to-understand platform that keeps track of your workflow, and also lets you identify areas of high risk before that risk has manifested as a real threat.

Similarly, ZenGRC helps you stay compliant with cybersecurity frameworks, which therefore protects you from RaaS. 

With ZenGRC, a team of cybersecurity professionals is always looking out for your organization and its assets to make sure you get the best protection against security breaches and cyberattacks. 

For more information about how ZenGRC can help your organization protect itself against ransomware and RaaS, contact us for a demo today.