Ransomware attacks are on the rise and are targeting both governments as well as businesses. While ransomware has been around for decades, the coronavirus pandemic, the growing reliance on digital infrastructure, and a number of geopolitical shifts have opened up many opportunities for attackers. In this climate, everything is seen as fair game – from critical government and public infrastructure to big corporations and even small-scale businesses.
Moreover, the amount of ransom has also been growing, with attackers becoming emboldened by repeated successes and “big hits” in recent years. According to Forbes, the cost of cleaning up after a ransomware attack has doubled over the last year, and the overall cost of a ransom situation is equal to 10 times the ransom itself. The average ransomware payment in 2021 has been estimated at $570,000.
One of the reasons for this significant increase in ransomware attacks is the entry of many new actors on the scene through the use of ransomware-as-as-Service (RaaS). In a short amount of time, RaaS has become an industry in itself. This has significantly lowered the entry bar allowing people with little knowledge of how to construct an attack alone to benefit from large ransomware groups’ know-how in return for a share of the profit.
In turn, this development poses new challenges to businesses and organizations that urgently need to learn how to protect their systems and data from breaches
To learn more about the emergence of RaaS, and what you can do to protect your organization, keep reading!
The emergence of RaaS
RaaS is a fairly recent phenomenon, yet it has already gained significant traction.
The first known instance of RaaS was the Cerber ransomware from 2017. That year, Cerber accounted for as much as 90% of all ransomware attacks on Windows worldwide.
One of the reasons for its popularity and success was that its developers (or operators) began leasing it out to attackers (or affiliates) in exchange for a share of the profits made from the ransom. This allowed actors with little to no technical expertise to easily launch ransomware attacks, carving a whole new niche in the ransomware space. While Cerber was largely gone by the end of that year, it is attributed with giving rise to the model we today call RaaS.
The profitability of RaaS was further cemented by GandCrab in 2019, at the time described by Europol as “one of the most aggressive forms of ransomware” for that year. GandCrab’s popularity was short-lived, as it shut down suddenly halfway through the year with its developers claiming that they were retiring since they had been making $2.5 million per week.
Supposedly, the claim made by the group further incentivized individuals and groups who were seeking to become rich quickly to enter the ransomware market.
As a result, in 2021 all large ransomware attacks such as DarkSide, REvil, Dharma, and LockBit are available as RaaS. But financial incentives are only one reason why RaaS is growing in popularity and why we can expect to see more of it in the coming years.
Why RaaS is growing
Thanks to RaaS, for anyone who is willing to take the risk, ransomware attacks are now more accessible and easy to execute. While that is certainly part of the reason the model itself is growing, there are several other significant contributing factors. These factors include:
Greater availability and reliance on digital infrastructure globally
Businesses are becoming more and more reliable on digital infrastructure and managed services such as the cloud. Reliance on the cloud has exploded over the last decade, providing attackers with large-scale targets that can be attacked from anywhere on the globe with little fear of consequence.
At the same time, these digital environments are hardly built to withstand all the threats that are directed at them. According to Zeynep Tufekci, the security status quo of software infrastructure globally is akin to “building skyscraper favelas in code—in earthquake zones.” In other words, there are increasingly more targets with little to no security and multiple entry points.
Cryptocurrencies allow for attackers to remain hidden
With the advent of cryptocurrencies, extortion has gotten significantly easier. For all the freedom and technological improvements that they promise, cryptocurrencies have unfortunately also given cybercriminals a method of collecting ransom that exposes them minimally.
And while these currencies may be volatile, the anonymous nature of Bitcoin transfers has effectively eliminated the danger previously associated with collecting a ransom. With the decrease in risk, participating in a RaaS scheme has become much more enticing
RaaS is becoming more structured and efficient
RaaS groups and schemes are beginning to look and operate in disturbingly similar ways to corporations. From diversified roles to outsourced activities, the RaaS ecosystem is becoming more organized and with that – more efficient.
Now each stage of the attack may have people who act as its “owners”, and a variety of new roles, such as those of negotiators, are being filled. This offers more opportunities by attracting people with different skill sets.
Geopolitics are beginning to legitimize ransomware attacks
While ransomware has not yet openly been used between states, game theory suggests that it is only a matter of time for this to occur.
Meanwhile, states such as North Korea and Russia, among others, will turn a blind eye or even tacitly support groups who operate on their territory as long as these do not target the country’s structures and interests.
All of this serves to further create a climate of permissiveness that is also emboldening groups to seek out targets that sometimes have geopolitical significance.
How to avoid ransomware attacks
Protecting against ransomware attacks has several dimensions. On the one hand, an overarching organizational strategy must be put in place that helps prepare your organization and mitigate attacks early on.
The main elements of such a strategy are:
- Assessing the vulnerability of your company’s systems
- Putting in place a governance system of processes and procedures in case of an attack
- Maintaining operational readiness through drills and exercises, and frequent testing
- Regularly backing up data and applications and maintaining reliable backup and recovery capabilities
- Implementing least privilege access to reduce the possible entry points
- Educating staff how to respond during an attack
In addition to designing a strategy, you should also consider introducing a number of particular measures that will serve to actively deter ransomware attacks. Concrete measures that you can take can include:
- Introducing multi-authentication and strong passwords – two-factor authentication is one of the strongest measures that you can take to stop ransomware attackers in their tracks
- Restricting IPs that can be used to make external remote desktop protocol(RDP) connections and set limits on the possible number of login attempts within a given timeframe
- Keeping immutable and offsite backups apart from cloud storage backups to guarantee the recoverability of your data
- Introducing a zero-trust security model that requires all users and devices that connect to the network to pass authentication every time
- Using automated email and endpoint protection
- Installing the latest security patches as soon as possible
Amatas can be your partner in implementing robust cybersecurity protection. With our Managed Security Awareness service, you can begin to uncover any security vulnerabilities that are currently present in your organization. We will also help you create awareness among your staff and build a security culture that is solid and with the necessary degree of preparedness to meet any future security risks.
If you need support in spotting and addressing vulnerabilities and threats, our Managed Extended Detection & Response service will provide your organization with effective and easy-to-use threat monitoring, detection, and response around the clock. In addition, our experienced security analysts will be at your disposal to provide you with threat intelligence and conduct cyber forensics, if needed.
Do you need help protecting yourself from ransomware attacks? Get in touch to learn more about how Amatas can help you with your company’s cybersecurity!