Laura
14/07/2022
Whitepaper
Ransomware is still one of the biggest cyber threats to organisations in the UK, and ransomware-as-a-service (RaaS) is one of the main trends driving ransomware risk.
According to one report, ransomware attacks increased by 112%. Although huge, this number might not even paint the full picture. British authorities are “increasingly concerned” victims are keeping incidents secret.
RaaS groups like Conti and LockBit appear to be behind most ransomware campaigns. For example, in January 2023, Britain’s multinational postal service Royal Mail was attacked by LockBit, who left a ransom note for £67 million.
Although extremely dangerous, RaaS attacks can be stopped. Read on to learn how.
What Is Ransomware as a Service?
Similar to how software as a service (SaaS) has democratised access to enterprise-grade business tools, powerful ransomware is now available on subscription.
Previously the preserve of well-funded or state-backed threat actors, the emergence of RaaS business models via dark web forums means that even inexperienced criminals can now launch attacks capable of crippling both private organisations and state bodies.
Ransomware developers typically use one of the following revenue models:
- One-time fee for ransomware tools, i.e., no profit sharing.
- Affiliate model, i.e., RaaS affiliates pay a percentage of profits to the developer (which often goes towards improving the affiliate program).
- Monthly subscription, i.e., RaaS affiliates pay a flat fee every month.
- Profit sharing, i.e., profits are divided among all RaaS affiliates.
Alongside the fact that RaaS enables more threat actors than ever to engage in cybercrime, this profit driver also helps grow extortion demands, as affiliates ask for higher ransoms to cover the cost of the RaaS kit or the commission due to the RaaS operator.
Ransomware Operators Are Losing Control (Or Why Once Off-Limits Industries Are Being Attacked)
The RaaS model does have a downside for malware developers, though. RaaS operators may not always be able to control who their affiliates target.
Remember the infamous attack on Colonial Pipeline? DarkSide, the ransomware gang responsible for it, tried to distance itself from the incident, saying, “We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for other motives. Our goal is to make money and not creating problems for society.”
DarkSide has since quit the RaaS business, citing disruption to its operations, including lost access to its public-facing portal and even funds that have apparently been transferred from its Bitcoin wallet to an unknown account by the Federal Bureau of Investigation (FBI). As a result, other ransomware groups, such as Abaddon and REvil (also known as Sodinokibi), announced new rules for their affiliates, like a ban on targeting government-affiliated entities, healthcare organisations, and educational institutions.
However, whether RaaS operators will be able to enforce these rules is questionable. After their ransom demands were not met, ransomware attackers leaked confidential data from over a dozen UK schools.
Learn more: Are you ransomware attackers’ ideal victim?
This is bad news for organisations in what might be described as “morally untouchable” industries – they are under as much threat from RaaS as companies typically seen as “fair game.”
Ransom Attacks No Longer End When Ransoms Are Paid and Systems Remediated
Hackers have long realised that just paralysing a victim’s operations may not be enough to get a ransom payment — particularly when backups are available.
As a result, modern ransomware strains don’t just focus on encrypting victims’ systems but also exfiltrate data. This capability unlocks a new tactic for threat actors known as “double extortion,” where the threat of having sensitive information exposed online can be used to leverage wavering victims.
Sometimes, victims even have to pay twice: once for the decryption of their data and once to ensure the data isn’t published on a leak site. To put even more pressure on their victims, attackers may overload their websites with DDoS attacks.
As if double extortion wasn’t alarming enough, hackers can also use triple extortion tactics. In triple extortion, hackers not only steal data from an organisation and threaten to leak it if they don’t pay but also go after the data owners themselves. In October 2020, cybercriminals who hacked a Finnish psychotherapy clinic demanded ransom payments from both the clinic and the patients.
Organisations Need to Prioritise Proactive Defence
Despite the UK government’s efforts to fight back against ransomware attacks through offensive security and sanctions on members of ransomware groups, the current threat landscape is unfortunately as bleak as ever.
Even though most enterprises now deploy around 45 cybersecurity tools on their networks, the average security operation centre’s (SOC’s) ability to contain threats has decreased by 13%. Increased spending on cybersecurity solutions appears to be giving organisations less rather than more security. Indeed, about 40% of organisations are so overwhelmed by security alerts that they have no choice but to ignore at least 25% of them (read our blog post on the hidden cost of alert fatigue in cybersecurity). You can imagine the kind of impact this can have on incident response.
Learn more: Reducing ransomware risk through security tool consolidation.
What this paradox shows is that as they ramp up cybersecurity budgets, rather than buying more tools, organisations need to take a proactive approach to cybersecurity. Security leaders need to focus on the following:
- Providing ransomware-focused cybersecurity training to all employees. Phishing emails — the number one ransomware attack vector — are now so sophisticated that 97% of users are unable to recognise them. Social engineering training is a critical step in patching up the biggest weakness in any organisation’s cybersecurity — employees.
- Enforcing multi-factor or even passwordless authentication. Weak passwords can act as entry points to ransomware and are often available for sale on the dark web. Multi-factor authentication on admin accounts can reduce the risk of ransomware by 40%. Passwordless authentication is even better because it removes the need for passwords altogether.
- Continuously monitoring for vulnerabilities and patching them. Hackers know that most organisations don’t have the time to patch all vulnerabilities. Many of them are now finding luck by exploiting old flaws.
- Implementing zero-trust security. Once attackers breach network perimeters, nothing is stopping them from moving laterally through the networks to find valuable data. To prevent this, organisations should consider implementing zero trust architecture, which limits lateral movement from one endpoint to the next and reduces potential damage.
- Investing in cybersecurity solutions that work. Antivirus tools, endpoint detection and response (EDRs) platforms, etc., generate a lot of alerts, but because most are disjointed and lack context, by the time analysts sift through the noise, real threats can get through. To protect your organisation from ransomware, it’s important to be able to see alerts in the context of one another. This requires security consolidation, i.e., combining multiple siloed security controls into a central security platform. Extended detection and response (XDR) is a new cybersecurity solution that promises to do just that, but unfortunately may not be mature enough to walk the talk just yet. You can read our guide on extended detection and response here. You may also be interested to read our blog post on why cyber insurance may not be a good option for ransomware.
Stop Ransomware with SenseOn
SenseOn focuses on behaviour-based security to detect unknown threats and uses automation and AI to lighten your team’s load.
A self-driving cyber defence platform, SenseOn works 24/7, monitoring deviations from normal behaviour patterns to detect and automatically stop in-progress cyberattacks in seconds — faster than any human analyst.
Through proprietary technology called AI Triangulation, SenseOn automates investigation, bringing to analysts’ attention only genuine alerts and mapping each alert to the MITRE ATT&CK for context so that analysts don’t have to waste valuable time. In time-sensitive attacks like ransomware, SenseOn can also isolate devices autonomously to prevent lateral movement.
Try a demo of SenseOn today.
Resources
Explore our collection of eBooks, webinars, articles, and more to help you maximize your understanding of emerging threats, adversary techniques and how to detect cyber attacks.
Visit resource hub
Blog
Automating the MITRE ATT&CK Framework
Blog
Why I Stopped Using a SIEM – and Why You Should Too
Sign up to our newsletter
Join thousands of like-minded professionals who are already receiving our blog updates and best practice guides.