Ransomware is still one of the biggest cyber threats to organisations in the UK, and ransomware-as-a-service (RaaS) is one of the main trends driving ransomware risk.
According to one report, ransomware attacks increased by 112%. Although huge, this number might not even paint the full picture. British authorities are “increasingly concerned” victims are keeping incidents secret.
RaaS groups like Conti and LockBit appear to be behind most ransomware campaigns. For example, in January 2023, Britain’s multinational postal service Royal Mail was attacked by LockBit, which left a ransom note demanding £67 million.
Although extremely dangerous, RaaS attacks can be stopped. Read on to learn how.
Similar to how software as a service (SaaS) has democratised access to enterprise-grade business tools, powerful ransomware is now available on subscription.
Previously the preserve of well-funded or state-backed threat actors, the emergence of RaaS business models via dark web forums means that even inexperienced criminals can now launch attacks capable of crippling both private organisations and state bodies.
Ransomware developers typically use one of the following revenue models:
Alongside the fact that RaaS enables more threat actors than ever to engage in cybercrime, this profit driver also helps grow extortion demands, as affiliates ask for higher ransoms to cover the cost of the RaaS kit or the commission due to the RaaS operator.
The RaaS model does have a downside for malware developers, though. RaaS operators may not always be able to control who their affiliates target.
Remember the infamous attack on Colonial Pipeline? DarkSide, the ransomware gang responsible for it, tried to distance itself from the incident, saying, “We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for other motives. Our goal is to make money and not creating problems for society.”
DarkSide has since quit the RaaS business, citing disruption to its operations, including lost access to its public-facing portal and funds that were apparently transferred from its Bitcoin wallet to an unknown account by the Federal Bureau of Investigation (FBI). As a result, other ransomware groups, such as Avaddon and REvil (also known as Sodinokibi), announced new rules for their affiliates, such as a ban on targeting government-affiliated entities, healthcare organisations, and educational institutions.
However, whether RaaS operators will be able to enforce these rules is questionable. After their ransom demands were not met, ransomware attackers leaked confidential data from over a dozen UK schools.
Learn more: Are you ransomware attackers’ ideal victim?
This is bad news for organisations in what might be described as “morally untouchable” industries – they are under as much threat from RaaS as companies typically seen as “fair game.”
Hackers have long realised that just paralysing a victim’s operations may not be enough to get a ransom payment — particularly when backups are available.
As a result, modern ransomware strains don’t just focus on encrypting victims’ systems but also exfiltrate data. This capability unlocks a new tactic for threat actors known as “double extortion,” where the threat of having sensitive information exposed online is used to pressure wavering victims into paying.
Sometimes, victims even have to pay twice: once for the decryption of their data and once to ensure the data isn’t published on a leak site. To put even more pressure on their victims, attackers may overload their websites with DDoS attacks.
As if double extortion wasn’t alarming enough, hackers can also use triple extortion tactics. In triple extortion, hackers not only steal data from an organisation and threaten to leak it if they don’t pay but also go after the data owners themselves. In October 2020, cybercriminals who hacked a Finnish psychotherapy clinic demanded ransom payments from both the clinic and the patients.
Despite the UK government’s efforts to fight back against ransomware attacks through offensive security and sanctions on members of ransomware groups, the current threat landscape is unfortunately as bleak as ever.
Even though most enterprises now deploy around 45 cybersecurity tools on their networks, the average security operations centre’s (SOC’s) ability to contain threats has decreased by 13%. Increased spending on cybersecurity solutions appears to be giving organisations less rather than more security. Indeed, about 40% of organisations are so overwhelmed by security alerts that they have no choice but to ignore at least 25% of them (read our blog post on the hidden cost of alert fatigue in cybersecurity). You can imagine the kind of impact this has on incident response.
Learn more: Reducing ransomware risk through security tool consolidation.
What this paradox shows is that, as organisations ramp up cybersecurity budgets, they need to take a proactive approach to cybersecurity rather than simply buying more tools. Security leaders need to focus on the following:
SenseOn focuses on behaviour-based security to detect unknown threats and uses automation and AI to lighten your team’s load.
A self-driving cyber defence platform, SenseOn works 24/7, monitoring deviations from normal behaviour patterns to detect and automatically stop in-progress cyberattacks in seconds — faster than any human analyst.
Through proprietary technology called AI Triangulation, SenseOn automates investigation, bringing to analysts’ attention only genuine alerts and mapping each alert to the MITRE ATT&CK framework for context so that analysts don’t have to waste valuable time. In time-sensitive attacks like ransomware, SenseOn can also isolate devices autonomously to prevent lateral movement.
Try a demo of SenseOn today.