By John Davis, UK & Ireland Director, SANS Institute.
Today’s subscription economy makes accessing nearly any service as easy as hitting enter. The same model has now entered the dark web. The same Netflix-style instant-access menu is now part and parcel of the online criminal’s lifestyle. Ransomware-as-a-Service (Raas) is opening up the hacking talent pool, giving amateurs access to sophisticated ransomware toolkits – a plug and play option that has seen hackers run rampant.
Once ad hoc acts were committed by hackers using simple phishing attacks to gain entry. They have now become complex and targeted, using the latest purchasable ‘toolkits’ allowing any dark actor to get a slice of the ransomware pie by simply subscribing to a ransomware toolkit.
A growing proportion of ransomware attacks are being carried out using the RaaS model and it is clear that the toolkit creators and their customers are cashing in. So, what can organisations do to ensure they aren’t victims of these cookie-cutter attacks?
Sophisticated criminal service providers
RaaS providers sell their services using sophisticated business and marketing strategies to appeal to hackers wanting maximum return for minimal effort. These providers operate in the grey zone between legal and illegal, marketing themselves on the dark web; they appeal to criminal clients interested in purchasing a single attack or even maintaining a retainer-style relationship for ongoing attacks. The client can pay a monthly fee for advice and assistance, usually in cryptocurrency. Like the best subscription providers, this can even include around-the-clock support that covers technical aspects of an attack and matters such as negotiations with a victim. The client also may share a portion of any payment extracted from a victim with the RaaS provider.
The RaaS model makes attribution of attack difficult but not impossible. In some cases, there are elements, such as snippets of malicious code, that can help authorities trace an attack back to a perpetrator known to be running a RaaS operation, and attackers, when caught, may give up relevant details.
RaaS providers sell expertise and prefer keeping the client at arm’s length to avoid detection and prosecution. Indeed, it can be harder to prosecute RaaS than conventional ransomware attacks because there are more moving parts, and they may move in several jurisdictions governed by competing laws and authorities. The advent of RaaS and ransomware, generally, have increased the impetus to harmonise laws and foster law enforcement cooperation in this area.
Cloud gives and takes
RaaS providers are taking advantage of IaaS (Infrastructre-as-a-Service) and the economics of cloud-based computing and storage the same way legitimate businesses do. The participation of most IaaS companies is usually unintentional. The desire to maintain their clients’ data security and their own reputations makes legitimate IaaS providers a formidable ally in the war against ransomware and RaaS providers.
Just as in legal, and commercial undertakings, ransomware skills are continually honed, and standards are elevated through competition. As RaaS providers raise their game, the stakes for potential targets are also raised. The threats they face will be more acute, at least until cybersecurity professionals and law enforcement raise their game and improve their methods for combating threats. Similarly, organisations that find themselves on the wrong end of an attack are not helpless.
Resisting the rise of RaaS
As the risk of RaaS attacks increases The Centre for Internet Security has shared a series of Critical Security Controls that should go a long way to fending off RaaS and other types of ransomware attacks and to mitigating damage should one occur. These include:
- Taking inventory of all electronic assets. Take stock of all fixed, portable, or mobile devices that can connect to your technology platforms. This will allow you to spot any unauthorised or unmonitored devices and remove them or make them secure. Do the same with software assets, including operating systems, programs, and apps. Review credentials and permissions for each employee, and limit access to files, folders, apps, programs, and external websites to those that are appropriate for their duties.
- Monitoring access points. Your infrastructure is most at risk of a breach at the points where it meets the outside world. Enhance malware detection and defence techniques, focusing particularly on these points and the means through which a breach is most likely to occur, such as web links and emails. This, plus a rigorous permissions regime, could prevent a considerable expenditure of time and money if Dave from accounting decides to click on the wrong Pornhub banner ad when he is supposed to be processing invoices.
- Anticipating vulnerabilities and responding to threats. Use industry resources to stay aware of the latest threats and ensure that your operating system and other software are updated, and patches applied when available. The most significant vulnerability is reusable passwords. Most financial services now require Multi-factor Authentication for login. Using this simple form of MFA stymies over 99% of all phishing attacks.
- Making the most of your human assets. If properly trained your employees can be an additional factor to aid in thwarting attackers. Their understanding of and reaction to ransomware attacks and other threats should be evaluated and sharpened through the development of security awareness programs that work to change user behaviour when presented with a bogus email or web page. There should be simulations of threat scenarios to put these procedures and preparations to the test.
- Investing in your security team’s skills and tools. There is a lot of concern about a “cybersecurity staffing shortfall,” but successful security organisations have found that there is more of a skills gap than a headcount shortfall. By upskilling security analysts in critical areas such as cloud security, purple teaming, and machine learning, you get a double benefit: the need for additional staff is reduced, and surveys show that security staff that get regular training are less likely to jump to another company for a salary increase.
Continual proactive protection
The RaaS model only increases the likelihood of an attack, making it a feasible option to a broader population of bad actors. There is now no choice but to take proactive steps to protect against this genuine threat, continually evaluating the threat backdrop and monitoring systems and people. When it comes to a potentially business-breaking attack, it’s increasingly not a question of if but when.