Ransomware has become one of the greatest cyber threats facing organizations in 2022. The impact of ransomware attacks is expanding, affecting not only computing systems and data but also our physical world.
In addition, ransom demands grow exponentially higher compared to previous years. In recent years, we have witnessed the rise of “Ransomware-as-a-Service” (RaaS) due to its ability to profit these criminal organizations.
Businesses can reduce the potential and impact of RaaS by deploying a robust identity and access management solution and enabling multi-factor authentication across all their accounts.
REvil (aka Sodinokibi) is the Ransomware-as-a-Service criminal gang responsible for some of the largest ransomware attacks in history, including the JBS ransomware and Kaseya supply chain incidents.
On 14th January 2022, Russia announced it had arrested 14 members of REvil. The move came at the request of the US authorities, who worked with international partners such as Europol to suppress the activities of the criminal group.
These arrests follow November’s announcement from Europol that seven arrests of REvil affiliates were made in the preceding months.
How do ransomware gangs optimize their business model?
RaaS as a subscription-based service continues to grow in popularity as it provides a low barrier for cybercriminals to enter the ransomware business and become an affiliate. More critically, this model also allows non-technical affiliates to execute ransomware attacks successfully.
The business model of RaaS groups is different from the traditional ransomware attacks in the past. Traditional ransomware criminals operated under a cohesive team that both built the malware and executed the attack.
In the RaaS model, at least two parties establish a business relationship: the developer and the affiliate.
The developer writes the malicious program, and the affiliate executes the attack and collects the ransom. In addition to these parties, security researchers have witnessed a third party assisting in the RaaS attacks – called “Service Provider”.
The “Service Provider” helps the affiliate at various stages of the ransomware attack, starting from selecting victims, providing exploits, and in the negotiations.
This business model helps the REvil activity be unaffected from the recent victories of law enforcement agencies. Early indications from security researchers demonstrate that the REvil activity is unchanged. This continued activity implies one of two scenarios:
-
The arrests have only impacted ‘middlemen’ within the criminal gang’s hierarchy
-
REvil’s ransomware-as-a-service model is resilient enough to survive disruption from law enforcement
These findings match a joint report on ransomware issued by the FBI, CISA, the NCSC, the ACSC, and the NSA. According to the report:
-
RaaS has become increasingly professionalized, with business models and processes now well established.
-
The business model complicates attribution because there are complex networks of developers, affiliates, and freelancers.
-
Ransomware groups share victim information with each other, diversifying the threat to targeted organizations.
The Connection Between Ransomware-as-a-Service and Access-as-a-Service
One of the most essential "Service Providers" to RaaS criminal organizations is Access-as-a-Service, known as Initial Access Brokers (IAB). IABs offer the covert access to a network required in the first stage of a ransomware attack.
Since time is money for every business, even criminal ones, the ransomware-as-a-service economy relies on IABs to reduce the need for extended reconnaissance or the time to find a method for entry.
Initial Access Brokers offer access-as-a-service for a price and these criminals provide ransomware attackers with an easy way into corporate networks, paving the way for the actual damaging attacks.
The Access-as-a-Service marketplace is the source of the disconnect between an initial corporate breach and the subsequent attacks that follow days or even months after.
IABs source the credentials they sell from many different places. These credentials can be in the public domain, purchased from other attackers, found from vulnerability exploitation, or are from other breaches.
One of the primary services that access brokers provide is credential validation. Regardless of the source of these credentials, IABs always try to verify if they work by either trying them manually or using specialized scripts that can do this at scale.
According to research by cybersecurity forum KELA, IABs sell initial access for $4600, and sales take between one and three days to finalize. Once access has been purchased, it takes up to a month for a ransomware attack to take place. At the very least, five known Russian-speaking ransomware operators are using IABs: LockBit, Avaddon, DarkSide, Conti, and BlackByte.
DarkSide is infamous for an attack on Colonial Pipeline that caused fuel panic-buying in the United States. Just before the Super Bowl kicked off, the San Francisco 49ers became the latest victim of BlackByte, who also named the organization on a leak website.
What are the Recommended Strategies to Defend Against RaaS?
Although security best practices such as having effective backup capabilities, segmenting networks, monitoring malicious emails, and shielding users from their effects are excellent preventive measures, corporate defense strategies should not be limited to these steps.
Deployment of effective and efficient identity and access management controls backed by strong access policies can significantly prevent the initial credential breach by IABs that allows a subsequent ransomware attack.
-
Monitor for public credential breaches. These breaches should raise red flags to look for signs of an infringement in your network.
-
If you suspect some of your credentials are out in the open, trigger a password reset for all users.
-
Strongly consider setting multi-factor authentication (MFA) for all your employees, partners, and suppliers. Do not limit MFA to only your privileged accounts since any employee is a potential target.
As Director of Product Marketing, Identity & Access Management (IAM) at Thales, Danna Bethlehem suggests that businesses move towards modern multi-factor authentication methods like FIDO2. She says, "FIDO2 offers a passwordless, multi-factor authentication," with "a high level of security while easing the login experience for employees."
-
Monitor user behavior by looking for things your employees should not be doing.
-
Consider using standard best practices on password policies, like the ones developed by NIST or ENISA.
-
Assume your employees have already lost their passwords to criminals, and therefore, you have been breached and are exposed. Then you would be compelled to implement a form of zero trust architecture and security posture across your network.
Ransomware criminals are advancing their business model, which is now increasingly based on purchasing access to target networks. Hence, the access-as-a-service market is rising in prominence and specialization.
If a company can protect itself from credential theft, it is better positioned to defend itself against any future ransomware attacks. The best defense strategy is establishing robust identity and access management and enabling multi-factor authentication across all your accounts in the framework of a zero-trust security policy.