Ransomware-as-a-Service: SaaS' Evil Twin

As each year passes, the enterprise attack surface widens—leaving backdoors for malicious actors to exploit. While the rapid adoption of digital transformation by organizations is a great development, it comes with challenges. One of such challenges is ransomware groups, which caused over 50% of ransomware attacks between 2020 and 2022 alone.

“Ransomware groups” is an everyday word for ransomware developers (also called “operators”) that provide ransomware kits on a subscription-based model. Technically known as Ransomware-as-a-Service (RaaS), its business model mirrors Software-as-a-Service (Saas)—the cloud computing service that allows you to access applications (e.g., Slack and Gmail) through the internet without managing the underlying internet infrastructure.

Think of RaaS as “SaaS for cybercriminals”; it’s the illegitimate business that provides malware code for threat actors (or “affiliates”) to spread ransomware. RaaS makes ransomware accessible to anyone—amateur and professional malicious actors can access sophisticated ransomware kits. It's also cheap—subscriptions are as low as $50, a measly amount compared to ransom fees.

Malicious actors are using RaaS to spread ransomware at an alarming rate. This article will educate you about RaaS groups and protective measures against ransomware attacks.

Ransomware: The weaponized encryption malware

“...it [ransomware] is akin to someone stealing your archive and filing cabinets and [then] demanding a ransom to return it”—James Bores, security consultant at Bores Security and Consultancy.

Ransomware is malicious software that weaponizes encryption. It encrypts your data until you pay a ransom (in cryptocurrency or payment vouchers). Common methods used to spread ransomware attacks include:

1. Phishing: It’s the tech-speak for “fishing” for confidential data using deceptive tricks. Threat actors trick users into clicking ransomware-embedded links (e.g., ZIP files, PDFs, Word documents, or Excel spreadsheets). Once you click the link, your files are encrypted with ransomware within a predetermined interval.

   
   

   Phishing can be targeted toward an individual (spear phishing or whaling) or a group of people through malicious ads (malvertising) and emails. Email phishing is a major ransomware delivery vehicle. For instance, Datto, a cybersecurity and backup company, reported that phishing emails caused 54% of ransomware attacks in 2020.

   
   

2. Software vulnerabilities: Vulnerable software systems provide uncontested access to networks. Software vulnerabilities include coding errors (e.g., buffer overflows), bugs (software failures), poor accessibility and security configurations, a lack of two-factor authentication (2FA) systems, and weak or stolen login credentials.

   
   

   Ransomware groups relish taking advantage of software flaws to spread malware. In 2021, software vulnerabilities caused 14% of ransomware attacks—the third-highest attack avenue for ransomware groups.

   
   

   High-profile examples of ransomware attacks due to software vulnerabilities are the 2021 breaches at JBS (a US-based meat processing firm) and computer manufacturer Acer. The JBS attackers took advantage of leaked login credentials. In comparison, Acer attackers leveraged a Microsoft Exchange email server flaw.

3. Removable Media: Threat actors target removable media (e.g., USB sticks, smartphones, and external drives) because of lax security protection. For USB drives, bypassing infrastructural security checks enables hackers to deliver malicious software to network systems undetected. Removable devices are also the perfect vehicle to spread the Try2Cry and Spora ransomware because they can encrypt files offline.

   
   

   Like USB drives, smartphones—especially Android devices—are hackers' delight. Smartphones are vulnerable to ransomware attacks through fake app downloads,  smishing (SMS phishing), and unsecured WiFi connections. Common examples of mobile ransomware are Crypto-Ransomware and AndroidOS/MalLocker.B.

   
   

4. Remote Desktop Protocol (RDP): RDP creates private and secure connections to desktop applications from a remote location. Despite its encryption and remote access merits, RDP isn't without vulnerabilities. It’s susceptible to the following:

• Man-in-the-middle attacks: an eavesdropping technique that intercepts network traffic.**
  
• Brute-force attacks: a trial-and-error method for cracking login credentials.**
  
• Common Vulnerability and Exposure (CVE): a list of publicly known software flaws.

In 2020, open RDP access caused 20% of ransomware attacks. Typical examples of ransomware that exploit open RDP connections are Crysis and SamSam—the perpetrator of the Hancock Health hospital breach in 2018.

RaaS: The illegitimate SaaS

RaaS is a coordinated and bespoke approach to spreading ransomware attacks. It offers affiliates encryption tools in exchange for a commission, usually 20-30% of the ransom, or a monthly license fee.

According to Bores, RaaS thrives on collaboration between “access brokers” and cyber criminals. He said, “...there are criminal groups known as ‘access brokers’ who will find a way into an organization's network, and then sell that access to RaaS groups”. Access brokers do the “dirty work” to make breaches successful.

Bores further explained why the RaaS model is popular: “...anyone can now buy a RaaS subscription and use it to support their criminal financial gain where once criminals would need technical knowledge to build their system”.

Like SaaS providers, RaaS groups are innovative—they provide specialized malicious code to penetrate systems. Simon Jelley (Veritas Technologies GM) explained the innovativeness of RaaS to Forbes in 2021. He said, “Ransomware gangs are getting better at phishing and taking advantage of the latest developments in artificial intelligence and machine learning to slip past perimeter defenses such as antivirus and firewall software.”

The high technical intelligence means RaaS families can exploit vulnerabilities seamlessly. That's why it's unsurprising that Sophos (a UK-based security firm) revealed ransomware groups orchestrated all the ransomware attacks it surveyed in 2020. The major perpetrators were Conti (16%), REvil (15%), Ryuk (9%), Lockbit (4%), Ragnarok (4%), and DarkSide (3%).

3 ways to guard against ransomware

Ransomware is everywhere. But it doesn't have to get to you. Here's how you can protect your digital systems against ransomware attacks.

1. Update your software

   In 2021, 4 out of every top 5 vulnerabilities were new vulnerabilities, including the notorious Log4j CVE. This is why you must install the latest security updates—it'll help you fix the latest software bugs and errors.

   
   

2. Apply zero-trust security

   Ransomware gangs thrive on user recklessness and gullibility. This is why weak passwords or poor access management (21%), poor user practice (27%), and stolen credentials (10%) were frequent causes of ransomware attacks in 2020.

   
   

   Zero-trust security thwarts recklessness and hinders unauthorized entries. It operates on a “never trust, always verify” policy. It requires continuous authentication from every user and device, internal or external, before granting access. With Zero Trust security, one-time authentication is insufficient because threats and vulnerabilities are dynamic, especially with the sophisticated presence of RaaS.

   
   

   Zero trust is distinct from the traditional “trust but verify” approach that puts your data at risk against malicious insiders. Its advanced identity management policies significantly reduce attack surfaces for malicious actors to exploit.

3. Backup your data

   Data backup—an archive of your data—is a recovery technique to control the impact of ransomware attacks. The 3-2-1 rule is the golden backup strategy where you store three copies (one primary copy and two backup copies) of your data on two different media (e.g., tape or local drive) with one offsite copy.

   
   

   But ransomware gangs (e.g., Sabbath and Conti) also target data backups. To tighten the security of your backups, do the following:

• Create air gaps: Air gaps have zero connections to a device or network—it's an "airtight" security system. With air gaps, you can store your backup data in an offline location different from the data production environment. Air gaps make data intrusion difficult because only authorized entities can access the ultra-secure site of the data.

• Encrypt your backups: It's insufficient to make data inaccessible; you must make it unreadable—and that's what encryption does. Encrypted backups convert your readable data to incomprehensible texts. It ensures the safety of your data, whether it's stored on your device (“in rest”) or transmitted between networks (“in transit”).

• Create immutable backups: Immutability is a defense mechanism that protects your backup data against any modification. An immutable backup is fixed and locked—no one can modify your data regardless of intention.  Also known as Write-Once-Read-Many (WORM) storage, immutability preserves data integrity and availability in case of ransomware attacks.

Will RaaS groups go away?

As IBM revealed in its X-Force Threat Intelligence Index 2022, ransomware groups are behind most cyber breaches. Ransomware groups are also growing—according to Statista, over 120 new RaaS groups were formed between 2015 and 2020.

Besides, RaaS gangs have a short lifespan—on average, they rebrand (or shut down) after 18 months. Their exponential growth, illicit hydra-like rebranding, and high technical intelligence make them elusive and difficult to track.

To deal with RaaS, you must be proactive. Your first steps toward security proactiveness start with what you learned in this article—routinely apply security fixes, create secure backups, and use advanced authentication protocols (Zero Trust). These measures aren't silver bullets against ransomware families, but they'll help you identify and fix potential gaps RaaS groups can exploit.