Ransomware as a Service (“RaaS”) is a business model in which malicious actors sell ready-to-use ransomware tools as a commodity that affiliates use to launch ransomware attacks. RaaS has been referred to as the ‘democratisation’ of ransomware, enabling threat actors of any skill level to launch a ransomware attack – without having to write a single line of code.
As background, ransomware is a form of malicious software (“malware”) that encrypts a user’s data, preventing them from accessing the resources they need to operate their business. To unlock their files, the victim must pay a ransom – typically in the form of hard-to-trace cryptocurrency. Read our ransomware 101 blog for more information on the fundamentals of this malware.
In 2021, security agencies across the United Kingdom, United States and Australia shared a joint cybersecurity advisory, noting “an increase in sophisticated, high-impact ransomware incidents against critical infrastructure organisations globally.” It is widely suspected that the rise of RaaS has driven this uptick in ransomware attacks.
Below, we will explore how RaaS works, why it is dangerous to businesses and how to improve your defences.
How does Ransomware as a Service work?
In the same way that organisations can purchase Software as a Service (SaaS), malicious actors can purchase Ransomware as a Service. It’s helpful to think of the RaaS model in terms of a hierarchy. At the top of this hierarchy is the RaaS developer, the group or individual that authors the ransomware code.
The developer either sells this code to an affiliate for a fee or licenses them to use it for a percentage share of any income. The affiliate will then carry out attacks using the code – perhaps embedding it into a malicious attachment in a phishing email or on a fraudulent website.
Developers can sell their code to hundreds – possibly thousands – of affiliates. In 2020, the top ransomware variant was Sodinokibi, a RaaS variant with a 26.7% market share, according to a Coveware ransomware report.
RaaS benefits both developers and affiliates. Developers can scale their earnings to a level they would have been unable to reach by carrying out ransomware attacks on their own. At the same time, affiliates can access tools that were previously beyond their technical capabilities.
For businesses, though, the democratisation of ransomware means the risk of an attack is higher than ever. Ransomware is no longer confined to a select few individuals with the technical expertise to develop the code; any attacker with malicious intent can now launch an attack.
This represents an immediate and severe threat to business operations. Unlike many other security incidents, which involve the covert exfiltration of sensitive data, ransomware causes immediate disruption, preventing access to mission-critical systems and data. On top of this, paying the ransom can have a severe financial impact on the victim – and does not even guarantee that the threat actor will restore access to their files.
To make matters worse, the threat actors responsible for ransomware attacks will often put pressure on their victims, threatening to release sensitive data to the public or to competitors in order to persuade the victim to pay. In line with this, security firm Sophos’s ransomware study estimates that the cost of a ransomware attack for a company was roughly $1.85 million in 2021, taking into account downtime, lost business opportunities, public relations services and the cost of the ransom itself.
How to protect your business from RaaS and ransomware
Fortunately, organisations can put in place strategies to mitigate the impact of potential ransomware attacks. While it is not always possible to prevent a ransomware attack from occurring, companies can improve their ability to respond to these incidents and minimise the damage caused.
Mitigating ransomware and RaaS incidents can be separated into three buckets: preparation, prevention and response.
Preparation
Even companies with a mature security posture cannot guarantee that a ransomware attack won’t occur. To reduce the potential impact of such an attack, organisations should prepare for the worst and put in place the policies, solutions and procedures that will assist in recovery.
As part of this, maintaining encrypted backups of data is essential. Backups are copies of your information stored in an offsite location – increasingly in the cloud. They matter because ransomware impedes access to your company data – and some ransomware variants delete data altogether if the ransom is not paid. By backing up your data, you can restore information in the event of an attack. For more details on how to back up your data, we advise reading the NCSC’s guidance on backups.
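A backup only helps if it is still intact when you need it, and ransomware that reaches a backup share will overwrite or delete the copies there. The script below is an added example written for this article (it is not the article’s or the NCSC’s code): it records a SHA-256 digest for every file in a backup set, wraps the manifest in an HMAC so the manifest itself cannot be silently edited, and later reports which files are unchanged, modified or missing. The directory layout, file contents and the key are all constructed for the demonstration; in practice the key would live in a secret store held separately from the backup location.

```python
"""Build and verify an integrity manifest for a backup set.

Added example for this article, not the article's own code. Assumes the
backup set is a directory on local disk; the HMAC key below is a placeholder.
"""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def sign_manifest(manifest: dict, key: bytes) -> dict:
    """Attach an HMAC so that an edited manifest is detectable without the key."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return {"files": manifest, "hmac": hmac.new(key, body, "sha256").hexdigest()}


def verify_manifest(root: Path, signed: dict, key: bytes) -> dict:
    """Return {relative_path: 'ok' | 'modified' | 'missing'}.

    Raises ValueError if the manifest's HMAC does not verify, i.e. the
    manifest itself was altered rather than the files it describes.
    """
    body = json.dumps(signed["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, "sha256").hexdigest()
    if not hmac.compare_digest(expected, signed["hmac"]):
        raise ValueError("manifest HMAC mismatch: manifest has been altered")
    result = {}
    for rel, digest in signed["files"].items():
        p = root / rel
        if not p.is_file():
            result[rel] = "missing"
        elif sha256_file(p) != digest:
            result[rel] = "modified"
        else:
            result[rel] = "ok"
    return result


def demo(tamper_manifest: bool = False):
    """Constructed scenario: back up two files, then simulate damage to the set."""
    key = b"constructed-demo-key"  # placeholder, not a real secret
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ledger.csv").write_text("id,amount\n1,100\n")
        (root / "notes.txt").write_text("quarterly review\n")
        signed = sign_manifest(build_manifest(root), key)
        if tamper_manifest:
            # Someone edits the manifest to hide a deleted file; the HMAC catches it.
            signed["files"].pop("notes.txt")
            try:
                verify_manifest(root, signed, key)
            except ValueError:
                return "manifest-tampered"
            return "tamper-not-detected"
        # Simulate ransomware overwriting one backup file and deleting another.
        (root / "ledger.csv").write_bytes(os.urandom(32))
        (root / "notes.txt").unlink()
        return verify_manifest(root, signed, key)


if __name__ == "__main__":
    print(demo())  # {'ledger.csv': 'modified', 'notes.txt': 'missing'}
```

Run the verification on a schedule against every backup copy, not just the primary one, and keep the manifest and key somewhere the backup host cannot write to; a manifest stored beside the backups can be encrypted along with them.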
Another integral part of preparation is incident response planning. This helps you map out how you would detect and respond to a ransomware attack, so your organisation feels prepared and confident in the event of a security incident. We have written detailed guidance on incident response planning to help with this.
A good incident response plan is complemented by thorough practice. Tabletop exercises are an excellent way to rehearse and validate your response plan by simulating the high-pressure environment of a real-world attack.
Prevention
There is no single way in which ransomware infects a corporate network. Phishing emails, credential compromise and unpatched vulnerabilities are all common attack vectors. To that end, organisations must take a holistic approach to prevention that takes into account people, processes and technology.
If you’re a small or medium-sized enterprise (“SME”), we suggest you start with the National Cyber Security Centre (“NCSC”) flagship standard of Cyber Essentials, which recommends five simple actions to protect your organisation:
- Use a firewall to secure your internet connection
- Choose the most secure settings for your devices and software
- Control who has access to your data and services
- Protect yourself from viruses and other malware
- Keep your devices and software up to date
Response
The starting point in responding to any ransomware incident is detection. As part of your incident response preparation, you should have tools in place to help automate this process, including anti-malware, IDS/IPS, a SIEM, or even an in-house or managed SOC service.
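One signal a SIEM or file-server audit log can surface is the encryption burst itself: a single user on a single host renaming many files to a new extension within seconds. The detector below is an added example written for this article (not the article’s code and not a vendor’s rule); the log line format, host names and timestamps are constructed for illustration, and the sixty-second window and threshold of ten renames are assumed starting values that you would tune against your own baseline.

```python
"""Flag hosts showing a burst of extension-changing renames, a common sign of
ransomware encrypting files in place.

Added example for this article, not the article's own code. The log format
and the sample events are constructed; window and threshold are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed log format: "<ISO time> host=<h> user=<u> op=<op> path=<p> [new=<p2>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) op=(?P<op>\S+) "
    r"path=(?P<path>\S+)(?: new=(?P<new>\S+))?$"
)


def parse(line: str):
    """Parse one log line into a dict, or return None for lines we don't understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def extension(path: str) -> str:
    """Lower-cased final extension, or '' when the file name has none."""
    _, dot, ext = path.rpartition(".")
    return ext.lower() if dot and "/" not in ext else ""


def detect_bursts(lines, window=timedelta(seconds=60), threshold=10):
    """Return one alert per host whose extension-changing renames reach
    `threshold` inside any sliding `window`."""
    recent = defaultdict(deque)  # host -> timestamps of suspicious renames
    alerted, alerts = set(), []
    for raw in lines:
        ev = parse(raw)
        if not ev or ev["op"] != "rename" or not ev["new"]:
            continue
        if extension(ev["path"]) == extension(ev["new"]):
            continue  # ordinary rename: extension unchanged
        q = recent[ev["host"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()  # drop events that fell out of the window
        if len(q) >= threshold and ev["host"] not in alerted:
            alerted.add(ev["host"])
            alerts.append({
                "host": ev["host"],
                "user": ev["user"],
                "count": len(q),
                "first": q[0].isoformat(),
                "new_ext": extension(ev["new"]),
            })
    return alerts


# Constructed sample log: normal activity on ws-03, an encryption burst on ws-17.
BASE = datetime(2024, 3, 1, 9, 15, 0, tzinfo=timezone.utc)


def _line(ts, host, user, op, path, new=None):
    s = f"{ts.strftime('%Y-%m-%dT%H:%M:%SZ')} host={host} user={user} op={op} path={path}"
    return s + (f" new={new}" if new else "")


SAMPLE_LOG = [
    _line(BASE, "ws-03", "bob", "write", "/share/hr/policy.docx"),
    _line(BASE + timedelta(seconds=5), "ws-03", "bob", "rename",
          "/share/hr/draft.docx", "/share/hr/policy_v2.docx"),
] + [
    _line(BASE + timedelta(seconds=2 * i), "ws-17", "alice", "rename",
          f"/share/fin/report{i}.xlsx", f"/share/fin/report{i}.xlsx.locked")
    for i in range(12)
]

if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_LOG):
        print(alert)
```

The alert fires on the tenth suspicious rename, while the burst is still in progress, which is the point: the faster the host and account are isolated, the fewer files are encrypted. Feed the same logic with your file server’s audit events or your EDR’s file telemetry rather than the constructed lines above.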
Once a ransomware variant has been detected, your company must move swiftly to contain the attack and, where possible, halt it from spreading throughout your systems. This involves identifying all impacted systems and those that are at risk of being infected. Success during this phase will depend heavily on the execution of your incident response plan.
You must work to contain the breach – disconnect affected systems from the network, segregate network sections, disable compromised user accounts and advise users not to connect to or use specific systems. This will prevent the ransomware from encrypting further systems, aiding business continuity.
From there, you can move to eradication, where you completely remove ransomware from infected systems. For a detailed overview of how to respond to a ransomware attack, we advise reviewing the Ransomware Response Checklist, which can help you to streamline your response to an attack.
If you need help or advice on how to manage your business’s cyber security, we’re here to help. We can advise on your security vulnerabilities, select the right security technology and check that your systems are configured correctly. We can also put policies in place and run staff training exercises. Contact us for a friendly chat.