The reality of ransomware-as-a-service

First things first: what exactly is ransomware-as-a-service (RaaS)?

Wouter: “To understand RaaS, we first need to know what ransomware is. Simply put, it’s a specific type of malware that encrypts an organization’s files, making them unreadable. In exchange for the decryption key, the affected organization has to pay the attacker a ransom. These can go up to millions of dollars. The largest known ransom demand to date was made to computer giant Acer in March 2021, by notorious hacker group REvil (Ransomware Evil). Pricetag: a whopping USD 50 million. 

“Over the last few years, we’ve witnessed an exponential rise in ransomware attacks. It’s expected that the global cost of ransomware will go up to USD 265 billion by 2031. One of the main reasons for this is ‘ransomware-as-a-service’. As you might have guessed, the business model is similar to software-as-a-service: professional hacker groups, such as REvil, DarkSide and others, create highly sophisticated ransomware and franchise it to bad actors. In return, they receive either a fixed price or a percentage of the ransom. Their services include not only the ransomware itself, but also encryption and ransom collection tools, communications and email templates, … even a 24/7 help desk. They really got the end-to-end covered.” 

What makes RaaS so dangerous?

Wouter: “The RaaS model means that these hacker groups don’t have to actively search for targets anymore. Instead, they can focus on developing increasingly sophisticated software, tactics and techniques. In addition, we’re witnessing an uptake in the ‘double extortion’ model, in which attackers also threaten to make sensitive files public (exfiltration). There is even triple and quadruple extortion, which include DDoS attacks and direct communication with customers or other stakeholders.

“But perhaps even more crucially, the emergence of RaaS means that every organization, no matter how small, has become a potential target. Say, for example, that you’re running a small local business. Without investing much time or energy, someone – criminals, or a competitor – could carry out a ransomware attack using REvil’s services.” 

How often do businesses pay up?

Wouter: “The rise of multi-level extortion practices means more organizations are willing to pay. Since paying the ransom is actually illegal in many countries there are no exact numbers, but estimates indicate that nearly one third of victims pays up in the end. Most of these are smaller businesses who are more vulnerable to downtime of one or more services, or didn’t have the resources to set up the necessary recovery systems. But large organizations aren’t immune either. Remember the attack on the Colonial Pipeline in the US in May 2021?”

How does ransomware get in, and how can business protect themselves?

Wouter: “There are lots of potential entry points, from email and brokers to active hacking via password stuffing. IoT devices are increasingly targeted as well, as they often share the same network with other company IT infrastructure.

“A successful cyberattack is almost never caused by one specific vulnerability or oversight, but by a cascade of things. It starts with a minor misconfiguration in a firewall, which then enables access to a printer that is, in turn, connected to another company server, which maybe has a weak admin password, etc. 

“As IT professionals, we often think in silos, with each part of the infrastructure having its own team of specialists. This increases the chances of miscommunication between departments, which is a weakness hackers love to exploit. Protecting your business thus requires a holistic approach, with continuous, pro-active and automated monitoring to keep things manageable.”