Individuals looking to launch costly attacks on large organisations don’t need to be skilled hackers. Thanks to ransomware as a service (RaaS), prospective attackers can easily equip themselves with the necessary tools and techniques.
This newfound accessibility of cybercrime has led to a 63.2% increase in the number of RaaS and extortion groups in the first quarter of 2022. Trend Micro Research's 2022 Midyear Cybersecurity Report found that over 50 active RaaS and extortion groups victimised more than 1,200 organisations in the first half of 2022.
This article will provide an overview of RaaS, its common families and techniques, and tips on how to prevent ransomware attacks and strengthen your cybersecurity posture.
What is Ransomware as a Service (RaaS)?
Credited as one of the reasons ransomware attacks continue to grow, RaaS is modelled on SaaS: it involves selling or renting ransomware capabilities to buyers (called affiliates). Among the key players in this ecosystem are the operators, who develop and sell the ransomware. They are usually part of a larger group with designated roles.
The following are some unique traits about RaaS:
- Most RaaS operators recruit affiliates who perform the ransomware attack
- RaaS operators split the ransom amounts with their affiliates (splits can vary from a little to a lot, depending on how much the RaaS operator supports the attack)
- Ransomware kits can range from very sophisticated to quite limited
- If law enforcement does make arrests, it typically will be the affiliates, not the RaaS gangs
How does ransomware as a service work?
RaaS operators figured out quickly that they couldn’t scale their operations alone, and the affiliate model had already worked in other areas of cybercrime. It allows them to scale globally and reap more profit without the overhead. The more people that purchase the ransomware, the more attacks and victims.
Therefore, marketing and recruitment are just as important in the underground world; RaaS operators have invested as much as USD$1 million in recruitment efforts.
To ensure they can recruit affiliates, many RaaS operators have had to improve their offerings, since there are many competitors out there nowadays. This means more sophisticated tools, interfaces that allow affiliates to track and manage their attacks, and even lists of potential victims that operators can supply to their affiliates.
However, this isn’t a free-for-all. To increase the chances of a big payout, RaaS operators or affiliates are very selective when choosing a target. For example, Trend Micro Research observed many public and private group discussions about avoiding specific countries like Taiwan, due to strict anti-money laundering policies that make it difficult to purchase cryptocurrency to pay the ransom.
RaaS operators are also taking a bigger role in picking victims, as high-profile targets could garner the attention of governments and/or law enforcement agencies (LEA), a direct consequence of the Colonial Pipeline attack.
Ransomware families used by RaaS operators and affiliates
The RaaS model has been adopted by most modern ransomware families. In fact, our 2021 midyear cybersecurity report determined that 8 of the top 10 most detected ransomware families have been used by RaaS operators and affiliates at some point.
In the first half of 2022, three RaaS threat actors stood above the rest: Conti, LockBit, and BlackCat.
Here’s a deeper look at some of the most prevalent RaaS families in 2022 thus far:
Conti
Known for using malspam and exploiting n-day vulnerabilities, Conti continues its reign as one of the top active ransomware families. Conti has amassed more than 1,000 victims and payouts amounting to more than US$150 million as of January 2022, making it one of the costliest ransomware families to date.
Previously estimated to be one of the largest ransomware families in operation, it appears to have recently disbanded and will likely either re-form as a new group or be absorbed into other groups.
LockBit
LockBit has been active since 2019 and recently morphed into LockBit 3.0, or LockBit Black, becoming a more formidable threat since incorporating double extortion into its playbook.
LockBit detections dramatically increased to 1,843 in the first half of 2022, compared to only 341 in the first half of 2021. LockBit operators have also claimed to have breached France’s Ministry of Justice.
BlackCat (aka AlphaVM or AlphaV)
By March 2022, BlackCat had successfully compromised at least 60 organisations. It gained initial notoriety for being the first professional ransomware family written in the Rust programming language, which is known for its memory safety and its support for concurrent processing.
BlackCat typically exploits exposed and vulnerable applications to gain access to target systems, then uses third-party frameworks and toolsets such as Cobalt Strike to deliver the ransomware.
Black Basta
Since emerging in April 2022, Black Basta has blitzed nearly 50 organisations. Because the ransomware family is a new addition, there is limited information on the scope and structure of its operation. However, Trend Micro Research reported that Black Basta uses a sophisticated encryption routine as well as a double extortion technique to persuade victims to pay up. Furthermore, its ransom note is hard-coded into the malware itself, which suggests it may use a unique binary for each victim.
Connections to other ransomware and APT groups have been noted. MalwareHunterTeam tweeted about many similarities between Black Basta and Conti, while Trend Micro Research found correlations between Black Basta and QakBot.
SolidBit
Trend Micro Research analysed a sample of a new SolidBit ransomware variant targeting users of popular video games and social media platforms. It has been disguised as different applications, including a League of Legends account checker tool and an Instagram follower bot, to lure in victims. The malicious actors behind the variant also posted a job advertisement on an underground forum in June 2022 to recruit potential affiliates for their ransomware as a service activities. Affiliates stand to gain 80% of the ransom payment as a commission.
How to prevent ransomware attacks
Ransomware remains, and always will be, a threat to businesses of all sizes. Organisations can no longer take a reactive approach to cybersecurity. As ransom demands increase significantly, cyber insurance carriers have mandated strict anti-ransomware security controls for organisations applying for or renewing coverage. Consider these 5 security practices to prevent ransomware attacks:
5 steps to defend against ransomware
1. Leverage cybersecurity frameworks from the Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST) for thorough guidance on prioritisation and resource management, as well as on filling any gaps that could be exploited by attackers.
2. Leverage a unified cybersecurity platform to eliminate the lack of visibility and the security gaps caused by disparate point products. Choose a platform that continuously monitors the entire attack surface for early signs of an attack and uses advanced detection techniques such as AI-powered technologies, machine learning, and XDR.
3. Follow a zero trust approach to network security by implementing Zero Trust Network Access (ZTNA) technology. ZTNA protects the network by validating access at a point in time (checking that patches are installed, that the app is domain-connected, and so on) and by authenticating the user’s identity via multifactor authentication (MFA). It also continuously monitors the user and device for risky behaviour and terminates access if any is detected.
4. Regularly back up your files: practise the 3-2-1 rule by creating three backups in two different formats, with one stored offsite.
5. Train and test your defence strategy by cultivating a security-aware culture. This includes developing and conducting regular security skills assessments and training, as well as red team exercises and penetration tests.
To continue improving your attack surface management against RaaS operators, check out the following resources: