Credential theft food chain—What is Ransomware-as-a-Service

September 13, 2022  |  Ross Moore

This blog was written by an independent guest blogger.

Anyone who has watched the Lockpicking Lawyer realizes that certain locks promoted as the latest-and-greatest arent necessarily the most reliable devices for securing physical assets. Like many other security professionals, he seeks to educate consumers and manufacturers on defects in devices and how to improve their security. It reminds me of a quote by Deviant Ollam (security auditor and penetration testing consultant): "Security is achieved through openness. Take things apart and play with them... exposing bad security is what protects us all."

This preemptive step of testing security is vital because, while the defenders are actively finding security holes, so are criminals. Criminals – in this current context, cybercriminals – are looking to do all kinds of disruptive or destructive activities, whether its a straightforward denial of service attack on one end of the spectrum to a full-scale attempt to take down a government or critical infrastructure by whatever means possible on the other.

These threat actors start by stealing credentials, focusing on those that give access to servers and other corporate assets, though individual non-admin accounts are not out of their sight. What sets them apart from many other thieves is that they dont use the credentials themselves to gain entry. Either the credential thieves are Initial Access Brokers (IABs), or they sell these credentials sets to IABs, who turn around and sell these to customers and affiliates who are organized underground (aka Dark Web) threat actors. While it is not necessarily simple or straightforward, this is the entry point for the topic at hand: Ransomware-as-a-Service.

What is Ransomware as a Service (RaaS)?

Ransomware as a Service (RaaS) is Conti attacking numerous healthcare, first responder, and law enforcement agencies in early 2021.

RaaS is Lockbit 2.0 attacking a Bulgarian refugee agency.

RaaS is REvil abusing Kaseya Virtual Systems Administrator (VSA) to attack Managed Security Service Providers.

RaaS, though illegal, is a valid and highly efficient business model, similar to the Software-as-a-Service (SaaS) model. Ransomware operators create ransomware attacks, then customers, or affiliates, can buy those services and launch the attacks. RaaS syndicates may offer different tiers of services, including technical support, bundles, and community forums.

How the RaaS model operates

Because it is a business model, the success of affiliates plays a part in the sales strategy. The better affiliates perform, the better chance they have of being noticed by other groups for future sales and engagement opportunities.

One aspect of attempting to increase market performance is Big Game Hunting (BGH). In scoping out ransomware victims, one target has been large organizations whose industries include Healthcare, Manufacturing, Managed Services, Media, and Government agencies.

While BGH seems intuitive (low effort, enormous payoff), there has been a decrease in its activity recently. This drop-off is most likely due to US authorities focusing on protecting those industries and successfully combatting ransomware activities (e.g., retrieving some of the ransom paid by Colonial Pipeline). Due to the increased investigation, RaaS has moved more toward mid-sized industries, but is still highly successful.

Why the success? Like the old saying goes: Why did I rob the bank? Because thats where the money is.” From 2013 to 2019, ransomware brought in over $144 million for criminals. In 2020 alone, ransomware groups extorted $692 million. RaaS not only works, but it is lucrative and demonstrates exponential growth.

Preventing RaaS attacks

There are many ways to protect oneself from RaaS attacks. Here are some common and proven approaches for data defense:

Zero Trust

No product or suite of tools that achieves this, but Zero Trust (ZT) is a mindset. ZT can be used as a hanger from which all other security controls hang.

Phishing training

This can be purchased, obtained for free (e.g., Cofense), or created in-house (e.g., using Moodle). There are numerous options for protecting Layer 8.

Identity and Access Management (IAM)

Being able to set granular controls to ensure only the proper individuals access the proper resources is a key component of attack prevention. This includes monitoring, logging, alerting anomalous activity, and denying suspicious logins.

Two-factor/Multi-factor Authentication

MFA and 2FA get bad publicity at times because they can be circumvented. In truth, any security can be circumvented given the right resources (knowledge, software, access, etc.), but that shouldnt keep anyone from implementing layered security. The percentage of attacks stopped by 2FA/MFA varies, but using it makes theft just that much harder, and for some, the prevention was 100%. MFA is a strong security authentication addition to anyones defense strategy.

Backup and restore-ready

There will always be a debate about the best way to back up data (tape, cloud, hybrid, local, scheduled, real-time, etc.; and all dependent on ones resources), but there's no doubt about the need to back up data and to ensure it can be restored. While even the restoration strategy can be debated (e.g., 3-2-1, incremental, differential), being able to restore slowly is better than not at all.

Education on the ransomware ecosystem

While RaaS is a huge industry, its also run by people, and people can be turncoats. One example is to being aware of events such as the Conti Leaks. Like the "Panama Papers", the Conti Leaks, leaked by a disgruntled former Conti employee, provide the inner workings of one of the most successful ransomware groups. This helped the world-at-large better understand RaaS.

Understand the business risk

Keep up with the latest attack trends against your industry. According to the FBIs 2021 IC3 Report, Conti (though not in business anymore, at least by that name) often targeted manufacturing, commercial facilities, and Food/Agriculture; Lockbit 2.0 has focused its efforts on government facilities, healthcare, and financial services; and REvil targeted financial services, IT, and healthcare. Knowing where attacks may come from puts organizations in a better position to be on the lookout for IoCs.

If compromised, dont pay the ransom

This might not seem like a tactic for prevention or protection, but its a longer-term approach. Paying may seem like a valid option, but in the long run, it has a couple of negative results:

  • Discourages proper security

A similar attitude prevails when consumers rely on payment card providers to return money lost in fraudulent transactions while simultaneously not setting relevant account alerts, not using good passwords, or setting other controls (such as 2FA) on their accounts, which could have prevented the theft to begin with. There’s a financial burden placed on others or displaced to the future.

  • Encourages crime

Not only do the criminals end up getting their money, but they also realize who they can attack again.

Theres no doubt that RaaS is a tremendous negative force to reckon with, but there are also good forces out there ready to provide the right resources to protect individuals and organizations. With the right people, processes, and technology, data defense is realistic and feasible.

Share this with others

Featured resources



2024 Futures Report

Get price Free trial