This blog was written by an independent guest blogger.
Anyone who has watched the Lockpicking Lawyer realizes that certain locks promoted as the latest-and-greatest aren’t necessarily the most reliable devices for securing physical assets. Like many other security professionals, he seeks to educate consumers and manufacturers on defects in devices and how to improve their security. It reminds me of a quote by Deviant Ollam (security auditor and penetration testing consultant): "Security is achieved through openness. Take things apart and play with them... exposing bad security is what protects us all."
This preemptive step of testing security is vital because, while the defenders are actively finding security holes, so are criminals. Criminals – in this current context, cybercriminals – are looking to do all kinds of disruptive or destructive activities, whether it’s a straightforward denial of service attack on one end of the spectrum to a full-scale attempt to take down a government or critical infrastructure by whatever means possible on the other.
These threat actors start by stealing credentials, focusing on those that give access to servers and other corporate assets, though individual non-admin accounts are not out of their sight. What sets them apart from many other thieves is that they don’t use the credentials themselves to gain entry. Either the credential thieves are Initial Access Brokers (IABs), or they sell these credentials sets to IABs, who turn around and sell these to customers and affiliates who are organized underground (aka Dark Web) threat actors. While it is not necessarily simple or straightforward, this is the entry point for the topic at hand: Ransomware-as-a-Service.
What is Ransomware as a Service (RaaS)?
Ransomware as a Service (RaaS) is Conti attacking numerous healthcare, first responder, and law enforcement agencies in early 2021.
RaaS is Lockbit 2.0 attacking a Bulgarian refugee agency.
RaaS is REvil abusing Kaseya Virtual Systems Administrator (VSA) to attack Managed Security Service Providers.
RaaS, though illegal, is a valid and highly efficient business model, similar to the Software-as-a-Service (SaaS) model. Ransomware operators create ransomware attacks, then customers, or affiliates, can buy those services and launch the attacks. RaaS syndicates may offer different tiers of services, including technical support, bundles, and community forums.
How the RaaS model operates
Because it is a business model, the success of affiliates plays a part in the sales strategy. The better affiliates perform, the better chance they have of being noticed by other groups for future sales and engagement opportunities.
One aspect of attempting to increase market performance is Big Game Hunting (BGH). In scoping out ransomware victims, one target has been large organizations whose industries include Healthcare, Manufacturing, Managed Services, Media, and Government agencies.
While BGH seems intuitive (low effort, enormous payoff), there has been a decrease in its activity recently. This drop-off is most likely due to US authorities focusing on protecting those industries and successfully combatting ransomware activities (e.g., retrieving some of the ransom paid by Colonial Pipeline). Due to the increased investigation, RaaS has moved more toward mid-sized industries, but is still highly successful.
Why the success? Like the old saying goes: “Why did I rob the bank? Because that’s where the money is.” From 2013 to 2019, ransomware brought in over $144 million for criminals. In 2020 alone, ransomware groups extorted $692 million. RaaS not only works, but it is lucrative and demonstrates exponential growth.
Preventing RaaS attacks
There are many ways to protect oneself from RaaS attacks. Here are some common and proven approaches for data defense:
Zero Trust
No product or suite of tools that achieves this, but Zero Trust (ZT) is a mindset. ZT can be used as a hanger from which all other security controls hang.
Phishing training
This can be purchased, obtained for free (e.g., Cofense), or created in-house (e.g., using Moodle). There are numerous options for protecting Layer 8.
Identity and Access Management (IAM)
Being able to set granular controls to ensure only the proper individuals access the proper resources is a key component of attack prevention. This includes monitoring, logging, alerting anomalous activity, and denying suspicious logins.
Two-factor/Multi-factor Authentication
MFA and 2FA get bad publicity at times because they can be circumvented. In truth, any security can be circumvented given the right resources (knowledge, software, access, etc.), but that shouldn’t keep anyone from implementing layered security. The percentage of attacks stopped by 2FA/MFA varies, but using it makes theft just that much harder, and for some, the prevention was 100%. MFA is a strong security authentication addition to anyone’s defense strategy.
Backup and restore-ready
There will always be a debate about the best way to back up data (tape, cloud, hybrid, local, scheduled, real-time, etc.; and all dependent on one’s resources), but there's no doubt about the need to back up data and to ensure it can be restored. While even the restoration strategy can be debated (e.g., 3-2-1, incremental, differential), being able to restore slowly is better than not at all.
Education on the ransomware ecosystem
While RaaS is a huge industry, it’s also run by people, and people can be turncoats. One example is to being aware of events such as the Conti Leaks. Like the "Panama Papers", the Conti Leaks, leaked by a disgruntled former Conti employee, provide the inner workings of one of the most successful ransomware groups. This helped the world-at-large better understand RaaS.
Understand the business risk
Keep up with the latest attack trends against your industry. According to the FBI’s 2021 IC3 Report, Conti (though not in business anymore, at least by that name) often targeted manufacturing, commercial facilities, and Food/Agriculture; Lockbit 2.0 has focused its efforts on government facilities, healthcare, and financial services; and REvil targeted financial services, IT, and healthcare. Knowing where attacks may come from puts organizations in a better position to be on the lookout for IoCs.
If compromised, don’t pay the ransom
This might not seem like a tactic for prevention or protection, but it’s a longer-term approach. Paying may seem like a valid option, but in the long run, it has a couple of negative results:
- Discourages proper security
A similar attitude prevails when consumers rely on payment card providers to return money lost in fraudulent transactions while simultaneously not setting relevant account alerts, not using good passwords, or setting other controls (such as 2FA) on their accounts, which could have prevented the theft to begin with. There’s a financial burden placed on others or displaced to the future.
- Encourages crime
Not only do the criminals end up getting their money, but they also realize who they can attack again.
There’s no doubt that RaaS is a tremendous negative force to reckon with, but there are also good forces out there ready to provide the right resources to protect individuals and organizations. With the right people, processes, and technology, data defense is realistic and feasible.