The “as a service” business model has gained widespread popularity as growing cloud adoption has made it possible for people to access important services through third-party providers. Given the convenience and agility of service offerings, perhaps it shouldn’t be surprising that the “as a service” model has been harnessed by cybercriminals.
Four common Ransomware as a Service (RaaS) revenue models:
- Monthly subscription for a flat fee
- Affiliate programs, which are the same as a monthly fee model but with a percent of the profits (typically 20–30%) going to the ransomware developer
- One-time license fee with no profit sharing
- Pure profit sharing
Operators run marketing campaigns and build look-alike websites that spoof any organization's campaigns and sites. Total ransomware revenues are around $20 billion and growing every year.
RaaS gives cybercriminals the opportunity to buy and sell access to dark web tools, such as ransomware payloads and leaked data, packaged as RaaS kits. Examples of these dangerous kits include Locky, Goliath, Shark, Stampado, Encryptor, and Jokeroo. When an operation is exposed, RaaS operators can shut down, reorganize, and resurface in the cyberworld with new and improved ransomware variants.
Human-operated ransomware is hands-on: cybercriminals actively direct the intrusion and make decisions at every stage of the attack. It can destroy organizations because it is fueled by stolen data. Malware attack infrastructure is also sold on the dark web as part of RaaS kits, which are marketed much like legitimate software, with customer service support, bundled offers, and user review forums, before being deployed in company environments.
By exploiting common configuration errors in software and devices, cybercriminals gain a foothold. Companies can practice good cyber hygiene through timely patching, credential hygiene, and in-depth review of any changes to software and system settings and configurations. A further challenge arises when cybercriminals skip the ransomware payload altogether and simply exfiltrate company data, then demand a high price for it.
Companies have to remain vigilant in their threat-hunting efforts to catch any sign of ransomware payloads early and prevent successful breaches and the extortion that follows. Cybercriminals love RaaS because of how easily it lets them take advantage of lax security.
Cybercrimes including ransomware, business email compromise schemes, and the criminal use of cryptocurrency can ruin any business. America’s losses totaled $6.9 billion in 2021, according to the FBI’s 2021 Internet Crime Report. Stolen company data can also contain employees’ personal information.
Why cybercriminals love RaaS
- Lowered entry barriers
- Minimal technical expertise needed to deploy ransomware
- Easily concealed identities
- Only requires a laptop, credit card, and access to the dark web
- Abundance of work in the RaaS gig economy
Ransomware is an ever-evolving threat. Up to 43 trillion threat signals are analyzed every day. The cyber intelligence community, made up of threat hunters, forensic investigators, malware engineers, and researchers, specializes in areas such as vulnerabilities, threat actors, ransomware, supply chain risk, social engineering, and geopolitical issues.
Intelligence is gathered on attacker behaviors, tactics, tools, and techniques to gauge the end-to-end scope of attacks and operations. Organizations, especially when they are just starting out, can struggle to keep cybersecurity top of mind. Until an organization has been threatened or extorted, it may have carried out zero security reviews or intelligence gathering to protect employees, customers, and partners.
How to protect companies
Any security vulnerabilities become a welcome mat for cybercriminals. The solution is integrated threat protection across devices, identities, apps, email, data, and the cloud.
Here are the three major strategies to block RaaS attacks:
- Have a defense and recovery plan. Companies must adopt a Zero Trust approach, which means fully authenticating, authorizing, and encrypting every access request. In addition to screening access, a Zero Trust approach secures your backups and protects your data.
- Protect all identities. Network credentials should be almost impossible to obtain. Once inside, cybercriminals move laterally to evade detection while combing through company data for assets to exfiltrate or destroy.
- Prevent, detect, and respond to threats. Focus on comprehensive prevention, detection, and response capabilities with integrated security information and event management (SIEM) and extended detection and response (XDR). Understand typical attack vectors, including remote access, email, work channels, endpoints, and all accounts.
Focus should not only be on outside-in protection. Practice good cyber hygiene with guarded data security, information protection, and insider risk management.
Invest in up-to-date endpoint protection whose detection algorithms run continuously in the background. Perform regular daily or weekly backups and store them on separate devices in different locations. Also, test backups regularly to confirm they can actually be restored.
If you have not already done so, create and maintain a rigorous patch program. Invest in advanced anti-phishing protection and user training.
Last but not least, make employees accountable for their part in building a culture of security. This includes regularly updating passwords, not visiting outside websites during working hours, and attending regular webinars on cybersecurity.
ThriveDX understands the threats present in the cyberworld. Learn how you can be part of the solution and the future of cybersecurity today by checking out the classes you need to upskill and empower your world.