Industries worldwide have been observing a surge in sophisticated and high-impact ransomware attacks in the past few years. Nations across the globe saw an alarming 105% increase in ransomware cyberattacks last year1. A key factor fueling the rise in frequency and severity of ransomware attacks is Ransomware-as-a-Service (RaaS) model, which operates much like SaaS and involves selling or renting ransomware capabilities to buyers, who then launch the attacks.
The RaaS business model makes it easier for attackers to run a fully functional and independent ecosystem of organized ransomware attacks with minimal technical skills and knowledge. This in turn has facilitated ransomware to spread quickly to more targets over the years. Gone are the days when a hacker behind a ransomware attack used to be a person with advanced skills and technical knowledge of IT infrastructure and programming. The RaaS model allows anyone to subscribe to such services that facilitate the usage of ransomware for targeted attacks on any organization. As a subscription-based model, RaaS also provides users with tools and software to execute such attacks with high-paying rewards that are collectively distributed among all the players involved.
Key actors in Ransomware-as-a-Service model
RaaS has developed to become a well-oiled business model. It is user-friendly, easy to adapt and requires minimal expertise. It is extremely convenient to reach out to respective groups, gain access and launch attacks at the click of a button. But a mature business model like this cannot just run on its own, there are many players involved that help in successful execution of such attacks. A few major ones are listed below:
- Access Broker: As one of the initial steps, the access broker scans the client environment and searches for organizations that may have vulnerable devices or servers exposed to the internet. For example, RDP-enabled machines which are publicly exposed are constantly exploited by the ransomware gangs. Once they spot such vulnerabilities, they gain access, compromise them, and leave a backdoor by getting inside the network. Access brokers then publicly advertise this network access on dark net to sell this information to affiliate groups.
- RaaS Affiliation: The affiliate group receives access to the RaaS platform and tools as well as the information about the organization’s vulnerabilities to launch the attack. The RaaS affiliation is responsible for tasks such as the lateral movement in the network, privilege escalation, and ransomware deployment. These groups then exfiltrate the data from the organization’s network and run the ransomware payload.
- RaaS Operator: The operator is responsible for keeping the RaaS platform up and running by developing and maintaining tools and automation and hosting the website for consumption by ransomware groups. Ransomware operators are the owners of malware source code and are also responsible for other tasks such as recruiting affiliates, setting up the payment portal, assisting in negotiations and managing a dedicated leaked site.
Top RaaS operators and their core tactics
The past few years have seen a shift towards the RaaS business model with high success rates and new groups being created every day. The number of RaaS and extortion groups grew by 63.2% in the first quarter of 2022 over the same period the previous year2. (Read our earlier blog for more details on Ransomware gangs) Some of the top ransomware operators and their core tactics are listed below:
- REvil: Also known as Sodinokibi, REvil is a ransomware gang that typically operates on a RaaS business model by recruiting affiliates that distribute ransomware on its behalf. The financially motivated ransomware group is infamous for demanding high ransom payments and conducting several high-profile attacks. REvil generally gains access to the networks by exploiting the web and software vulnerabilities or by sending phishing emails. It also takes advantage of data readily available through other leaks to gain unauthorized access. For instance, in one of the most popular attacks on Kaseya software provider, REvil targeted a vulnerability in its remote computer management tools to launch the attack. The ransomware attack infected over a million devices and the group agreed to offer a universal decryption key for a ransom payment of $70 million in Bitcoin.
- LockBit: LockBit is another cybercriminal gang that operates on RaaS model, one that has evolved over the years. After compromising a single host, LockBit scans the whole network to infect other accessible devices. The double extortion model used by LockBit locates and exfiltrates data before encrypting which gives the group an upper hand while negotiating with the organizations. In such cases, the sensitive data can get published publicly even if the organizations try to restore data from backup and refuse to pay the ransom. LockBit’s new and evolved versions include automatic encryption of devices across the domains along with recruiting insider threats from within the targeted organizations. These tactics have been attempted by LockBit against organizations in Chile, Taiwan, and the UK.
- DarkSide: A relatively new player in the RaaS business, DarkSide is quite organized and professional in running their model with facilities such as a contact number or a help desk for negotiations with victims. The group claims to target only large and high-profit organizations through their attacks. Before deploying the ransomware, the group tries to infiltrate and move laterally across the organization’s network to steal credentials, uninstall security and backup software programs, and terminate the processes to gain access to user files. DarkSide mainly targets Domain Controller (DC) to carry out a fully developed attack operation which puts the whole network environment at risk. For instance, in the DarkSide’s most significant attack – the Colonial Pipeline hack, the RaaS group took control of the IT network and disabled several systems that temporarily shut down the pipeline operations.
Other prevalent ransomware operators that have been highly active for the past few years include Conti and BlackCat. Conti, through one of its most effective and aggressive Ransomware operations, was able to hack more than 40 organizations within a month’s period. Its most famous operations include attacks on the City of Tulsa network, Ireland Health Services, and the ransomware data leak during the recent Ukraine invasion. BlackCat on the other hand is infamous for using the unconventional ‘Rust’ programming language to stabilize the code and target Windows and Linux devices. The RaaS was responsible for attacks on OilTanking GmbH and two major universities in the US.
Common vulnerabilities exploited by RaaS attack
The frequency of RaaS attacks shows no signs of slowing down. In the coming years, with the advancements in technology, it will become easier for RaaS platforms to execute more successful and targeted attacks. A recently published joint report from Cyber Security Works, Securin, Cyware, and Ivanti notes that the number of vulnerabilities associated with ransomware attacks has grown to 310 in the first quarter of 20223. It is therefore essential for organizations to stay on alert and take proactive measures to avoid losing critical data, customers’ trust, and millions of dollars to ransomware attacks. Some of the common vulnerabilities exploited by ransomware attackers are listed below:
- User and access: Phishing email with malicious links is one of the most common tactics used by ransomware groups to gain initial access into the organization’s network. Other vulnerabilities such as recycled passwords, dictionary passwords, unprotected personal devices, outdated anti-virus or use of public internet can work as bait for ransomware attackers. Lack of awareness about what a threat looks like can lead to employees falling prey to attacker’s tactics and downloading malicious files which could lead to a quick spread of ransomware in the network environment.
- Network: Open ports, weak network policies, configuration errors, unpatched servers, excessive admin privileges, out-of-date security certificates, and end-of-life hardware are critical network-level vulnerabilities that can throw open the door to ransomware actors. Many organizations fail to deploy strong defense mechanisms like robust endpoint protection and threat detection measures that are necessary to block cyberattacks.
- Operating system: Outdated software or unpatched operating systems (OS) are an easy target for cybercriminals. Irregular updates to software, SQL injection and malicious software can result in open vulnerabilities that are quickly discovered by attackers. Using decades old hardware systems that are no longer supported for updates also contributes to the rapid spread of attacks.
How to Protect Your Organization from Ransomware
To strengthen the security defenses and safeguard the network environment from disruptive ransomware attacks, regular audits of the systems and proactive detection and analysis are among the key measures for any organization. Maintaining a defense-in-depth security program, undertaking ransomware readiness assessment, conducting ransomware simulation, and performing frequent backups of critical data are some of the best practices that can help fend off ransomware attacks. Proper training and awareness programs for employees are also necessary to improve their preparedness to detect and respond to attacks.
SISA’s Ransomware Prevention Services use a two-pronged approach of continuous improvement and learning to help organizations prevent ransomware attacks. These include Ransomware Prevention Learning Sessions to spread awareness, Ransomware Prevention Audits to assess security gaps and Ransomware Simulation Exercise to test the security defenses.