Cyber Attackers Market RaaS: Ransomware-as-a-Service

Many cyber attacks are not the work of loners in dark rooms. Rather, some APT groups see themselves as businesses that no longer carry out attacks themselves, but only sell their services and technology and collect substantial payments for them. That makes money and reduces risk. Here is a brief explanation of how RaaS (Ransomware-as-a-Service) works.

In IT, products are now primarily offered as services, such as Platform-as-a-Service (PaaS) or Infrastructure-as-a-Service (IaaS). These consist of a large number of sub-services, which in turn are supplied by different providers in a professionalized division of labor. It is a successful concept that cyber criminals also take advantage of. Different attacker groups deliver the individual parts of the entire end-to-end ransomware service. These ransomware service building blocks are well documented and can easily be purchased at different quality levels.

Ransomware-as-a-Service business model

Ransomware-as-a-Service (RaaS) has developed into a real business model with highly professional actors in recent years, not least because the possible attack surface for cybercriminals has increased significantly. It is estimated that in 2020, 64% of all ransomware attacks were carried out using the RaaS approach.

With the boom in remote work and home office, the number of devices used outside the protected company perimeter also increased. In addition, the shift to cloud-based services and infrastructures is making IT landscapes more complex and therefore more difficult to secure. Attackers only need to find a single vulnerability; organizations need to cover all eventualities and keep up with the latest attack strategies.

RaaS is a professional business

“The RaaS business has become extremely professional in recent years: The criminal providers supply a wide variety of attack tools and individual attack steps as services and attach great importance to service. The tools are offered along with how-to guides for conducting attacks, best practices, ransomware strategies, and even an IT helpdesk,” explains Dr. Sebastian Schmerl, Director Security Services EMEA at Arctic Wolf. “RaaS often offers exactly the kind of documentation and architecture that one would expect from mainstream SaaS offerings, and is a far cry from pop culture's portrayal of the stereotypical, hoodie-wearing loner.”

As in the SaaS industry, there are also different pricing strategies for RaaS providers. Some offer their attack services as a one-time purchase, others through subscriptions, and still others use a combination of subscription and a share of the ransom fee paid to the developer after a successful attack. In the latter case, providers are quite picky and only work with customers who have a certain track record. An initial profitability check is therefore carried out.

Why is RaaS so successful?

Cryptocurrencies are a critical factor in the success of RaaS. Because currencies like Bitcoin and Monero are difficult to trace, they lend themselves well to RaaS payments and ransom demands. In addition, cryptocurrencies are relatively easy to convert into “clean money”, which makes them attractive to malicious actors looking for a quick profit.

To put it simply: RaaS is so successful because ransomware is a powerful means of pressure. The keyword here is "double extortion": encryption of IT systems combined with the threat of data disclosure. In addition, when data is stolen or locked, companies often do not know what to do. They often think that paying the ransom is the only option, although the LKA, BKA and BSI strongly advise companies not to pay.

Not only is the use of ransomware an effective attack strategy, RaaS services are also comparatively easy to access, use and adapt. Attackers often use a ransomware platform to manage victims and their statuses, and continuously develop this platform and the individual attack engines. This allows them to easily add new features that make the platform even more “scalable and productive.” Some attacker groups also cooperate in processing victims and share attack engine code.

This is how companies can protect themselves

Although the attackers are organized and highly professional, companies can protect themselves against ransomware attacks. The most important factor in defending against cyber threats is a proactive approach with preventive measures:

  • Establishing a security mindset or a security-conscious corporate culture: This begins with education about cyber hygiene and the realization that security is not a state of affairs, but a continuous process. As threats change, threat intelligence should be leveraged to adjust defense strategies and security information resources.
  • Employee training to build awareness of the threats and how to spot phishing scams and other red flags. This is particularly important as social engineering attacks are aimed directly at employees.
  • Exploit all possibilities to increase data security, for example through more frequent backups. Backups should be stored in separate management areas so that they are not endangered together with the actively used data (air-gapped solution).
  • Regular patching of systems, as RaaS attackers often exploit known vulnerabilities and configuration errors.
  • Extensive security monitoring to quickly identify cyber attacks and take appropriate action. Detection and Response is also offered as a Managed Detection and Response (MDR) service by providers such as Arctic Wolf.
More at ArcticWolf.com

 


About Arctic Wolf

Arctic Wolf is a global leader in security operations, providing the first cloud-native security operations platform to mitigate cyber risk. Based on threat telemetry spanning endpoint, network and cloud sources, the Arctic Wolf® Security Operations Cloud analyzes more than 1.6 trillion security events per week worldwide. It provides company-critical insights into almost all security use cases and optimizes customers' heterogeneous security solutions. The Arctic Wolf platform is used by more than 2,000 customers worldwide. It provides automated threat detection and response, enabling organizations of all sizes to set up world-class security operations at the push of a button.


 
