Ransomware-as-a-Service: Bad Guys and their RaaS Service


“As-a-Service” offerings can be found everywhere in IT. Cyber criminals have also adopted this service idea and have been offering ransomware-as-a-service, RaaS for short, for some time now. This means that less sophisticated attackers can also carry out ransomware attacks, and as a result the number of attacks is rising sharply. An analysis by Arctic Wolf.

As a study by the digital association Bitkom e.V. shows, 88 percent of all companies were affected by ransomware attacks in 2020/21. The boom in remote work, home office, cloudification and networked IoT devices is playing into the hands of the attackers, as these trends enlarge the attack surface and open new entry points.

In such attacks, the cyber criminals break into corporate systems and steal and/or encrypt certain information. A ransom is then demanded for the data to be decrypted again. In addition to the considerable financial damage caused by the payment or by the recovery process, such attacks can also lead to enormous reputational damage. A majority of these attacks (an estimated 64 percent) are already carried out using the RaaS method – and the trend is rising.

A Service from the Dark Side

In the case of RaaS offerings, ransomware groups such as Conti, REvil or RagnarLocker and their splinter groups and successors provide the appropriate tools or platforms as well as supplementary services such as instructions, best practices and even an IT helpdesk. Although the group names change frequently, the actual actors often remain the same. They act in a highly professional manner and have nothing to do with the common hacker cliché of the hoodie-wearing lone wolf. In fact, they can hardly be distinguished from legitimate companies: they have their own human resources department, bonus programs and awards for “Employee of the Month”, as a recent hack showed.

Cyber gangsters with a corporate structure

The services can usually be found via the deep or dark web. The providers sometimes differ greatly in what they offer. Just as with legitimate service providers, the RaaS gangs offer everything a (criminal) heart desires, from the one-off purchase of ransomware to a subscription model. The providers also offer different pricing strategies – from a single payment upon purchase to leasing models and a share of the ransom.

Cryptocurrencies such as Bitcoin, Monero and others are a key success factor for RaaS attacks, as they are difficult to trace and can be “laundered” comparatively easily. As such, they are well suited for RaaS payments and ransom demands, and it is unlikely that the recent decline in cryptocurrency prices will change much. Falling prices are simply compensated for in the negotiation phase with the victim.

What to do when things get serious?

The encryption of the systems and the threat of publishing the captured data, such as customer information, product details and financial data, can threaten the very existence of companies. This is what makes RaaS so attractive and makes ransomware an incredibly powerful bargaining chip in the hands of cybercriminals. If a ransomware attack has been successful, many companies are at a loss at first. Desperate and helpless, they often see no other choice than to meet the ransom demand – although the LKA, BKA and BSI strictly advise against it, so as not to additionally finance organized crime and create motivation for further crimes. But how should companies react?

After the attack, calm is essential

Dr. Sebastian Schmerl, Director Security Services EMEA, Arctic Wolf

First of all, keep calm! The acute attack is not the right time to assign blame. Rather, it is now time to work together and not act hastily. The relevant authorities should be informed immediately (they are also available to provide advice). If a company already has a contingency plan in place, it should be followed. The next step is to analyze and assess the situation and then to initiate the necessary countermeasures. If internal resources and expertise are lacking in this exceptional situation, companies can also fall back on the professional help of external security service providers such as Arctic Wolf.

  • The first step is to clarify the current situation. This means implementing incident response measures to stop the incident from spreading further.
  • Once the status quo has been clarified, the extent of the damage and the recovery options must be determined. Which backups are still available and need to be taken offline? Which services are affected, which data is encrypted, and what recovery actions need to be taken?
  • Once these questions have been answered, the third step is to gather threat intelligence, i.e. all information about the attackers, the malware used and similar incidents.
  • In the fourth step, the business case is set up – should the ransom demand be met or not? All aspects should be weighed up very carefully: the company's capital, possible reputational damage, lawsuits, etc.
  • In the fifth and final step, we get down to business: the negotiations with the cyber criminals. There are two points to note here: negotiations are being conducted with criminals, i.e. there are no guarantees. Nevertheless, politeness is required in order not to antagonize the other side unnecessarily.

Ransomware: Prevention is better than cure

Regardless of whether the ransom was paid or not, the case should be worked through thoroughly in order to put the company in a better position for the future. After the attack, all systems should therefore first be carefully scanned and cleaned, and the credentials of all users should be reset. In addition, intensive threat hunting and monitoring of the public, deep and dark web should follow to verify that no data has actually been published.

Last but not least: better safe than sorry! “The best protection against ransomware attacks is good preparation. Security gaps and system weaknesses should be closed with regular patches, and comprehensive security monitoring should be carried out. As is so often the case, the biggest weakness is the human factor. The most important measure is therefore to train employees regularly and thus establish a security mindset in the company. If the company lacks the necessary internal resources for this, it can turn to trustworthy security experts – such as Arctic Wolf – who support it in implementing these security measures. If all of this is taken into account, the company is well prepared for an emergency,” says Dr. Sebastian Schmerl, Director Security Services EMEA, Arctic Wolf.

More at ArcticWolf.com

About Arctic Wolf

Arctic Wolf is a global leader in security operations, providing the first cloud-native security operations platform to mitigate cyber risk. Based on threat telemetry spanning endpoint, network and cloud sources, the Arctic Wolf® Security Operations Cloud analyzes more than 1.6 trillion security events per week worldwide. It provides company-critical insights into almost all security use cases and optimizes customers' heterogeneous security solutions. The Arctic Wolf platform is used by more than 2,000 customers worldwide. It provides automated threat detection and response, enabling organizations of all sizes to set up world-class security operations at the push of a button.
