New threat on the block: Ransomware-as-a-Service

Published: 12th December 2022 | In: Insights

The risks of ransomware have been well publicised in the last few years, but cyber security analysts around the world have recently seen this type of attack evolve into Ransomware-as-a-Service (RaaS), a more industrialised business model that is worth understanding if you’re responsible for security in any industry.

Ransomware groups are understood to use two methods of operation: direct attack or RaaS. The latter has increased the risks for organisations trying to defend themselves because a greater number of threat actors now potentially have access to the tools they need to infiltrate IT networks. Even relatively low-skilled groups or individuals can get their hands on malicious software and direct it at whichever organisations they wish.

The three stages of a RaaS cyber-attack

If you read our blog about the brief history of ransomware, you’ll know that RaaS basically breaks down the traditional model of a ransomware process into three modules:

  1. The first group finds a way to breach or compromise an organisation.
  2. The second develops the tools and software to break in.
  3. The third carries out the infiltration, steals and/or encrypts any data and demands payment.

Each group pays fees for any services they buy from other groups and/or splits the money they make from the organisations they attack. The model spreads the workload, the risks involved and any financial rewards. There’s no new sophisticated technology here; it’s simply a different way that threat actors are working together as they amend their tactics, techniques and procedures (TTPs).

A new criminal business model

RaaS is a much more industrialised set-up that some observers have even described as a whole new cybercriminal business model. Now that criminal groups specialise in a single area rather than attempt to manage all the stages themselves, they can invest their energy and time into mastering one specific act of the whole crime.

But it also means that less skilled groups and those without much experience can simply purchase ready-made tools from other groups and apply them to their chosen targets. Whereas ransomware used to be opportunistic, RaaS has enabled gangs to be more precise with their campaigns.

And because it has lowered the barrier to entry, it has also potentially opened up opportunities for people with other agendas. Say, for example, that someone holds a deep grudge against an organisation and wants to inflict harm on them and perhaps extort money at the same time. Now they can buy the specific tools and services they need and try to conduct the final part of the cyber-attack themselves. However, the majority of evidence points at these crimes being committed by people looking for quick and easy profits.

Harder to trace the tracks of a threat actor

The nature of the RaaS model also makes it more difficult to identify the unique signatures that cybercriminals leave behind for digital forensics teams to find. The hallmarks found following a RaaS cyber-attack will be blurred by up to three different sets of ‘fingerprints’ at the crime scene instead of the one set that would have previously provided evidence of a single group.

Microsoft, which invests more than $1 billion into cyber security every year and tracks scores of unique ransomware families and hundreds of unique threat actors, has even gone so far as to say that RaaS has ‘redefined our understanding of ransomware incidents’.

That said, RaaS is still fairly new and, as with almost everything in cyber security, it’s continually evolving, so we’re bound to see new developments unfold in the coming months and years. Time will tell whether RaaS will eventually prove to be the dominant modus operandi for all cybercriminal groups or whether it will only be a temporary trend that, for as yet unknown reasons, fails to remain effective in the longer term.

Cyber security is a risk management challenge

All this might be interesting if your job is to help defend your organisation, but RaaS really shouldn’t be anything more to worry about than usual. At its heart, cyber security isn’t really a technology problem. It’s a risk management problem, and one that involves people using technology, building partnerships and communicating to resolve the problem together.

The fundamental risk management practices that can be applied to cyber security will help to minimise the chances of a RaaS cyber-attack: good cyber hygiene, cyber security awareness training, offensive security, a strong Security Operations Centre (SOC) and the capability to protect the growing number of components of the whole IT ecosystem.

Criminals always want to take the easiest route to make a quick profit, so it’s worth the effort to make it as difficult as possible for them, and to ensure that the new cybercrime economy does not pay.

Learn more about ransomware and what you can do about it

To find out more about ransomware trends, who the main ransomware groups are and whom they are targeting, take a look at our recently published related blog, ‘New ransomware extortion tactics emerge’.