Ransomware as a service: A successful business model

Posted On: October 12 , 2023
Written By: Saif Bhoja

As Ransomware groups continue to grow, they become increasingly sophisticated and organised, developing help centres for victims to claim their data end even creating job postings on the dark web. It does seem these groups intend to stay rooted within the cyber landscape by integrating business-like strategies.

What is ransomware and how does it impact us?

Ransomware is malicious software deployed by an adversary to block access to integral data or systems until a sum of money is paid.

Fast-forward from the first recorded ransomware attack in 1989, larger scale operations are now in place targeting organisations across the globe. Ransomware has become a lucrative business model for criminal groups as they can extort millions of dollars at a time.

How have ransomware attacks developed?

We are now seeing actors within this sector offering a two-tier supply chain; developers who build ransomware software and buyers of the ransomware kits who carry out the attacks, this is also known as ransomware as a service (RaaS). RaaS offers less skilled attackers to get started quickly and affordably. This indicates there is an interest for solo attackers or small startup groups of attackers wanting to gain a share of the lucrative ransomware market.

A whopping 493.33 million ransomware attempts were detected in 2022. The average cost of a ransomware attack is $1.85 million per incident and by 2031 it is predicted a ransomware attack will occur every two seconds. Ransomware kits are easily accessible and can be purchased for as little as $40.

How sophisticated are these ransomware groups?

RaaS has developed into a full-time business, even offering tier-based subscription models licensing their software to other hackers to broaden their operations and increase profitability. It has even been noted groups are hiring HR personnel to further recruitment efforts, usually even creating job postings on the dark web. To top things off, these groups even have support lines set up for victims to facilitate the payment process, gain access to lost data or answer any queries.

Why does this Matter?

Within this threat landscape we have novice hackers who wish to test their capabilities however, you also have much larger and organised groups such as Lockbit and Black Cat who target large payouts involving high profile companies.

It is observed that ransomware attackers are shifting from larger targets and focusing on smaller organisations with potentially less mature cyber security postures. In H1 2023 57% of victims from the Lockbit hacking group, which included Royal Mail and Taiwan Semiconductors, were organisations that had up to 200 employees. Small businesses also incorporated close to half (45%) of all Black Cat attacks within this same period (Infosecurity Magazine:2023).

With more organisations moving to a cloud-based system, the landscape of vulnerabilities for endpoints/devices is shifting along with it. Cyber teams have adapted to the decentralised nature of the cloud however, unpatched vulnerabilities or misconfiguration continue to be primary targets for ransomware attackers seeking entry points into a network. Additionally, there is a misconception that cloud service providers are responsible for protection of their cloud-based data however this is false. Many cloud service providers highlight in their terms of use that a customer’s data is their responsibility to protect. Storing data in the cloud does not automatically make it safe from ransomware, additional protection is required.

How to Protect Yourself

Recovery of systems or data from a ransomware attack can be difficult and costly, as a result it is best to set up preventative measures. The best way to remain protected is to incorporate a defence in depth (DID) structure. This is a strategy utilising multiple layers of security measures to protect digital assets and information, rather than relying on a single line of defence such as a firewall and anti-virus software. DID recognises that no individual security solution is perfect, it provides redundancy in the event of vulnerabilities or failures.

There are additional measure that can be taken which include:

- Enabling multifactor authentication (MFA) – Credential theft being the apex of attacks adding an extra layer of protection to users and accounts is essential.
- Backing up data – Storing a number of backups and in at least two different file types is advisable. Keeping a copy in an offsite location will limit the impact of systems being locked down.
- Keeping systems updated – It is essential to keep software and applications updated to avoid any existing vulnerabilities being exploited by attackers.
- Verifying emails before opening them – Phishing emails are rampant and are leading causes of infiltration to a network. Organisations should ensure they have strong email protection to detect such emails.
- Following established security frameworks – It is advisable to follow frameworks created by government agencies such as UK National Cyber Security Centre (NCSC).

Conclusion

It is evident that ransomware groups are becoming more sophisticated and have developed an organised approach much like any legitimate business. There is a market for developers to create ransomware software fuelled by a demand for buyers wishing to join the ever-growing tail of hackers emulating larger groups such as Lockbit and Black Cat.

Being classed as a small business does not make an organisation exempt from attacks and trends indicate that this is a growing area of concern. That being said, it is essential for organisations of all sizes to implement stringent policies and include a defence in depth approach to securing their data.