Ransomware as a Service

The new age of cybercrime – Ransomware as a Service

In March 2021, it was revealed that the University of Colorado and the University of Miami were targets of a ransomware attack by a group called Clop. They stole such data as students’ grades, social security numbers, and patient information. They were able to do this by breaching the servers of a third-party provider – Accellion FTA. Clop then demanded $10 million in Bitcoin under the threat of publicizing the stolen data.

Unfortunately, Clop acted on its threat and soon started to release screenshots of some of the stolen data from both organizations, trying to further increase the pressure to pay the ransom.

In recent years, ransomware attacks have become more frequent and vicious. While there are a number of reasons for that, one of them is the advancement of a new type of criminal service – Ransomware as a Service.

Here we go through what it is, how it works, and how to protect your organization against it.

What is Ransomware as a Service (RaaS)?

Ransomware is a type of malware. It contains malicious code that takes control of a victim’s data and encrypts it. The attacker then threatens to either delete or expose the stolen data unless a ransom is paid.

The laws of supply and demand apply to the cybercriminal market as well. Ransomware developers can sell or lease their ransomware variants to criminals who can then use the purchased product to target specific organizations and launch an attack. This is called Ransomware as a Service (RaaS) – modeled after Software as a Service.

This model benefits criminals who do not have the technical knowledge and skill required to code malware. With a few clicks on a dark web marketplace, customers can purchase their desired malware, get connected to the developer, and then organize joint ransomware attacks. RaaS models are commonly based on monthly subscriptions, affiliate schemes, pure profit sharing, etc. Ransomware developers even run advertisements and campaigns, and many of their subscriptions offer features that mirror those that are seen in legitimate organizations.

How does RaaS work?

Ransomware developers write custom exploit code that is transferred to a ransomware affiliate. The affiliate updates the hosting site with the exploit code and finds a way to attack the target; the most common way of doing this is through phishing e-mails. If the victim clicks on the malicious link, the ransomware is downloaded and spreads through the systems, often dismantling firewalls and getting past antivirus software. The ransomware encrypts the data, moves on to other systems connected to the main one, changes settings and deletes backups – all while the victim is completely unaware. A ransom note is then sent to the victim stating the amount to be paid and a deadline, under the threat of selling, deleting, or publicizing the stolen data.

To avoid getting traced, cybercriminals typically instruct their victims to pay in cryptocurrency. The money is then moved multiple times by a money launderer to conceal the identities of the affiliate and the ransomware developer. The decryption code may be sent to the victim by the ransomware affiliate after the payment has been made, but there is never a guarantee of this. In some cases, additional payment demands can be made, and even after fulfilling those, the victim may not receive the decryption key.
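The behaviours described above (a burst of files being renamed to a new extension across many folders, a ransom note appearing, and backups being deleted) are exactly what a defender should be looking for in file-activity telemetry. The following is an added example, not code from the original article or from Gamma Defense: a small rule-based detector run over constructed newline-delimited JSON events. The log format, the thresholds, the `/backups/` prefix and the sample events are all assumptions; in practice the events would come from an EDR or file-audit source, and the alerts would be forwarded to a SIEM.

```python
"""Detect ransomware-like file activity in constructed file-event logs.

Added example, not code from the original article or from Gamma Defense.
The event schema, thresholds and sample lines below are constructed
for illustration only.
"""
import json
from collections import defaultdict

# Constructed sample events: pid 4242 renames many files to ".locked"
# across several directories, drops a ransom note and deletes a backup;
# pid 9001 does ordinary work and must not trigger anything.
SAMPLE_LOG = """
{"ts": 100, "pid": 4242, "op": "rename", "path": "/srv/share/finance/q1.xlsx", "new_path": "/srv/share/finance/q1.xlsx.locked"}
{"ts": 101, "pid": 4242, "op": "rename", "path": "/srv/share/finance/q2.xlsx", "new_path": "/srv/share/finance/q2.xlsx.locked"}
{"ts": 102, "pid": 4242, "op": "rename", "path": "/srv/share/hr/payroll.docx", "new_path": "/srv/share/hr/payroll.docx.locked"}
{"ts": 103, "pid": 4242, "op": "rename", "path": "/srv/share/hr/contracts.pdf", "new_path": "/srv/share/hr/contracts.pdf.locked"}
{"ts": 104, "pid": 4242, "op": "rename", "path": "/srv/share/legal/nda.pdf", "new_path": "/srv/share/legal/nda.pdf.locked"}
{"ts": 105, "pid": 4242, "op": "create", "path": "/srv/share/legal/README_TO_RESTORE.txt"}
{"ts": 106, "pid": 4242, "op": "delete", "path": "/backups/nightly/2021-03-01.tar"}
{"ts": 107, "pid": 9001, "op": "write",  "path": "/home/alice/notes.txt"}
{"ts": 300, "pid": 9001, "op": "rename", "path": "/home/alice/draft.docx", "new_path": "/home/alice/final.docx"}
"""

WINDOW_SECONDS = 60      # correlation window for a rename burst (assumed)
RENAME_THRESHOLD = 4     # renames to the same new extension inside the window
MIN_DIRECTORIES = 2      # the burst must span at least this many directories
BACKUP_PREFIXES = ("/backups/",)          # assumed location of backups
NOTE_MARKERS = ("restore", "decrypt")     # words typical of ransom-note filenames


def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def new_extension(event):
    """Extension appended by a rename (e.g. '.locked'), or None if none was appended."""
    old, new = event["path"], event.get("new_path", "")
    if new.startswith(old) and len(new) > len(old):
        return new[len(old):]
    return None


def detect(events):
    """Return (pid, rule, detail) alerts for the three behaviours, in time order."""
    alerts = []
    renames = defaultdict(list)  # (pid, ext) -> [(ts, directory), ...]
    for ev in sorted(events, key=lambda e: e["ts"]):
        pid, op, path = ev["pid"], ev["op"], ev["path"]
        if op == "rename":
            ext = new_extension(ev)
            if ext:
                bucket = renames[(pid, ext)]
                bucket.append((ev["ts"], path.rsplit("/", 1)[0]))
                # Drop renames that have aged out of the correlation window.
                bucket[:] = [b for b in bucket if ev["ts"] - b[0] <= WINDOW_SECONDS]
                dirs = {d for _, d in bucket}
                if len(bucket) >= RENAME_THRESHOLD and len(dirs) >= MIN_DIRECTORIES:
                    alerts.append((pid, "mass_rename",
                                   f"{len(bucket)} files -> *{ext} across {len(dirs)} dirs"))
                    bucket.clear()  # one alert per burst, then start counting again
        elif op == "create" and any(m in path.lower() for m in NOTE_MARKERS):
            alerts.append((pid, "ransom_note", path))
        elif op == "delete" and path.startswith(BACKUP_PREFIXES):
            alerts.append((pid, "backup_delete", path))
    return alerts


def suspicious_pids(events):
    """PIDs that trigger more than one distinct rule: candidates for isolation."""
    rules = defaultdict(set)
    for pid, rule, _ in detect(events):
        rules[pid].add(rule)
    return sorted(pid for pid, r in rules.items() if len(r) > 1)


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    for alert in detect(events):
        print(alert)
    print("isolate:", suspicious_pids(events))
```

Each rule on its own produces false positives (a bulk archiving job renames files, users create documents with "restore" in the name), which is why `suspicious_pids` only nominates a process for isolation when several independent behaviours coincide; a SIEM correlation rule would do the same across hosts.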

How to protect your organization against ransomware attacks

  1. Educate your employees on the dangers of social engineering as well as the ways in which their online behavior could lead to security breaches.
  2. Have a strong system and hierarchy of user access. Be very cautious about who you give administrative rights to, as those users have the highest level of access to your network.
  3. Install powerful anti-virus and anti-malware software and keep it up to date. Such software is now often classified as “endpoint security” – an approach to the security of computer networks that are remotely bridged to client devices. It is increasingly being encompassed by endpoint detection and response solutions, which, in addition to covering both functions, also detect host intrusions, set up personal firewalls, and more.
  4. Regularly audit your system for vulnerabilities.
  5. Encrypt your data. Furthermore, develop and implement a data security policy. When approached systematically, it will allow you to identify the types of data your organization stores, whether that data should be stored, which staff members should have which type of access level, evaluate which specific data requires encryption, and implement measures to wipe specific records clean in compliance with relevant regulations – the GDPR, for example.
  6. Consider moving data storage from your local systems to secure cloud storage.
  7. Regularly conduct sensitive data scans to ensure that PII is not being stored in a non-compliant manner.
  8. Use monitoring solutions to regularly check whether your organization’s credentials are spotted on any marketplaces.
  9. Deploy file integrity monitoring and change detection solutions, which will constantly monitor your files for any changes, helping you identify files that may have been corrupted or otherwise tampered with.
  10. Design a strong backup system. Offline backups that are disconnected from your network are the safest way to maintain access to data and not risk having it accessed by attackers. Depending on the size of your data, though, offline backup may not always be a feasible option.
  11. Set up security information and event management (SIEM) and security orchestration, automation and response (SOAR) systems, which will alert you to verified threats and automatically trigger response actions.
  12. Make sure you have a security operations center (SOC) or managed detection and response (MDR) team in place that will respond swiftly and effectively to incoming threats.
  13. Purchase cyber insurance, which will cover your organization’s liability in the event of a data breach.
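Item 9 above recommends file integrity monitoring and change detection. The following is an added example, not code from the original article or from Gamma Defense, showing the core of such a tool: a baseline of SHA-256 digests is recorded for a directory tree, a later scan is compared against it, and every added, removed or modified file is reported. Because ransomware that can overwrite data could also overwrite a monitoring baseline stored on the same host, the baseline is sealed with an HMAC, so a rewritten baseline is rejected. The directory contents, the tampering scenario and the HMAC key are constructed for the example; the key is a placeholder and in practice would live in a secret store off the monitored host.

```python
"""File integrity monitoring with a tamper-evident baseline.

Added example, not code from the original article or from Gamma Defense.
The sample directory, the simulated tampering and BASELINE_KEY are
constructed for illustration; the key is a placeholder.
"""
import hashlib
import hmac
import json
import os
import tempfile

BASELINE_KEY = b"placeholder-key-keep-off-the-monitored-host"


def hash_file(path):
    """SHA-256 of a file, read in chunks so large files do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map relative path -> digest for every regular file under root."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digests[os.path.relpath(full, root)] = hash_file(full)
    return digests


def seal(digests, key=BASELINE_KEY):
    """Serialize the snapshot and attach an HMAC over the serialized bytes."""
    body = json.dumps(digests, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"body": body.decode(), "tag": tag}).encode()


def unseal(blob, key=BASELINE_KEY):
    """Verify the HMAC before trusting the baseline; raise if it was altered."""
    doc = json.loads(blob)
    body = doc["body"].encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["tag"]):
        raise ValueError("baseline failed integrity check")
    return json.loads(body)


def compare(baseline, current):
    """Classify the differences between two snapshots."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: take a baseline, tamper with the tree, re-scan."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "finance"))
        with open(os.path.join(root, "finance", "q1.xlsx"), "wb") as f:
            f.write(b"quarterly figures")
        with open(os.path.join(root, "policy.txt"), "wb") as f:
            f.write(b"data security policy v1")
        sealed = seal(snapshot(root))

        # Simulated tampering: one file overwritten in place, one renamed to a
        # new extension (shows up as removed + added), one new file dropped.
        with open(os.path.join(root, "policy.txt"), "wb") as f:
            f.write(b"garbage")
        os.rename(os.path.join(root, "finance", "q1.xlsx"),
                  os.path.join(root, "finance", "q1.xlsx.locked"))
        with open(os.path.join(root, "RESTORE_FILES.txt"), "wb") as f:
            f.write(b"note")

        report = compare(unseal(sealed), snapshot(root))

        # A baseline rewritten without the key fails verification.
        forged = sealed.replace(b'"tag": "', b'"tag": "0')
        try:
            unseal(forged)
            forged_detected = False
        except ValueError:
            forged_detected = True
    return report, forged_detected


if __name__ == "__main__":
    report, forged_detected = demo()
    print(json.dumps(report, indent=2))
    print("forged baseline rejected:", forged_detected)
```

Scheduling `snapshot` and `compare` against a stored baseline gives the change detection the list item asks for; a sudden jump in the size of `modified` plus `removed`, or an added file whose name reads like a ransom note, is the signal to feed into the SIEM/SOAR tooling of item 11.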

How to respond to a ransomware attack

The FBI strongly discourages organizations from paying a ransom. Government agencies’ cybersecurity reporting is guided by federal and state laws. For example, Florida’s Cybersecurity and Data Breach Law requires certain disclosures to be made when data containing personal information has been breached or accessed without authorization.

While many local governments made the decision in the past to pay the ransom, this may soon no longer be an option as the federal government is looking into the possibility of making or facilitating such payments illegal.

To mitigate the extent of the damage caused by ransomware, isolate the impacted systems. Disconnect your backup system from the network immediately. Temporarily block users’ and employees’ access to the network. If you don’t have the know-how to correctly and safely execute these procedures internally, contact a reliable cybersecurity firm, such as Gamma Defense.

Most importantly, do not panic. Follow your breach protocol, and coordinate with the relevant authorities and cybersecurity agencies.