How Ransomware as a Service can make anyone a cyber villain and how we can fight back
By Daniela Fernandez, Head of Information Security, PayPal Australia
Last year saw a surge in ransomware attacks, making them one of the most pervasive cyber threats today. One of the more prominent recent attacks was in December 2021, when the private information of up to 80,000 South Australian government employees was stolen by cyber criminals demanding a ransom payment in cryptocurrency.
According to Palo Alto Networks, the average ransomware payment reached $570K in the first half of 2021. One of the key reasons ransomware continues to be such a lucrative type of attack is the adoption of Ransomware as a Service (RaaS).
The RaaS model has opened the market to malicious actors and enabled them to leverage effective malware and ransomware tools to execute an attack without significant resources or technical expertise. This means almost anyone with access to the dark web and a relatively small war chest can commission a sophisticated and devastating cyberattack on almost any business or organisation, with small businesses increasingly among those targeted.
What is Ransomware as a Service (RaaS)?
In the traditional model, the cybercriminal, whether an organisation or an individual, required the technical capabilities to carry out the attack end to end. With RaaS, much like a Software as a Service (SaaS) business model, the organisation that develops the ransomware offers the variant to different buyers for a subscription fee.
In some cases, the buyers who want to execute the attack deal directly with the organisation offering the service; in other cases there is a RaaS operator (broker) who helps identify the different tools required to carry out the attack and facilitates transactions between the providers (spam, botnet, malware) and the buyers.
Cybercriminals offering RaaS have become more sophisticated and mirror legitimate business practices, including having a code of conduct, playbooks for conducting attacks, marketing campaigns to attract new buyers and hacker employees, and brochures highlighting the benefits of the different subscription options.
How can businesses protect themselves?
There are some basic actions businesses of any size can take to protect against a ransomware attack and reduce their exposure.
- Backup and backup testing
Establish a backup strategy to ensure that your data is backed up regularly and securely. Selecting a backup solution can be overwhelming, so take a risk-based approach when deciding how frequently, and which data, you should back up. It is important that your backups are encrypted and protected so that attackers cannot reach your backups as well. Similarly, test your backup and restore procedures so that you can restore services with confidence if a ransomware incident occurs. If paying a ransom is not an option for you, the only way to minimise service downtime in the event of a ransomware attack is to restore your last known good backup. So make sure it is good (comprehensive of all the data you need), encrypted, protected (disconnected) and restorable.
- Up-to-date software and security patches
Most ransomware attacks exploit known vulnerabilities for which patches are usually available. Ensure your operating systems are up to date and prioritise patching of vulnerabilities, especially for systems and devices that are internet facing and/or store, process or transmit sensitive data.
- Multi-factor authentication (MFA)
Enable MFA wherever possible, especially in access points that are internet facing, to lower the risk of a successful attack. Multi-factor authentication requires users to provide two or more pieces of evidence to verify their identity, before they can gain access to a website or application. These days, most applications and consumer services offer this capability. Ensure you enable MFA to secure everyday authentication to the services you offer and consume.
- Endpoint hardening
Having a strong endpoint security solution in place will help you protect end-user devices that could serve as a potential entry point to the corporate network. Endpoints include any device with internet connectivity, such as laptops, tablets, desktop computers and mobile phones.
- Anti-phishing protection
Phishing is one of the most common attack vectors for ransomware and many other types of attacks. Hence, you should detect and block malicious emails, and make it easy for users and employees to report suspicious emails so that they can be blocked for other users and the sending domains can be reported in a timely manner.
- Awareness training
Last but not least, empower your staff with the knowledge needed to identify suspicious activities and emails and report them through the correct channels. When it comes to protecting your data and systems, behaviours are just as important as technical controls. Creating a positive cyber security culture and making people the strongest first line of defence can make a huge difference in minimising the risk of any cyber-attack.
How can individuals help fight cybercrime?
With the shift to remote working due to COVID-19, attackers have found more paths into secure networks. Such paths include taking advantage of weak wireless security settings, out-of-date operating systems on personal devices (mobiles, tablets, printers, computers) that employees use to access the company network, or on corporate devices that are increasingly used for personal activities.
Therefore, in addition to the corporate controls that the organisations put in place, as individuals we should take simple steps to protect ourselves and our families. These steps include:
- Always using secure connections for payment and other sensitive transactions over the internet. Where possible, rely on service providers with a proven track record of strong security and compliance program like PayPal.
- Enabling MFA while using your key applications including social media, digital wallets and email.
- When receiving an email or text message, always make sure that it was sent by a trusted source, and avoid clicking on suspicious links, especially if you weren't expecting such a message (e.g. a parcel you haven't ordered, a bill you apparently haven't paid, a product you haven't bought).
- If you receive a call from your credit card issuer, bank or online payment provider, do not disclose personal or financial information. Take details from the caller, such as the reference number of the case. Afterwards, look up the official contact number of the organisation and call that number to verify the intent of the call.
It is expected that the RaaS ecosystem will continue evolving, as cyber criminals use the money collected through ransoms to operationalise their business model and fund more sophisticated attacks.
As long as ransomware continues to yield profits for cybercriminals, we will keep seeing new variants and a significant increase in the use of RaaS. This may be why governments are working on putting legislation in place to deter malicious actors and stop ransom payments; however, it takes time for such legislation to be actively enforced. In the meantime, organisations should familiarise themselves with the concepts and impacts of ransomware, prepare to prevent such incidents, and be ready to respond effectively to possible attacks.
The content and information provided is for general informational purposes only. You should always obtain independent technology, business, tax, financial and legal advice before making any business decisions.