
Christian Have at Logpoint explores RaaS and explains why decentralisation is increasing the threat
Ransomware-as-a-Service (RaaS) has turned ransomware into big business. Professionalisation has monetised each aspect of a ransomware attack, with security researchers now often employed by extortion groups to develop off-the-shelf components. This allows organised criminal gangs (OCGs) to assemble different attacks and lowers the barrier to entry for novice attackers.
But increasingly, we’re seeing the decentralisation of OCGs, particularly in the wake of a crackdown by the authorities. LockBit, for example, was famously taken down in February by the NCA and FBI in Operation Cronos only to resurface a week later, although the sting did see the recovery of LockBit decryption tools which have since been made available on the No More Ransom portal.
Downward pressure on the market, combined with the prolific availability of toolkits, means RaaS is fast becoming a victim of its own success and is being commoditised. The Ransomware, extortion and the cyber-crime ecosystem report by the NCSC notes that a group would typically take a 45% cut of the ransom, but that figure has been falling due to oversupply. Initial Access Brokers (IABs), who provide information on breach-ready environments, are also having to cut their asking price.
Consequently, ransomware groups are keen to operate below the radar and are attacking more widely. LockBit, for instance, is estimated to have attacked 1,700 organisations in the US over the past four years, amassing $91 million according to the FBI, yet since its resurrection it is now said to be making ransom demands of less than £1m per victim. IABs, too, are having to sell more and so are keen to increase the number of targets.
These drivers mean RaaS is now frequently used to target SMEs, which have far fewer resources and so are less well protected, and which will often choose not to disclose a breach to avoid incurring financial penalties from the regulators. However, this is not a wise move.
The Ransomware: The Cost to Business Study 2024 found that, of the 84% of organisations who agreed to pay, 78% were hit again and the majority (63%) were asked for even more money the second time around. Just under half (47%) got their data back and none had the assurance that their data wouldn’t still be sold on the black market.
In addition, we’ve seen BlackCat leverage regulations to apply pressure on a victim to pay by filing an official non-compliance complaint with the SEC.
Further tipping things in the OCGs’ favour is the emergence of Generative AI, which is being used to scrape information from websites and social media to create highly convincing phishing attacks that provide the toehold for ransomware execution.
These capabilities are now becoming part and parcel of the RaaS toolkit. Whereas a traditional ransomware attack moves from reconnaissance through malware development to initial access, the off-the-shelf offering effectively skips these stages.
So how can organisations defend themselves against these attacks? Firstly, decentralisation emphasises the need for security teams to move beyond traditional methods of identifying security breaches based on known Indicators of Compromise (IOCs).
Instead, adopting an approach focused on detecting Tactics, Techniques and Procedures (TTPs) is more sustainable, because it takes the threat actor’s dynamic methods and emerging threats into account.
Threat intelligence, along with effective cyber-hygiene (a regular backup plan, network segmentation, security awareness training and detection engineering), can pay real dividends. In fact, the NCSC report acknowledges that “most ransomware incidents are … the result of poor cyber-hygiene”.
In addition, being able to prioritise alerts and place them in context helps ensure attacks are detected and significantly decreases the number of false positives. For those without the in-house resource, a Managed Detection and Response (MDR) service can help in this regard.
Threat detection and incident response (TDIR) solutions are no longer out of reach for the SME. Next-generation Security Information and Event Management (SIEM) platforms now come with threat-hunting capabilities and pricing based on nodes rather than data volume, helping to ensure that spend is predictable.
It’s also possible to combine a SIEM with Security Orchestration, Automation and Response (SOAR), which uses playbooks that map directly to the TTPs attackers use via a framework such as MITRE ATT&CK. This ensures attacks are caught and prioritised for attention. Should the attack escalate, SOAR can use case management to advise on possible remediation and recovery options, helping get back to business as usual.
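To make the IOC-versus-TTP distinction concrete, here is an added illustration (not from the article or from Logpoint) of two detection approaches run over a handful of constructed endpoint events. The IOC list, hostnames, hashes and file paths are all hypothetical; the two ATT&CK technique ids are real, and the playbook text is an assumed mapping a SOAR might carry.

```python
"""Added example: IOC matching misses a re-built payload, TTP rules do not."""
import re
from collections import Counter

# Hypothetical IOC list: a hash seen in an earlier affiliate's campaign.
KNOWN_BAD_HASHES = {"aaaa1111"}

# Constructed endpoint telemetry (process creations and file writes).
EVENTS = [
    {"type": "process", "host": "pc-07", "sha256": "aaaa1111",
     "cmdline": "x.exe --run"},
    # Same behaviour from a decentralised affiliate's new build: unknown hash.
    {"type": "process", "host": "pc-12", "sha256": "ffff9999",
     "cmdline": "vssadmin delete shadows /all /quiet"},
] + [{"type": "file", "host": "pc-12", "path": f"C:\\docs\\{i}.docx.locked"}
     for i in range(60)]

# Behavioural rules keyed to MITRE ATT&CK technique ids.
SHADOW_DELETE = re.compile(r"vssadmin.*delete\s+shadows", re.IGNORECASE)
TECHNIQUES = {"T1490": "Inhibit System Recovery",
              "T1486": "Data Encrypted for Impact"}
# Assumed SOAR playbook mapping: technique id -> (priority, response step).
PLAYBOOKS = {"T1490": (1, "isolate host, preserve volatile evidence"),
             "T1486": (1, "isolate host, restore from offline backup")}

def ioc_detect(events):
    """IOC approach: fires only on a known hash. Misses pc-12 entirely."""
    return {e["host"] for e in events if e.get("sha256") in KNOWN_BAD_HASHES}

def ttp_detect(events, rename_threshold=50):
    """TTP approach: fires on behaviour, regardless of binary or hash."""
    findings, renames = set(), Counter()
    for e in events:
        if e["type"] == "process" and SHADOW_DELETE.search(e["cmdline"]):
            findings.add((e["host"], "T1490"))
        elif e["type"] == "file" and e["path"].endswith(".locked"):
            renames[e["host"]] += 1  # mass rename to a single new extension
    for host, n in renames.items():
        if n >= rename_threshold:
            findings.add((host, "T1486"))
    return findings

def triage(findings):
    """Order findings by playbook priority and attach the response step."""
    return sorted((PLAYBOOKS[t][0], host, t, TECHNIQUES[t], PLAYBOOKS[t][1])
                  for host, t in findings)
```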
The ransomware market may be fragmenting, and the era of behemoth groups may be coming to an end. But it’s vital that organisations don’t become complacent about the threat this poses.
What we are now seeing is in some ways more dangerous and insidious. RaaS has become so commoditised that it’s available to all, marking every organisation as a potential target. And GenAI will see RaaS attacks scale to a hitherto unimaginable degree, with phishing attacks customised in every language and the ability to zero in on an individual through personalisation.
It’s for these reasons that businesses must take pre-emptive action and put systems and processes in place today to avoid paying, in some shape or form, tomorrow.
Christian Have is CTO at Logpoint
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543