The Commoditization of Ransomware-as-a-Service

Author: Christian Have, CTO at Logpoint
Date Published: 21 February 2024

The professionalization of the ransomware economy is growing as Ransomware-as-a-Service (RaaS) has not only significantly lowered the barriers for even novices to execute a cyberattack successfully but has also connected security researchers with ransomware groups. With security researchers on the payroll, extortion groups can sell off various tools to execute cyberattacks. These are off-the-shelf offerings, requiring minimal technical expertise to operate, allowing cybercriminal gangs to specialize in different attacks because they can buy the exact tools needed to solve a specific task.

The proliferation of RaaS platforms further complicates law enforcement efforts by enabling a broader range of individuals to participate in illicit activities, which drives up the number of attacks and decentralizes criminal ransomware networks. It is now commonplace for extortion groups to target small and medium-sized enterprises (SMEs). They have scant security resources and, under expanding data-protection and cybersecurity regulations, risk severe penalties if an attack is disclosed.

SMEs also tend to rely heavily on third-party software, making them susceptible to software supply chain attacks such as the file-sharing attacks we saw from Clop, and their staff awareness and policy enforcement are likely to be weaker. In fact, recent reports suggest Lockbit, Clop, and BlackCat, as well as relative newcomers such as 8base, are all now scaling back their big-game attacks and instead going after SMEs.

Reduced RaaS price points

However, RaaS is fast becoming a victim of its own success. As the UK’s National Cyber Security Centre (NCSC) explains in its recent Ransomware, extortion and the cybercrime ecosystem report, RaaS groups usually demand approximately 45% of the ransom, but that figure has been dropping rapidly as the number of groups in the market proliferates.

Early indications are that initial access brokers (IABs) are under pressure to cut price points on the information they sell about infected breach-ready environments. This will inevitably push threat actors to commoditize their extortion and ransomware operations even further, forcing them to play a numbers game and target a larger number of smaller organizations to net the same profits as before. One positive note on the continuing commoditization of ransomware operations is that the techniques used are shared across actors and thus become easier to detect at scale.

Moreover, we can expect collaboration between ransomware groups to increase as Generative AI paves the way for the creation of convincing phishing scams and malware. Attacks will become even more focused, scraping information from online sites to build attacks that take advantage of the poorly equipped SME, who is more likely to roll over and pay.

For SMEs, the commoditization of RaaS points to attacks becoming more numerous and sophisticated. We can expect the sophistication of techniques and tactics deployed to increase, which further stresses the need to improve cyber hygiene and threat detection and response capabilities. In order to equip themselves, it is therefore necessary to understand the stages involved in a ransomware attack and how defenses can help.

Understanding how an attack manifests

A RaaS attack allows perpetrators to skip the initial steps of a ransomware attack, such as reconnaissance, malware development, and gaining initial access. They choose a ransomware type and then buy access. For example, there are 178,000 vulnerable SonicWall firewalls exposed on the internet, and extortion gangs can buy from RaaS operators the tools and infrastructure needed to exploit them.

Adversaries try to maintain a foothold in the victim’s network through persistence while masking the attack to avoid detection. Evasion may take the form of disabling security products, clearing and disabling logging, obfuscating the payload, or using built-in system utilities to execute payloads. It is common for the attack to move laterally across the network, because moving to other hosts allows threat actors to establish a presence, access sensitive information, and accomplish their goals.

The attack can then enter the next stage: credential access or discovery. The latter is used to gather as much information as possible about the target, including its infrastructure and assets, to identify vulnerabilities and weak points in the network, which can then be used to plan and execute more advanced attacks. In the final step, the command and control (C&C) server gives the ransomware its instructions to execute, although in some instances data exfiltration is carried out throughout the compromise.
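The article's point that commoditized techniques recur across actors and so become detectable at scale can be turned into a small correlation rule. The example below is added here and is not Logpoint's or the author's code: it maps standard Windows event IDs (log cleared, service installed, scheduled task created, explicit-credential logon) to the attack stages described above and escalates a host only when several stages fire within a short window. The sample records are constructed.

```python
"""Stage-aware triage of Windows event records (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Standard Windows event IDs mapped to the stages the article describes.
RULES = {
    ("Microsoft-Windows-Eventlog", 1102): "defense-evasion",            # Security log cleared
    ("Microsoft-Windows-Eventlog", 104): "defense-evasion",             # System/Application log cleared
    ("Service Control Manager", 7045): "persistence",                   # new service installed
    ("Microsoft-Windows-Security-Auditing", 4698): "persistence",       # scheduled task created
    ("Microsoft-Windows-Security-Auditing", 4648): "credential-access", # logon with explicit credentials
}


def stage_of(event):
    """Return the attack stage a record indicates, or None if no rule matches."""
    return RULES.get((event["provider"], event["event_id"]))


def triage(events, window=timedelta(minutes=30), min_stages=2):
    """Return {host: sorted stages} for hosts that show at least `min_stages`
    distinct stages inside one `window`; single matches are left as low-priority."""
    by_host = defaultdict(list)
    for e in events:
        stage = stage_of(e)
        if stage:
            by_host[e["host"]].append((datetime.fromisoformat(e["time"]), stage))
    escalated = {}
    for host, hits in by_host.items():
        hits.sort()
        for t0, _ in hits:  # slide a window starting at each matched event
            stages = {s for t, s in hits if t0 <= t <= t0 + window}
            if len(stages) >= min_stages:
                escalated[host] = sorted(stages)
                break
    return escalated


# Constructed sample records, not taken from any real incident.
SAMPLE = [
    {"time": "2024-02-20T09:00:00", "host": "fs01", "provider": "Service Control Manager", "event_id": 7045},
    {"time": "2024-02-20T09:04:00", "host": "fs01", "provider": "Microsoft-Windows-Eventlog", "event_id": 1102},
    {"time": "2024-02-20T09:05:00", "host": "fs01", "provider": "Microsoft-Windows-Eventlog", "event_id": 104},
    {"time": "2024-02-20T10:00:00", "host": "ws07", "provider": "Microsoft-Windows-Security-Auditing", "event_id": 4698},
    {"time": "2024-02-20T08:00:00", "host": "ws12", "provider": "Microsoft-Windows-Security-Auditing", "event_id": 4624},
]

if __name__ == "__main__":
    print(triage(SAMPLE))  # {'fs01': ['defense-evasion', 'persistence']}
```

Only fs01 is escalated: ws07 trips a single persistence rule and ws12 matches no rule at all, which is the prioritization the article recommends over reviewing every alert.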

Defense options as RaaS ramps up

Adding threat intelligence to the existing arsenal, alongside sound cybersecurity practices such as regular backups, network segmentation, employee training, and sound detection-engineering metrics, can help organizations stay ahead of the curve. Having a practice for prioritizing and contextualizing alerts also helps in detecting an attack. A Managed Detection and Response (MDR) solution could prove beneficial if resources are stretched.

Deploying threat detection and response (TDR) solutions can also help organizations quickly identify and respond to ransomware attacks, and TDR is no longer out of reach for SMEs. A next-generation Security Information and Event Management (SIEM) platform with threat-hunting capabilities and pricing based on servers rather than data volumes can help detect and investigate threats while keeping costs predictable.

Such platforms can also be combined with Security Orchestration, Automation and Response (SOAR), which is highly effective at stopping ransomware attacks. It can enable the business to automate the investigation of suspicious emails, for example, and escalate only those that warrant it, preventing alert fatigue. And because SOAR uses playbooks that map directly to the tactics, techniques and procedures (TTPs) attackers use, it can isolate the exploit early on. In terms of response, SOAR can also guide the team through the remediation process, using case management to advise on possible recovery avenues.

Prevention is always better than a cure, which is doubly true in the case of ransomware because paying the ransom will not necessarily make the problem go away. The attackers may choose to publish the data anyway. What’s more, as the breach has still occurred, the business will still need to disclose the breach to affected parties and the relevant authorities. But, by taking a comprehensive approach to ransomware detection and prevention, organizations can significantly reduce the risk of falling victim to these devastating attacks in the first place.