e Staying ahead of RaaS: Extortion-as-a-Service - Equate Technologies %

Staying ahead of RaaS: Extortion-as-a-Service

Jun/29/2022

Last month, in their annual survey – The State of Ransomware 2022 – Sophos showed that 80% of Australian organisations were hit with ransomware in 2021. The advent of Ransomware-as-a-Service (RaaS) has changed the threat landscape again. Now, bad actors with limited knowledge of coding can access ransomware on a lease or subscription plan – enabling cyber criminals with the tools and intent to quickly shut down operations and extort money from high-value corporate targets.

Affiliate networks of no-coders

Criminal hackers have historically always been coders – it’s been an imperative to be able to adjust, adapt, and tailor their approaches for the best results. But, by building affiliate networks, there’s now a broader reach for bounty hunters and the breadth, depth, and volume of attacks are growing and impacting victims greater than ever before.

How do Ransomware-as-a-Service, or RaaS, attacks work?

RaaS uses the same principles as any other ransomware attack. The difference is only that now, non-coders can be threat actors too, and the coder threat actors have levelled up their marketing and business strategies.

Unsurprisingly, phishing is often the first line of attack as our front-line staff fall foul due to convincing text messages or emails. And whilst we’re all getting wiser and smarter in spotting a scam, the approaches are increasingly more believable.  We’ve become more used to spotting those badly-composed emails, or a dodgy-looking logo or email address – it’s now harder than ever to identify a scam.

What happens next varies significantly. Most likely critical infrastructure, sensitive documentation, and/or operational systems become inaccessible or compromised.

Eventually, once the panic has had time to set in, you’ll be offered an ‘out’ by means of a decryption code, to be sent to you once a sum of money is paid via an untraceable currency before a (fast-approaching) deadline.

How can you defend against RaaS attacks?

This really depends on your organisation’s maturity, size, and risk profile.   There are more than one set of “3 Ps” in security, but if you can’t do anything else, Patching, Passwords and People is your way forward.

Patching – Keep systems and technologies up to date.

Passwords – Change default passwords and enforce complex passwords and Multi-Factor Authentication (MFA) tied into a Privileged Access Management methodology.

People – Train people to be your first line of defence rather than the weak link in the chain. If you make it easy for humans to do the right thing, they will almost always do it.

Once your 3 Ps are covered, you should then implement:

  • A good Asset and Vulnerability Management program – to understand what you have, and where you’re exposed.
  • cyber security framework – for the basic standard in cyber security, choose the ACSC Essential Eight Maturity Model, or for more sophisticated set-ups, the NIST framework will be your go-to.
  • A quality detection methodology and tooling – such as MITRE ATT&CK.
  • Tested processes which enable your organisation to effectively respond to events and incidents.

And finally – always use an expert. The cyber universe is hard to keep up with and organisations shouldn’t be bogged down in keeping track of it.  Instead, they should be focused on what they do best, whether that’s ensuring their business is running profitably, providing services in the public sector, educating students, providing healthcare, etc.  Instead, find a partner to be the backbone of your security operations to ensure that you keep trading for the long term.

Engaging a partner is an investment, yes, but when compared to the crippling commercial impact of a cyber security breach, the investment can pay dividends in days.