Combatting Ransomware as a Service (RaaS)

Named by many as the “cyber-attack of the year,” the recent Colonial Pipeline ransomware incident caused more than just business disruption – it inflicted considerable economic damage, reminding us how fragile our digital infrastructure is.

While this attack was the highest-profile ransomware incident of 2021, it was far from the only one. In May, a massive ransomware attack crippled the Irish health system while a similar incident occurred in Australia’s Northern Territory where the government had to shut down for three days at the beginning of the year.

So, what makes ransomware now so prevalent and why are critical government infrastructures targeted so often? The answer may have less to do with evolving technology and more to do with areas of opportunity for threat actors, as ransomware attacks are quickly becoming the most lucrative type of cybercrime.

From one-offs to Ransomware as a Service (RaaS)

Until recently, ransomware attacks were mostly one-offs, with criminals targeting lower-profile companies that couldn’t afford to lose data or weather the bad press that would follow. However, as the digital economy became more prevalent, solitary attacks transformed into large-scale extortion operations. Thus, ransomware slowly migrated to a model analysts call “Ransomware-as-a-Service,” or RaaS, an adaptation of the Software as a Service (SaaS) business model. RaaS is a subscription-based model that enables intermediary hackers to use already-developed ransomware tools to execute ransomware attacks. Affiliates earn a percentage of each successful ransom payment.

The emergence of Darkside and other RaaS operators

With these RaaS business models in place, groups such as Darkside now lease their ransomware technology to affiliates instead of executing the high-profile attacks themselves. To support their efforts, Darkside runs its own press center to announce these high-profile attacks while also attracting new collaborators to further its cause. To complicate matters, these RaaS vendors also employ obscure “data recovery” companies to handle ransom payment processing and cover the tracks of everyone involved in the scheme.

While the Colonial Pipeline attack did prompt authorities to take action, it’s unlikely these attacks will decrease. Government infrastructure and large companies have one thing in common that makes them attractive to cyber criminals: they are highly likely to negotiate. For such companies (financial institutions, for example), every day offline can lead to residual losses greater than any ransom. This is why researchers estimate that almost two thirds of last year’s ransomware attacks were in fact RaaS, with new ransomware schemes appearing each month, including novel threats such as Avaddon and revised versions of the “classic” Ryuk and REvil platforms.

Why RaaS attacks are likely to succeed

While most security solutions have advanced anti-ransomware capabilities, these types of attacks are rarely aimed at a single system. In fact, the vast networks of servers that power today’s remote economy act as a catalyst for attackers who use every accessible weak point to get in. Another important aspect to consider is the human layer. Individuals are most vulnerable to attacks through targeted spam/phishing campaigns and social engineering.

Often acting as advanced persistent threats (APTs), ransomware threats use multiple methods to get in and stay there:

  • E-mail is still quite popular, with RaaS providers using scripts, archives, format exploits, and macros to bypass the vigilance of some systems.
  • Malicious URLs can lead to exploit kits, as can legitimate but compromised websites. Malvertising is also a common method of delivering such kits into shared systems.
  • Social media files and applications have also become common ways to spread ransomware. Often, due to privacy concerns, these systems are less monitored when it comes to individual employees.
  • Other methods include infected storage media (USB drives, external HDDs) as well as direct attacks on vulnerable machines, including those running insecure HTTP servers. Large cloud systems often have legacy endpoints that are neglected during regular security checks.

Once in, most ransomware will not show any signs of infection immediately. It will create an entire ecosystem based around encrypting valuable files from your systems, generating decryption keys for them, and connecting you to a payment processor that will mediate the ransom. Newer ransomware platforms, such as those used in RaaS, often have the latest versions of their binaries tested against multiple antivirus engines. With this technology in place, the software is then able to calculate when to strike, taking into consideration both the time it takes for AV engines to detect its presence and the time it takes for analysts to understand the encryption method.

Recommended RaaS defense strategies

The most important step is to boost the early detection capabilities of your security solution. This can be done through several methods:

Using a URL filtering service

URL filtering devices will constantly block not just malicious URLs, but also the IPs of the domains and servers behind them. Even if a URL has already been accessed, advanced URL filtering services can stop any data or file that came from it from communicating with its main server. In the case of ransomware, this effectively prevents file encryption and key generation.

Advanced Threat Control (ATC)

ATCs will help proactively detect both ransomware and zero-day threats. Based on advanced heuristics and machine learning, ATC systems operate on a “zero-trust assumption,” permanently monitoring vulnerable applications and processes. ATC relies on behavior characteristics, rather than signature and binary detection.

This means that malware and ransomware are not just prevented from getting in but also from acting if they were somehow “invited” into the system. Hijacking applications, injecting code into other processes, accessing restricted server or disk space, and creating auto-start entries in the registry are just some of the malware-specific actions that are blocked.
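The contrast between signature lookup and behavior-based blocking described above can be sketched as follows. This is an added example, not Bitdefender's code or the ATC SDK: the weights, threshold, event names, hashes and process names are all constructed assumptions, and the behaviors scored are the ones listed in the paragraph above.

```python
from collections import defaultdict

# Constructed signature set; the value is a placeholder, not a real indicator.
KNOWN_BAD_HASHES = {"hash-of-known-sample"}

# Assumed weights for the behaviours the article lists (illustrative values).
BEHAVIOUR_WEIGHTS = {
    "app_hijack": 40,
    "code_injection": 40,
    "restricted_access": 25,
    "autostart_registry": 25,
}
BLOCK_THRESHOLD = 60  # assumed cut-off


def signature_verdict(file_hash):
    """Signature check: only catches binaries that are already known."""
    return "block" if file_hash in KNOWN_BAD_HASHES else "allow"


class BehaviourMonitor:
    """Scores every process by what it does, regardless of its signature verdict."""

    def __init__(self, threshold=BLOCK_THRESHOLD):
        self.threshold = threshold
        self.scores = defaultdict(int)
        self.seen = defaultdict(set)
        self.blocked = set()

    def observe(self, pid, behaviour):
        if pid in self.blocked:              # once blocked, every later action is denied
            return "block"
        if behaviour not in self.seen[pid]:  # count each behaviour type once per process
            self.seen[pid].add(behaviour)
            self.scores[pid] += BEHAVIOUR_WEIGHTS.get(behaviour, 0)
        if self.scores[pid] >= self.threshold:
            self.blocked.add(pid)
            return "block"
        return "allow"


# Constructed event stream: (pid, image, file_hash, behaviour).
EVENTS = [
    (101, "backup.exe", "hash-a", "restricted_access"),
    (202, "invoice_viewer.exe", "hash-b", "autostart_registry"),
    (202, "invoice_viewer.exe", "hash-b", "code_injection"),
    (202, "invoice_viewer.exe", "hash-b", "restricted_access"),
    (101, "backup.exe", "hash-a", "file_read"),
]


def run(events):
    """Return (pid, behaviour, signature verdict, behaviour verdict) per event."""
    monitor = BehaviourMonitor()
    return [(pid, b, signature_verdict(h), monitor.observe(pid, b))
            for pid, _image, h, b in events]
```

Neither constructed binary is in the signature set, so the hash lookup allows every event, while the monitor blocks process 202 as soon as it combines an auto-start entry with code injection and leaves the single restricted access by process 101 alone.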

Advanced anti-malware

Advanced anti-malware is an absolute must for any security solution. While many users already have an anti-malware engine, it’s worth looking for a few features that will also help proactively fight malware. Process emulation, proactive detection, and continuous monitoring are among them, as well as the ability to deploy solutions on multiple operating systems and infrastructures.

Our solution

Aside from its impeccable track record and countless awards, Bitdefender is deeply involved in protecting companies from ransomware and its devastating effects. In fact, earlier this year, our team reached out to companies affected by ransomware and offered assistance with free decryptors and damage mitigation.

Our solutions include a best-in-class URL Status platform that can process more than 15,000 URL requests per second, with an average response time of under 100 milliseconds. Additionally, our Advanced Threat Control SDK can augment existing defenses and drastically reduce the risk of successful attacks. Both of these solutions can easily complement our famous Antimalware SDK that can be seamlessly integrated with all security products.

Learn more about how to enhance security capabilities with Bitdefender’s technology licensing solutions.