
Ransomware-as-a-Service: The next big threat to business


Covid-19: A catalyst for cybercrime  

The shift to remote working in response to the Covid-19 pandemic has led to a spike in cybercrime. Many organizations implemented teleworking overnight and were ill-prepared for the threats that dominate cyberspace. Some remote workers are still unfamiliar with security concepts and controls, IT staff continue to be overwhelmed, business leaders are focused on survival over security, and teleworkers continue to use unsecured home networks.

Although the pandemic has led to huge cost savings for businesses by removing the need for physical office space, some home networks still lack the security controls and detection mechanisms of corporate networks, leading to vulnerabilities in IT infrastructure. Meanwhile, even among employees using VPNs, many remain unfamiliar with the additional security protocols needed to ensure proper use.

The rise of Ransomware-as-a-Service

The recent wave of ransomware attacks across the globe has led to the emergence of Ransomware-as-a-Service (RaaS), a model in which ransomware developers lease ransomware variants to customers. This business model provides the technology for non-tech-savvy criminals to launch ransomware attacks through a paid service.

Ransomware is part of a diverse family of malware and is designed to prevent organizations from accessing their data and computer systems until a ransom is paid. During an attack, a malicious actor deploys malware inside a target organization; from there, the software is either manually directed at a storage repository or lies dormant while it gathers information about the critical value data (CVD). Once that determination has been made, the malware uses a private key or complex encryption algorithm to encrypt the CVD. Once encrypted, the data is almost impossible to recover through a “brute force attack”. The victim organization can either restore its data from backup or pay the attackers’ demands. Once the ransom has been paid, the private key is (presumably) provided to the victims and the files can be decrypted.

How to respond to RaaS attacks 

Since RaaS often functions in a way that prevents normal business operations, it is important that companies think about their recovery strategy. They need to resume business as soon as possible while applying the lessons learned to ensure they are smarter and better positioned to defend themselves. RaaS has lowered the barrier to entry for cybercriminals, meaning that our understanding of how these crimes are carried out should evolve likewise. If we fail to evolve with it, we risk leaving companies more vulnerable than ever.

Human involvement remains a constant consideration in how to safeguard against cyber threats. People are the ones who create the opportunities for exploitation: they configure systems and networks, deploy and configure software, and support it. Whether unintentionally through an employee's mistake or deliberately through an insider threat or external assailant, a human being is typically the root cause of the vulnerability.

There are five root causes to consider when combatting the success of cyberattacks, and addressing them requires people to cooperate and work together seamlessly. Firstly, laziness continues to prevent necessary action in many businesses. Creating proper security frameworks requires persistent attention and effort, and most organizations simply do not have such frameworks in place to defend their systems successfully.

Secondly, missing patches remain a high security risk, especially in data breaches. Without a comprehensive patch management program to prioritize, deploy and test vendor patches, businesses leave themselves open to a wide range of attack vectors. Lack of patching has been the most common attack vector for years and promises to remain so, with breaches at a record high.

Thirdly, detecting intruders quickly is just as important as trying to keep them out. Success lies not merely in deploying security controls but in calibrating them adequately to identify cybercriminals’ activities on company systems. Many companies struggle to get this right because they set the wrong success criteria.

Fourthly, to identify a breach an organization needs to establish a baseline. Security teams should focus on characterizing what normal activity looks like for both their networks and their users, which enables them to spot abnormal behavior. When system administrators use a baseline, they gain an in-depth understanding of what is considered “normal” in their daily operations and can identify malicious activity more quickly.
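The following is an added example, not code from the article or from Nuix, of what "establishing a baseline" can look like in practice: it learns each user's usual source hosts and login hours from a window of authentication events, then flags later events that fall outside that profile. The log format, user names, hosts and timestamps are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication events (not real data), one per line:
# "<ISO timestamp> <user> <source host> <result>"
BASELINE_LOG = """\
2021-03-01T08:55:12 alice ws-alice success
2021-03-01T09:02:41 bob ws-bob success
2021-03-02T08:47:03 alice ws-alice success
2021-03-02T09:15:30 bob ws-bob success
2021-03-02T09:16:02 bob ws-bob failure
2021-03-03T09:01:55 alice ws-alice success
2021-03-03T17:40:10 bob ws-bob success
2021-03-04T08:58:20 alice ws-alice success
2021-03-04T09:05:00 bob vpn-gw-1 success""".splitlines()

# Constructed events from a later day, to be checked against the baseline.
NEW_LOG = """\
2021-03-08T09:00:00 alice ws-alice success
2021-03-08T03:12:45 alice ws-alice success
2021-03-08T10:30:00 bob srv-dc01 success
2021-03-08T11:00:00 carol ws-carol success""".splitlines()


def parse(line):
    """Split one log line into (datetime, user, host, result)."""
    ts, user, host, result = line.split()
    return datetime.fromisoformat(ts), user, host, result


def build_baseline(lines):
    """Learn, per user, the source hosts and login hours seen in the training window.

    Only successful logins contribute, so a burst of failed attempts cannot
    widen what the baseline treats as normal.
    """
    baseline = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for line in lines:
        ts, user, host, result = parse(line)
        if result != "success":
            continue
        baseline[user]["hosts"].add(host)
        baseline[user]["hours"].add(ts.hour)
    return dict(baseline)


def hour_distance(a, b):
    """Distance between two hours on a 24-hour clock (23 and 0 are 1 apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def find_anomalies(baseline, lines, hour_slack=1):
    """Return [(line, [reasons])] for events that deviate from the user's baseline."""
    findings = []
    for line in lines:
        ts, user, host, _ = parse(line)
        reasons = []
        profile = baseline.get(user)
        if profile is None:
            reasons.append("user not seen in baseline window")
        else:
            if host not in profile["hosts"]:
                reasons.append(f"new source host {host}")
            if all(hour_distance(ts.hour, h) > hour_slack for h in profile["hours"]):
                reasons.append(f"login at hour {ts.hour:02d} outside usual hours")
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    profile = build_baseline(BASELINE_LOG)
    for line, reasons in find_anomalies(profile, NEW_LOG):
        print(line, "->", "; ".join(reasons))
```

Run against the sample data, the 03:12 login by alice, bob's first appearance from srv-dc01, and the never-before-seen user carol are each reported with the reason they deviate. A real deployment would learn over weeks rather than days and add the network dimension the article mentions (destination hosts, volumes, protocols), but the shape is the same: learn "normal" from successful activity, then alert on departures from it.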

Finally, and by no means least, logging should be a top priority for businesses of all sizes. If companies are not using logging systems to monitor activity, it is almost impossible to detect nefarious activity properly. Audit logs in particular help determine what, when, where and how intruder activities took place, and as such need to be stored in a secure, remote location to prevent tampering.
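Storing logs remotely keeps them away from a compromised host, but the collector also needs a way to prove that what it holds has not been edited or thinned out. The block below is an added example (not code from the article or from Nuix) of one common approach: each audit record carries an HMAC over its own content and the previous record's MAC, keyed with a secret that exists only on the collector. The key value, the event records and the helper names are all constructed for the example.

```python
import copy
import hashlib
import hmac
import json

# Assumed: this key lives only on the remote log collector, never on the
# hosts that generate the events (constructed value for the example).
COLLECTOR_KEY = b"example-collector-key-not-for-production"
GENESIS = "0" * 64  # the "previous MAC" used for the very first record

# Constructed sample audit events (not real data).
SAMPLE_EVENTS = [
    {"ts": "2021-03-08T03:12:45", "user": "alice", "action": "login", "host": "ws-alice"},
    {"ts": "2021-03-08T03:14:02", "user": "alice", "action": "mount", "host": "fs-share-1"},
    {"ts": "2021-03-08T03:20:39", "user": "alice", "action": "write", "host": "fs-share-1",
     "files": 1842},
    {"ts": "2021-03-08T03:21:00", "user": "alice", "action": "logout", "host": "ws-alice"},
]


def record_mac(key, prev_mac, entry):
    """MAC over the previous record's MAC plus this entry (canonical JSON)."""
    payload = prev_mac.encode() + json.dumps(entry, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append_record(chain, entry, key=COLLECTOR_KEY):
    """Append an entry linked to the current chain head; return the new head MAC."""
    prev_mac = chain[-1]["mac"] if chain else GENESIS
    chain.append({"entry": entry, "mac": record_mac(key, prev_mac, entry)})
    return chain[-1]["mac"]


def verify_chain(chain, key=COLLECTOR_KEY, anchor=None):
    """Return (ok, index_of_first_bad_record).

    Every MAC is recomputed in order, so an edited, inserted or deleted
    record breaks the link at that position. `anchor` is the head MAC the
    collector stored separately; checking it catches records silently
    dropped from the tail, which the chain alone cannot detect.
    """
    prev_mac = GENESIS
    for i, rec in enumerate(chain):
        expected = record_mac(key, prev_mac, rec["entry"])
        if not hmac.compare_digest(expected, rec["mac"]):
            return False, i
        prev_mac = rec["mac"]
    if anchor is not None and not hmac.compare_digest(prev_mac, anchor):
        return False, len(chain)
    return True, None


def build_sample_chain():
    """Ingest the sample events; return the chain and its head MAC (the anchor)."""
    chain = []
    head = GENESIS
    for event in SAMPLE_EVENTS:
        head = append_record(chain, event)
    return chain, head


def edited_copy(chain):
    """Simulate an intruder rewriting the bulk-write event to look harmless."""
    tampered = copy.deepcopy(chain)
    tampered[2]["entry"]["files"] = 1
    return tampered


def deleted_copy(chain, index):
    """Simulate an intruder removing one record outright."""
    return chain[:index] + chain[index + 1:]


if __name__ == "__main__":
    chain, head = build_sample_chain()
    print("intact:   ", verify_chain(chain, anchor=head))
    print("edited:   ", verify_chain(edited_copy(chain), anchor=head))
    print("truncated:", verify_chain(deleted_copy(chain, 3), anchor=head))
```

Two design points matter here. First, a plain hash chain without a key can be rebuilt by anyone who can write the file, so the MAC key must stay off the logging hosts. Second, truncating the tail leaves a perfectly valid shorter chain, which is why the collector records the head MAC (or a sequence number) out of band and verifies against it.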

Post-Covid-19 cybercrime defense  

To detect and prevent attacks successfully in today’s cyber age, it is essential to remember that attackers seldom strike the systems that are being monitored. Instead, they focus on the least obvious routes to data, such as a non-administrative network segment with a path to the domain controller. Most data breaches involve the exploitation of system neglect: missing patches, misconfigurations and open ports.

Since it is almost impossible to stop ransomware attacks altogether, companies need to focus on detecting intruders quickly to minimize unnecessary risk. Post-Covid-19 frameworks for expelling intruders need proper protocols covering the reactive response to attacks, the specific steps needed to isolate the attack, and restrictions on access.

As part of this framework, companies need to understand and investigate their existing security vulnerabilities before and after attacks. By understanding how the intruder entered their systems, they can properly fill any security gaps and incorporate the lessons into bolstering their security posture.

Protecting the most vulnerable 

The proliferation of payment card data in the retail industry, combined with security concessions made for the sake of customer convenience, creates a recipe for breaches. Whilst the PCI DSS has improved the overall security posture of these organizations, they remain the most popular targets among attackers.

The best way to pinpoint the industries most at risk of cyberattacks in the future is to examine the transfer of money in each sector and see how these sectors are managing their digital transformation. In addition to retail, the biggest targets today include food and beverage, hospitality, pharmaceutical companies, government agencies and law firms. Any organization that possesses valuable data and processes large sums of money is a target, as its data has significant black-market value.

Business email compromise (BEC) continues to be one of the easiest and most effective attacks used around the world. Attackers create an email address bearing the name of a company executive and send a blast email to everyone in the company asking them to perform some activity, such as granting access to files or shares, or transferring funds, then wait to see if anyone bites. While the success rate may be low, it only takes one human error for the attacker to gain access.
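The impersonation described above leaves a signature a mail gateway can check: an executive's name in the display portion of the From header paired with an address that is external, on a lookalike domain, or routed to a different Reply-To. The block below is an added example (not code from the article or from Nuix) of that triage logic. The company domain, executive directory, similarity threshold and sample headers are all constructed for the example.

```python
import difflib
from email.utils import parseaddr

# Constructed example directory (not a real company or real people).
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",
    "sam lee": "sam.lee@example.com",
}
LOOKALIKE_THRESHOLD = 0.8  # assumed tuning value; adjust per environment


def normalize_name(name):
    """Lower-case and collapse whitespace so 'JANE  Doe' matches 'jane doe'."""
    return " ".join(name.lower().split())


def domain_of(addr):
    return addr.lower().rsplit("@", 1)[-1] if "@" in addr else ""


def assess_sender(from_header, reply_to_header=None):
    """Return reasons this message looks like executive impersonation (empty list if none)."""
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = domain_of(addr)
    reasons = []

    # 1. Executive display name on an address that is not that executive's.
    name = normalize_name(display)
    if name in EXECUTIVES:
        if domain != COMPANY_DOMAIN:
            reasons.append(f"executive name '{display}' sent from external domain {domain}")
        elif addr != EXECUTIVES[name]:
            reasons.append(f"executive name '{display}' with unexpected internal address {addr}")

    # 2. Sender domain that closely resembles the company domain (e.g. a 1 for an l).
    if domain and domain != COMPANY_DOMAIN:
        similarity = difflib.SequenceMatcher(None, domain, COMPANY_DOMAIN).ratio()
        if similarity >= LOOKALIKE_THRESHOLD:
            reasons.append(f"lookalike domain {domain} (similarity {similarity:.2f})")

    # 3. Replies steered to a domain other than the one the mail claims to come from.
    if reply_to_header:
        _, reply_addr = parseaddr(reply_to_header)
        reply_domain = domain_of(reply_addr)
        if reply_domain and reply_domain != domain:
            reasons.append(f"Reply-To domain {reply_domain} differs from From domain {domain}")
    return reasons


# Constructed sample (From, Reply-To) header pairs, not real messages.
SAMPLE_MESSAGES = [
    ("Jane Doe <jane.doe@example.com>", None),            # genuine
    ("Jane Doe <jane.doe@gmail.com>", None),              # executive name, webmail address
    ("JANE DOE <ceo@examp1e.com>", None),                 # executive name, lookalike domain
    ("Bob Smith <bob@partner.org>", None),                # ordinary external sender
    ("Sam Lee <sam.lee@example.com>", "sam.lee@mail-relay.net"),  # genuine From, redirected replies
]


def triage(messages=SAMPLE_MESSAGES):
    """Assess every sample message; returns one reason list per message."""
    return [assess_sender(frm, reply_to) for frm, reply_to in messages]


if __name__ == "__main__":
    for (frm, _), reasons in zip(SAMPLE_MESSAGES, triage()):
        print(frm, "->", reasons or "ok")
```

This is a heuristic layer, not a replacement for SPF, DKIM and DMARC enforcement or for an "external sender" banner in the mail client; its value is that it catches the display-name trick, which passes authentication checks because the attacker's domain is genuinely theirs. Expect false positives from executives who legitimately mail from personal accounts, and keep the directory in sync with HR data so departures and name changes do not go stale.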

Chris Pogue, Head of Strategic Alliances, Nuix