So, you have a firewall monitoring service, email protection that scans every inbound email for malicious content, and decent endpoint protection software by a well-recognized name.
You have a strong password policy, you’ve implemented multi-factor authentication for administrative accounts, and you perform cybersecurity awareness training for your employees every year. You’re doing “pretty good” with cybersecurity. You’re confident that you’re protected from most threats because you have the basics covered.
Then BAM! Seemingly out of nowhere, you get hit with ransomware.
The organization comes to a sudden halt.
Hopefully, you caught the ransomware in time to shut down the most critical systems before it spread. Hopefully, your backups are configured properly and air-gapped so you can recover your systems. Hopefully, the attackers haven’t stolen any NPI data, or at least are asking for a relatively small ransom. You’re confused, angry, and worried … your accountholders will be too once they find out.
The inevitable questions begin. How could this happen? Who did this? Why did they target us?
Unfortunately, this scenario is all too common. According to the FBI’s Internet Crime Complaint Center (IC3), the number of reported ransomware crimes in 2021 was 50% more than those reported in 2020; 82% more than in 2019. These numbers only reflect the incidents reported directly to IC3, but the trend matches what we’ve seen around the country.
The increase in financial loss from ransomware reported to the IC3 is even more concerning. The year 2020 saw a staggering 325% increase over 2019 with reported losses in 2021 increasing another 69%.
The trend is very clear – ransomware attacks have become much more common and devastating in recent years with no signs of slowing down.
So why is this happening? What has changed and how does it impact you?
The main reason for this increase in attack frequency and impact is ransomware-as-a-service (RaaS), which is a much bigger, and more insidious, threat than the name might imply.
RaaS does not refer to a piece of software or website used for ransomware attacks. In the simplest definition, RaaS is the concept of pay-for-use malware where cybercriminals rent/buy ransomware tools instead of developing those tools themselves. But when cybersecurity professionals talk about RaaS, we’re really talking about the full-fledged (albeit illegal) business model that has developed. Microsoft® has called it a “cybercrime gig economy,” which is a perfect description.
In the past, if a cybercriminal wanted to profit from ransomware, they’d have to develop malicious software capable of automatically exploiting common, known vulnerabilities and self-spreading to as many organizations as possible. They would need to develop a method of accepting the ransom payment along with several other underlying components of the overall attack. This level of development is not trivial, which is why successful, auto-spreading ransomware like WannaCry and NotPetya have made headlines but are rare.
With RaaS, however, a cybercriminal simply buys what they need to attack exactly who they want. They can pay for specific targets such as “all financial institutions with compromised admin credentials or exposed RDP access.” The attacker then uses the software purchased from a RaaS operator to fully compromise those financial institutions and execute the ransomware payload. The RaaS tools even conveniently include payment processing and victim communication modules. The attack is now targeted and executed as a business transaction where every member of that cybercrime gig economy gets paid for their contribution and expertise. Of course, their payment comes from the ransom that you pay to get your data back.
This RaaS ecosystem of affiliates is so dangerous because the components of a successful attack are divided among different criminals profiting from their specific area of expertise.
The person (or group) targeting your organization doesn’t need hacking or software development skills. They only need the motivation for profit and the money to pay for the information and tools. The person that originally found and exploited the vulnerability (called an access broker) doesn’t care who you are or how big your organization is. They simply add your company’s name to a list of compromised targets and move on to find the next vulnerable network. They’ll be paid for their “research” by selling the target lists. And of course, the RaaS operators are nothing more than illegal software shops getting paid for the use of the tools they’ve developed. But their software is very good at what it does because they are focused – they don’t waste time finding targets, compromising networks, or negotiating with victims.
So, how do you protect your organization from the sophisticated and growing threat posed by RaaS? Check out my part 2 post on how to protect your organization from Raas.
For more information about reducing risk and fraud, visit our risk and fraud page.
.svg)
