Ransomware-as-a-Service: The Cloud Model Escalates Ransomware Attacks

Cybersecurity teams know not only that any technology is vulnerable to a cyberattack but also that threat actors will eventually use that technology to launch attacks. Take the cloud, for example. Cybercriminals are using cloud services to their advantage with ransomware-as-a-service (RaaS).

“In addition to a variety of ransomware at various price points, the research also uncovered a wide range of services and tools that help make it easier for attackers with minimal technical skills to launch ransomware attacks,” a recent report from Venafi said. “Services with the greatest number of listings include those offering source code, build services, custom development services and ransomware packages that include step-by-step tutorials.”

Ransomware is an increasingly important part of the proficiency of organized cybercrime, and thanks to this new “affiliate” model of ransomware, the attacks are increasing in frequency and sophistication, resulting in greater damage for the victims, said Joseph Carson, chief security scientist and advisory CISO at Delinea.

Understanding Ransomware-as-a-Service

For Ransomware-as-a-Service (RaaS) to be successful, Carson said in an email interview, multiple parties are required to play different roles.

Creators of ransomware software make it available to a network of cybercriminals, who then target victims and deploy the ransomware. Once the cybercriminals collect their ransom, they pay a royalty back to the original creator. There are also often criminal ‘helpdesks’ and ‘end user support’ services that collect royalties by negotiating the ransom demand and providing the victim with assistance in purchasing bitcoins or other popular cryptocurrencies used to pay the ransom.

“In this model, the creator of the ransomware has broader opportunities for success with minimal risk,” said Carson. “If one affiliate is detected or ransom isn’t paid, there are many other opportunities to make money. The downside, of course, is that all partners need to play their role and not inform on, or leave a trail back to, the others.”

How RaaS Changed Ransomware Attacks

Ransomware has long been a popular type of cyberattack, but RaaS has revolutionized the game, increasing the scale and impact of the attacks. It has also opened the activity to less technically savvy criminals.

“Previously ransomware was used to infect individual systems, or spread opportunistically to adjacent computers on a network,” said Alex Holland, senior malware analyst with HP Wolf Security, in an email interview. “Today, ransomware affiliates have shifted their focus to compromising larger enterprise networks.”

Intruders take longer to select and understand a target’s infrastructure, enabling them to extend an intrusion to vulnerable points in a network to maximize disruption and the potential pay-out, Holland explained. “One of the reasons why RaaS has been so successful is its high scalability. Unlike in the past, ransomware operators are no longer limited by the capability and resources within their immediate circles because RaaS has enabled them to outsource part of the attack life cycle.”

Beyond RaaS

RaaS is high profile because ransomware is high profile. However, cloud platforms have been used to distribute malware for quite some time. Threat actors turn to trusted public cloud platforms as a way to weaponize consumer confidence in those services, setting up accounts on free tiers, which are used to host malware and launch attacks with zero financial outlay.

RaaS is just one type of “malice-as-a-service” platform, and this represents the progression and the continued evolution of the malware business.

“As industries mature, organizations specialize and develop competitive advantages,” said Louai Abboud, adversarial collaboration engineer at LARES Consulting, via email. “The malware business is no exception. That’s what this is—a business.”

Fighting RaaS

RaaS providers have technical support teams, language support teams, dedicated developers and so on, Abboud added. “RaaS providers complicate the security teams’ jobs because they reduce the overall effort and operational burden of developing complex malware. They can even enhance anonymity and operational security by decoupling the attacking entity from the delivery entity, complicating attribution.”

To protect networks from RaaS-derived attacks, security teams must develop detection systems that alert when malicious activity is occurring, in order to reduce the breach ‘dwell time’: the period before an attack is detected, during which the attacker may have stealthy access to data without leaving a trace.

But that’s easier said than done. “The parallels between ransomware-as-a-service and legitimate cloud platforms are striking,” said Holland. “In the last five years we have seen ransomware shift to service and platform models resembling businesses in the gig economy, with ransomware operators tapping into a growing pool of freelance hackers offering their services in exchange for commission.”

Cybercriminals will continue to find ways to abuse legitimate cloud services as a way to deliver malware, until they find something even more effective and shift their tactics again.

Sue Poremba

Sue Poremba is a freelance writer based in central Pennsylvania. She's been writing about cybersecurity and technology trends since 2008.