Cybersecurity Awareness Month 2023 Series
Individuals looking to launch costly attacks on large organizations don’t need to be skilled hackers. Thanks to ransomware as a service (RaaS), prospective attackers can easily equip themselves with the necessary tools and techniques.
The newfound accessibility to cybercrime has led to a 11.3% increase in the number of RaaS and RaaS-related groups. Trend Micro research found that the number of victim organizations surged in the first half of 2023 to 2,001—a 45.3% increase compared to the last half of 2022.
Sources: RaaS and extortion groups’ leak sites
This article will provide an overview of RaaS, its common families and techniques, and tips on how to prevent ransomware attacks and strengthen your cybersecurity posture.
What is Ransomware as a Service (RaaS)?
Credited as one of the reasons causing ransomware attacks to grow, RaaS, based on the SaaS model, involves selling or renting ransomware capabilities to buyers (called affiliates). Among the key players in this ecosystem are the operators, those who develop and sell the ransomware. They are usually part of a larger group with designated roles.
The following are some unique traits about RaaS:
- Most RaaS operators recruit affiliates who perform the ransomware attack
- RaaS operators split the ransom amounts with their affiliates (splits can vary from a little to a lot, depending on how much the RaaS operator supports the attack)
- Ransomware kits can be very sophisticated to quite limited
- If law enforcement does make arrests, it typically will be the affiliates, not the RaaS gangs
How does ransomware as a service work?
RaaS operators figured out quickly that they couldn’t scale their operations alone, and the affiliate model had worked in the past in other areas of cybercrime. This allows them to scale globally and give them an ability to reap more profit without the overhead. The more people that purchase the ransomware, the more attacks, and victims.
Therefore, marketing and recruitment are just as important in the underground world; RaaS operators have invested as much as USD$1 million in recruitment efforts.
To ensure they can recruit affiliates, many RaaS operators have had to improve their offerings, since there are many competitors out their nowadays. This means more sophisticated tools, interfaces that allow the affiliate to track and manage their attacks, and even lists of potential victims they can supply to their affiliates.
However, this isn’t a free-for-all. To increase the chances of a big payout, RaaS operators or affiliates are very selective when choosing a target. For example, Trend Micro research observed many public and private group discussions about avoiding specific countries like Taiwan, due to strict anti-money laundering policies that make it difficult to purchase cryptocurrency to pay the ransom.
RaaS operators are also taking a bigger role in picking victims as high-profile accounts could garner attention of governments and/or LEA; a direct result of the Colonial Pipeline attack.
Ransomware families used by RaaS operates and affiliates
The RaaS model has been adopted by most modern ransomware families. Our 2023 midyear cybersecurity report found 14 new ransomware families, compared to 10 in the first half of 2022.
In the first half of 2023, three RaaS threat actors stood above the rest: LockBit, BlackCat, and Clop.
Sources: RaaS and extortion groups’ leak sites
Here’s a deeper look at some of the most prevalent RaaS families in 2023 thus far:
LockBit
LockBit has been active since 2019 and recently morphed into LockBit 3.0 or LockBit Black, becoming a more formidable threat since incorporating double extortion into its playbook.
Trend Micro reported 1,844 LockBit detections in the first half of 2023. Unsurprisingly, several prolific attacks have been traced back to LockBit. One in every six ransomware attacks targeting U.S. government offices was traced back to the ransomware family. And in January, Royal Mail, the UK’s largest mail delivery service, suffered from a LockBit attack that effectively halted its international export services.
BlackCat
By March 2022, BlackCat had successfully compromised at least 60 organizations. In 2023, BlackCat’s high-profile victims included Reddit and NextGen Healthcare.
It gained initial notoriety for being the first professional ransomware family created in the Rust programming language, which is notoriously secure and capable of concurrent processing.
Now, they are known for their triple-extortion technique. Aside from exposing exfiltrated data, ransomware actors that use triple extortion threaten to launch distributed denial-of-service (DDos) attacks on their victims’ infrastructure to coerce them to pay the ransom. In June, operators announced and launched Sphynx, a new variant with evolved detection evasion and speed capabilities.
Clop
Clop, sometimes stylized as Cl0p, gained notoriety for compromising high-profile organizations in various industries using multilevel extortion techniques.
Clop actors claimed to have compromised 130 organizations in a mass ransomware attack using Fortra’s GoAnywhere file transfer software by exploiting a vulnerability. Notable victims included the City of Toronto and the Community Health Systems (CHS), which is compromised of 80 hospitals.
They were also responsible for a widespread data-theft attack exploiting a zero-day vulnerability in MOVEit Transfer, a secure file transfer platform. The attack affected over 2,000 organizations and more than 62 million customers, and reports in July said they were expected to make upwards of $100 million.
How to prevent ransomware attacks
Ransomware remains, and always will be, a threat against businesses of all sizes.
Connections between other ransomware and APT groups have been noted. MalwareHunterTeam tweeted many similarities between Black Basta and Conti, while Trend Micro Research found correlations between Black Basta and QakBot.
SolidBit
Trend Micro Research analyzed a sample of a new SolidBit ransomware variant targeting users of popular video games and social media platforms. It’s been disguised as different applications, include a League of Legends account checker tool, and an Instagram follower bot, to lure in victims. The malicious actors behind the malware variant have also posted a job advertisement on an underground forum in June 2022 to recruit potential affiliates for their ransomware as a service activities. Affiliates stand to gain 80% of the ransomware payment as a commission.
How to prevent ransomware attacks
Ransomware remains, and always will be, a threat against businesses of all sizes. Organizations can no long take a reactive approach to cybersecurity. As ransom demands increase significantly, cyber insurance carriers have mandated strict anti-ransomware security controls for organizations applying for or renewing coverage. Consider these 5 security practices to prevent ransomware attacks:
5 steps to defend against ransomware
1. Leverage cybersecurity frameworks from the Center of Internet Security (CIS) and the National Institute of Standards and Technology (NIST) for thorough guidance on prioritization and resource management, as well as filling any gaps that could be exposed by attackers.
2. Leverage a unified cybersecurity platform to remove lack of visibility and security gaps caused by disparate point products. Choose a platform that continuously monitors the entire attack surface for early signs of an attack and using advanced detection techniques such as AI-powered technologies, machine learning, and XDR.
3. Follow a zero trust approach to network security by implementing Zero Trust Network Access (ZTNA) technology. ZTNA protects the network by validating access at a point-in-time by checking that patches are installed, the app is domain-connected, etc and authenticating the user’s identity via multifactor authentication (MFA). It will also continuously monitor the user and device for risky behavior and terminate access if detected.
4. Regularly back up your files: Practice the 3-2-1 rule by creating three backups in two different formats with on stored offsite.
5. Train and test your defense strategy by cultivating a security-aware culture. This includes developing and conducting regular security skills assessment and training, as well as red team exercises and penetration tests.
Next steps
To continue improving your attack surface management against RaaS operators, check out the following resources: