Ransomware has cemented itself as one of the greatest threats to organizations worldwide, and it is now a self-sustaining industry. Before Ransomware-as-a-Service (RaaS), attacks were carried out by the same groups that developed and propagated the malware. RaaS changed the scope of cybercrime: it attracted multiple players, each with their own role, and turned ransomware into an ecosystem of its own. In this interview, Satnam Narang, Senior Staff Research Engineer at Tenable, talks about the ransomware ecosystem, the threat actors within it and RaaS as a business model.
- What makes Ransomware-as-a-Service (RaaS) a thriving underground business? How does the RaaS business model work?
Ransomware-as-a-Service (RaaS) has proven to be lucrative for cybercriminals who don’t have the technical skills to develop their own malware or the infrastructure behind it. This has lowered the barrier to entry for a would-be cybercriminal. Ransomware operators provide the ransomware and the infrastructure, and recruit affiliates who are responsible for breaking into networks in order to distribute the malware.
Like any business, ransomware operators use marketing and advertising tactics to recruit affiliates to participate in their programs. The affiliate program includes offers to insiders within corporations, promising to give them millions in exchange for deploying ransomware within their organizations. The low technical barrier to entry and the affiliates’ earning potential make RaaS models attractive.
- What does a ransomware ecosystem’s structure look like? Who are the players and what are their roles?
The ransomware groups are the most recognizable members of the ecosystem. They develop the ransomware, and handle the infrastructure behind hosting stolen files and negotiations with victims.
Affiliates are the backbone of the ransomware ecosystem because they’re the ones doing the dirty work to infect organizations in a variety of ways. Affiliates compromise organizations by purchasing access through Initial Access Brokers or by using common attack vectors such as spearphishing (with malware), brute-forcing RDP systems, exploiting unpatched or zero-day vulnerabilities and purchasing stolen credentials from the dark web. The success of most ransomware groups is largely due to the advent of affiliate programs.
Initial Access Brokers or IABs are a group of cybercriminals who specialize in gaining access to an organization’s IT infrastructure. As their name implies, they’ve already gained initial access to organizations using similar techniques as affiliates. These brokers offer access to the highest bidder. Affiliates can purchase access to an organization from a broker or ransomware groups might develop a working relationship with a broker directly.
- How do ransomware groups bid against each other to attract affiliates?
Ransomware groups are very generous when courting and recruiting affiliates. Affiliates earn the bulk of ransom payments, taking a cut that ranges from 70% to 80% of the total ransom. Some ransomware groups have become more aggressive with their offers to attract affiliates, such as the ALPHV (a.k.a. BlackCat) ransomware group, which offers a 90% cut to affiliates. Considering the growing number of ransomware groups, it makes sense for groups to be aggressive in order to recruit affiliates. For instance, some groups like LockBit go out of their way to highlight their fast encryption speeds as a selling point for why an affiliate might want to work with them rather than the competition.
Recently, we saw that LockBit has positioned itself as the top ransomware group operating today, based on its volume of attacks in recent months, as the Conti ransomware group disbanded and its members found homes in other ransomware groups or extortion-centric groups.
- The commodification of extortion tactics and techniques has led to an industrial revolution of global cybercrime. What are the most common attack pathways RaaS groups use?
Ransomware affiliates are driven by finding the path of least resistance to breach an organization’s network. There are several common attack vectors used to breach an organization’s defenses such as:
- Spearphishing: It is the most common initial attack vector, where threat actors send crafted emails to victims that include malicious attachments or links to external websites that host malware. The malware used in spearphishing is most often a trojan designed to download secondary and tertiary malware components.
- Remote Desktop Protocol: Since RDP is publicly accessible, attackers use scripts to brute-force their way into these systems, targeting weak passwords. It is such a common attack pathway that RDP is referred to as the Ransomware Deployment Protocol by many in the industry.
- Exploiting vulnerabilities and misconfigurations: Ransomware groups covet zero-day vulnerabilities, but more often than not, the groups and affiliates leverage known and unpatched vulnerabilities across a wide spectrum of software solutions. These could be vulnerabilities used as part of malicious documents, vulnerabilities found in perimeter devices like Secure Sockets Layer VPNs, or Active Directory misconfigurations.
- Third-party compromise: Since organizations enlist third-party software vendors, it expands the threat landscape. Ransomware actors look for vulnerabilities in third-party systems. For instance, the Cl0p ransomware group leveraged multiple vulnerabilities in the Accellion File Transfer Appliance, an application that gives organizations a way to transfer files, to steal data from at least 50 organizations.
- Malicious insiders: Ransomware groups in the past have made explicit offers to members of organizations and government agencies to help facilitate attacks. For instance, the LockBit 2.0 ransomware group offered “millions of dollars” to insiders that would provide credentials for corporate email accounts, RDPs and VPNs, or were willing to self-infect their corporate devices with malware.
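The RDP brute-forcing described above leaves a recognizable trail on the target host: a burst of failed logons of the RemoteInteractive type from one source address, sometimes followed by a successful logon from that same address. The detector below is an added example, not code from the interview or from Tenable. It runs over constructed event records that are modelled loosely on Windows Security log fields (event IDs 4625 for a failed logon and 4624 for a successful one, logon type 10 for RDP); the field names, the threshold and the window are assumptions chosen for the example. It raises one alert per source address when the failure count inside a sliding window crosses the threshold, and a second, higher-priority alert when a success arrives from an address that is still inside such a burst.

```python
import datetime as dt
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed sample events (not real logs). Field names are an assumption
# made for this example; 4625 = failed logon, 4624 = successful logon,
# logon_type 10 = RemoteInteractive, i.e. an RDP session.
BASE = dt.datetime(2024, 1, 15, 3, 0, 0)


def _ev(seconds, event_id, source_ip, account, logon_type=10):
    return {
        "time": BASE + dt.timedelta(seconds=seconds),
        "event_id": event_id,
        "source_ip": source_ip,
        "account": account,
        "logon_type": logon_type,
    }


SAMPLE_EVENTS = [
    # Password-spray style burst from one address, six failures in 75 seconds.
    _ev(0, 4625, "203.0.113.7", "administrator"),
    _ev(15, 4625, "203.0.113.7", "admin"),
    _ev(30, 4625, "203.0.113.7", "backup"),
    _ev(45, 4625, "203.0.113.7", "svc_backup"),
    _ev(60, 4625, "203.0.113.7", "helpdesk"),
    _ev(75, 4625, "203.0.113.7", "svc_backup"),
    # Then a success from the same address: the weak password was found.
    _ev(100, 4624, "203.0.113.7", "svc_backup"),
    # Benign: one typo followed by a success from a staff address.
    _ev(10, 4625, "198.51.100.5", "jsmith"),
    _ev(20, 4624, "198.51.100.5", "jsmith"),
    # Network (type 3) failures are not RDP and are ignored by this detector.
    _ev(5, 4625, "203.0.113.9", "guest", logon_type=3),
    _ev(6, 4625, "203.0.113.9", "guest", logon_type=3),
]

FAIL_THRESHOLD = 5            # failures per source address ...
WINDOW = dt.timedelta(minutes=2)  # ... inside this sliding window


@dataclass
class Finding:
    kind: str          # "rdp_bruteforce" or "success_after_bruteforce"
    source_ip: str
    failures: int      # failed RDP logons from source_ip inside the window
    at: dt.datetime
    account: str = ""  # account that logged on, for the success case


def detect_rdp_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return Findings for RDP brute-force bursts and successes following them."""
    events = sorted(events, key=lambda e: e["time"])
    recent_failures = defaultdict(deque)  # source_ip -> timestamps of 4625s
    alerted = set()                       # addresses already reported this burst
    findings = []

    for ev in events:
        if ev.get("logon_type") != 10:
            continue  # only RDP (RemoteInteractive) logons matter here
        ip = ev["source_ip"]
        window_q = recent_failures[ip]

        # Slide the window: drop failures older than `window`.
        while window_q and ev["time"] - window_q[0] > window:
            window_q.popleft()
        if not window_q:
            alerted.discard(ip)  # burst has aged out; re-arm the alert

        if ev["event_id"] == 4625:
            window_q.append(ev["time"])
            if len(window_q) >= threshold and ip not in alerted:
                alerted.add(ip)
                findings.append(Finding("rdp_bruteforce", ip, len(window_q), ev["time"]))
        elif ev["event_id"] == 4624 and len(window_q) >= threshold:
            # A success while a burst is still in the window is the high-priority case.
            findings.append(Finding("success_after_bruteforce", ip,
                                    len(window_q), ev["time"], ev["account"]))
    return findings


if __name__ == "__main__":
    for f in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(f)
```

On the constructed sample this reports one `rdp_bruteforce` finding for 203.0.113.7 at the fifth failure and one `success_after_bruteforce` finding for the `svc_backup` logon, while the single typo from 198.51.100.5 and the non-RDP failures produce nothing. Feeding real 4624/4625 events in requires only mapping their fields onto the dictionary keys used above.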
- Why do ransomware attacks continue to rise despite best efforts to curtail them?
Simply because there’s so much money to be made for all involved in the ransomware ecosystem. Ransomware groups are ephemeral. We have seen multiple ransomware groups disappear over the years, either of their own accord or as a result of government and law enforcement action. We also hear numerous reports that newer groups include members of past ransomware groups. For instance, REvil was the successor to the infamous GandCrab ransomware outfit, while Conti is considered the successor to Ryuk. When certain groups are dismantled, new groups capture the attention of affiliates seeking new partnerships.
It’s the third parties like affiliates and IABs that make ransomware attacks a persistent threat to organizations.
- How can organizations defend themselves against the rising threat of ransomware?
No organization is truly safe from ransomware attacks, be it a large enterprise or a startup. Since the ransomware ecosystem operates like a business, the best strategy would be to make the cost of perpetrating an attack too expensive for threat actors. Establishing deterrence requires excellent cyber hygiene. Organizations can adopt the following measures to fortify themselves against the threat of ransomware:
- Use multifactor authentication and strong passwords for all accounts within your organization.
- Continuously audit permissions for user accounts within your organization.
- Identify and patch vulnerable assets in your network regularly.
- Review and strengthen Remote Desktop Protocol.
- Strengthen Active Directory security by continuously monitoring AD, detecting misconfigurations and common AD attack paths.
- Regularly perform scheduled updates for encrypted, offline backups.
- Use appropriate antivirus and anti-malware software to identify malware on the network.
- Train employees about common attack vectors and the importance of cybersecurity.
- Plan for attacks, and establish incident response plans by creating tabletop exercises.
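An offline backup is only useful if it can be shown to be intact before it is relied on, since ransomware that reaches a backup volume will encrypt or delete files there too. The script below is an added example, not from the interview or from Tenable, showing one way to make that check mechanical: build a SHA-256 manifest of a backup tree when the backup is written, keep the manifest with the offline copy, and later compare the tree against it. The demo function constructs a small backup tree in a temporary directory, simulates tampering (one file overwritten, one deleted, one unexpected file added) and reports the differences; directory layout and file names are constructed for the example.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def _sha256_of(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative, POSIX-style path) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): _sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(root, manifest):
    """Compare the tree under root with a manifest produced by build_manifest.

    Returns the three discrepancy classes a ransomware event typically leaves:
    files whose content changed, files that vanished, and files that appeared.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def save_manifest(manifest, path):
    # Store the manifest with the offline copy, not on the backed-up host,
    # so an intruder cannot rewrite it alongside the files.
    Path(path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path):
    return json.loads(Path(path).read_text())


def demo():
    """Constructed scenario: snapshot a backup tree, tamper with it, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "backup"
        files = {
            "db/customers.csv": b"id,name\n1,alice\n2,bob\n",
            "config/app.yaml": b"listen: 0.0.0.0:8443\n",
            "docs/runbook.md": b"# Restore procedure\n",
        }
        for rel, data in files.items():
            dest = root / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            dest.write_bytes(data)

        manifest_path = Path(tmp) / "manifest.json"
        save_manifest(build_manifest(root), manifest_path)

        # Simulated tampering of the kind an intruder on the backup host could do.
        (root / "db/customers.csv").write_bytes(os.urandom(64))   # content replaced
        (root / "config/app.yaml").unlink()                          # file removed
        (root / "README_RESTORE.txt").write_bytes(b"constructed note")  # file added

        return verify_backup(root, load_manifest(manifest_path))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest answers a narrower question than "is the backup good": it detects that files changed after the manifest was taken, which is exactly the condition an air-gapped copy should never exhibit. Restoring a sample of files and reading them back remains the only proof that the backup is actually usable.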