As security risks have grown more sophisticated over time, so have the methods of ransomware deployment. The multi-faceted approach being employed now by many bad actors makes tracking and defense much more difficult.
The concept of “ransomware as a service” (RaaS) has taken ransomware mainstream. Ransomware developers, also called RaaS operators, take on the work of developing and maintaining ransomware tools and infrastructure.
They package their tools and services into RaaS kits that they sell to other hackers, called RaaS affiliates or proxies. The ready-made ransomware kits have made it possible for even individuals with limited technical skills to carry out attacks with devastating consequences.
Most operators use a variety of different revenue models to sell their kits, says cyber advisory and solutions firm Optiv:
- Monthly subscription: RaaS affiliates/proxies pay a recurring fee — sometimes as little as $40 per month — for access to ransomware tools.
- One-time fee: Affiliates/proxies pay a one-time fee to purchase ransomware code outright.
- Affiliate models: Affiliates/proxies pay a monthly fee and share a small percentage of any ransom payments they receive with the operators.
- Profit sharing: The operators charge nothing up front but take a significant cut of every ransom the affiliate/proxy receives — often 30-40%.
RaaS operators and affiliates are often observed working across multiple groups. Initial access brokers are often used to purchase access into victim networks. These brokers could easily provide organizational access to more than one threat actor, intensifying the damaging results to the victim.
SecurityInfoWatch.com recently spoke with James Turgal, a former 22-year veteran of the FBI and Vice President of Cyber Risk, Strategy and Board Relations at Optiv, about the inner workings of RaaS and how organizations and corporations can defend against these threats.
SIW: How long has RaaS been on the radar with cybersecurity officials and law enforcement before it became a mainstream threat?
Ransomware has been around probably 20 or 30 years. There were many attacks that law enforcement was either thwarted or prosecuted, which forced ransomware to move into the criminal underworld.
RaaS involves multiple layers -- access brokers who compromise networks and maintain persistence. It's then handed off to an operator and coders who are developing the tools to do this. They hand it off again to another affiliate who launches the ransomware payload and then possibly another person who does the exfiltration.
The criminal groups have moved to this affiliate model because law enforcement has been able to track them back. Sometimes the actual access brokers have no idea who the operators or affiliates are, or who is launching the malware. They don’t make as much money on the initial hit, but this gives them more anonymity and allows them to hit and attack a larger number of victims.
SIW: Why are so many companies becoming vulnerable to this practice?
Turgal: Let’s take Black Cat as an example. Black Cat is a type of ransomware used by the ransomware affiliates, but it’s written in Rust, which is a new, unconventional programming language. Many entities on the defensive side haven’t seen this type of programming. The RaaS guys are smart and well-funded, especially the nation-state proxies, and they are evolving at an alarming rate -- much faster than our defensive capabilities are evolving.
Sometimes the whole RaaS process can take weeks or months, so an operation center doesn’t necessarily see this massive spike of activity. The criminals know what SOCs and other tools out there do. There’s also the concept of “living off the land” where they get initial access, brokers get into the system and hand it off to the guys that move laterally. It’s their exploratory time.
These are hands-on keyboard attacks. Threat actors are literally behind the keyboard making decisions about what to launch or not launch based upon what they find in your ecosystem. It’s done in real time, as opposed to 10 years ago when some threat actor would get into a system and just launch self-exploratory code. That's machine-based decision making. RaaS is human-based decision making.
SIW: You’ve advocated for increased training for companies to help reduce vulnerabilities. What does training look like for a threat like this?
Turgal: With RaaS, if that threat is coming at you in different ways, there has to be an initial access broker. You've got to take your defense down to its initial parts and make sure your actual configurations are what they need to be. This is difficult for very large organizations. But if you look at the numbers, bad actors are going after small- to medium-size organizations and corporations because they know some of them don't have IR teams and are relying on third parties.
You must start at the basics and secure the access piece, as well as use multifactor authentication and make sure there is good password hygiene. I know that sounds stupid, but that’s exactly how they're getting in, through stolen credentials. Stolen credentials is the number one area in which these initial access brokers are getting in. Phishing is certainly another one, but phishing leads to credential theft.
JAMES TURGAL
The other problem is that most small- to medium-sized corporations focus on protecting themselves via backups. They will spend money for something that’s less labor intensive, so they don’t have to employ as many IT or cybersecurity staff. That’s a terrible way to approach this because threat actors know that. During their exploratory stage they’re launching tools inside the organization ecosystem to explore and identify every database, what's running on that and where the data is going. That's why you see them locking down backups.
SIW: How do we improve defensive capabilities, and what are the tenets of an incident response plan that security teams must implement?
Turgal: I’m a big proponent of preparing for the worst. There are basic protections through blocking and tackling, strong passwords, and understanding who has privileged access to your system and limiting the number of people with access and patching.
I’ve asked corporate boards what their patching strategy and your average days to patch, and you'd be surprised what the answers are. If you take the top 25 known vulnerabilities out there that CISA lists on its website, they’re still being attacked to this day and we've known them for 15 years.
You must also think about incident response differently. Assume you’re being attacked and practice your response. Have an incident response plan and understand what’s in it. How would you react during this type of attack?
The IT and cyber staff should practice how they would go about decoupling certain systems from their ecosystem to limit the damage, and then know what system comes back up first, then second and so forth.
If you’re able to afford it and understand it, have containerized backups that are offline and off property, whether it’s cloud-based or not.
SIW: What do you see happening in the cyber insurance market? How is it evolving with the threats?
Turgal: Seven or eight years ago, cyber insurance was relatively new. It was mostly for the larger corporations, but the insurance companies that were offering it didn't have the people inside to understand what needed to be done by an actual insurer to make sure they could function. They had to have a certain level of higher cyber hygiene, a configuration package, a patch management strategy and multifactor authentication.
This has changed in the last five years. Now you get a questionnaire from a cyber insurance provider with 300 or 400 questions based on frameworks. If you can't answer those, then you're either not going to get insured or your premiums are going to be very high, commensurate with your lack of cyber hygiene. The cyber insurance market has really evolved to the point where they now understand what the threat actors are after and what companies should be doing to protect themselves.
