By John Davis, UK & Ireland Director, SANS Institute
We can now subscribe to any number of convenient services with the click of a button – from movies to music, dog food to diet supplements. Not to miss an opportunity for easy cash, criminals are also turning to the subscription economy to sell their technical know-how. Ransomware as a Service (RaaS) now grants access to ransomware toolkits, presenting sophisticated attacks for purchase by amateur hackers.
Ransomware is now the most significant online threat facing the UK. Tactics have evolved from simple phishing campaigns to increasingly professional operations using the latest ‘toolkit.’ Ransomware as a Service (RaaS) now offers hackers a slice of the ransomware pie through fully baked subscription models marketed on the dark web, designed to appeal to a range of criminal clients.
With different levels, RaaS clients may purchase a single attack or sign up for the rough equivalent of a retainer relationship, paying a monthly cryptocurrency fee for advice and assistance – even around-the-clock support for attacks and negotiations with a victim. The client may also share a portion of any payment extracted from a victim with the RaaS provider.
RaaS providers wising up to detection methods
As this model gains traction, more and more ransomware attacks are being carried out using the RaaS model, making it harder to track down assailants. However, attribution is possible. For example, clues such as snippets of malicious code may help authorities trace an attack back to a perpetrator known to be running a RaaS operation. Attackers, when caught, may give up relevant details. From the victims’ perspective, ransomware crimes appear the same, whatever the underlying organisational structure behind them might be.
RaaS providers are wising up to these breadcrumbs and prefer keeping the client at arm’s length to avoid detection and prosecution. Indeed, it can be harder to prosecute RaaS than conventional ransomware attacks because there are more moving parts, and they may move in several jurisdictions governed by competing laws and authorities. The advent of RaaS and ransomware, generally, have increased the impetus to harmonise regulations and foster law enforcement cooperation in this area.
What Infrastructure as a Service (IaaS) and RaaS providers do have in common is that the latter increasingly are conducting business with the former – taking advantage of the economics of cloud-based computing and storage the same way their victims do. The participation of most IaaS companies is usually unintentional, and the desire to maintain their clients’ data security – and their own reputations for safety – makes legitimate IaaS providers a formidable ally in the war against ransomware and RaaS providers.
Just as in legal and commercial undertakings, ransomware skills are continually honed, and standards are elevated through competition. As RaaS providers raise their game, the stakes for potential targets are also raised. The threats they face will be more acute, at least until cybersecurity professionals and law enforcement raise their game and improve their methods for combating threats.
Securing strong foundations of defence
Despite numerous high-level warnings about the escalating ransomware threat, many organisations are taking a dangerously reactive approach to security. However, taking a proactive stance on cyber protection should now be considered a foundation of any organisation – large and small. The Center for Internet Security has shared 18 common-sense Critical Security Controls to defend against attacks, including those sourced through RaaS, and to mitigate damage should one occur. There is much overlap among the 18, allowing them to be grouped into four broad measures:
- Take inventory of your electronic assets. You can’t protect what you don’t know you have. Take stock of all fixed, portable, or mobile devices that can connect to your technology platforms physically or remotely. This will allow you to spot unauthorised or unmonitored devices and remove them or make them secure. Do the same with software assets, including operating systems, programs, and apps. Review credentials and permissions for each employee, and limit access – via your organisation’s and your employees’ personal devices, on-premises and remote – to files, folders, apps, programs, and external websites to those that are appropriate for their duties and no others.
- Monitor access points. Your infrastructure is most at risk of a breach at the points where it meets the outside world. Enhance malware detection and defence techniques, focusing particularly on these points and the means through which a breach is most likely to occur, such as web links and emails. This, plus a rigorous permissions regime, could prevent a considerable expenditure of time and money if Dave from accounting decides to click on the wrong Pornhub banner ad when he is supposed to be processing invoices.
- Anticipate vulnerabilities and respond to threats. Vulnerabilities can be limited but never eliminated, so you should prepare for the worst to ensure the impact is not as bad as it might be. Use industry resources to stay aware of the latest threats and ensure that your operating system and other software are updated, and patches applied when available. The most significant vulnerability is reusable passwords. Most financial services now require Multi-factor Authentication (such as text messages sent to the user’s registered mobile phone number) for login. Using this simple form of MFA stymies over 99% of all phishing attacks.
- Make the most of your human assets. Some vulnerabilities within an organisation may walk on two legs and draw a paycheck, like Dave from accounting. If properly trained and prepared, however, your employees can be an additional factor to aid in thwarting attackers. Their understanding of and reaction to ransomware attacks and other threats should be evaluated and sharpened through the development of security awareness programs that work to change user behaviour when presented with a bogus email or web page. There should be simulations of threat scenarios to put these procedures and your employees’ preparations – and those of senior management and security officials – to the test.
- Invest in your security team’s skills and tools. There is a lot of press hype about a “cybersecurity staffing shortfall,” but successful security organisations have found that there is more of a skills gap than a headcount shortfall. By upskilling security analysts in critical areas such as cloud security, purple teaming, and machine learning, you get a double benefit: the need for additional staff is reduced, and surveys show that security staff who get regular training are less likely to jump to another company for a salary increase, so expensive attrition is reduced.
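The first measure above (inventory your assets, then review and limit permissions) is the one most easily turned into a repeatable check. The script below is an added illustration, not code from SANS or the author: it reconciles a constructed list of devices seen on the network against an approved asset register, flags devices that are unapproved or approved-but-unmanaged, and then compares each account's granted entitlements against what its role should have. All device, user, role and application names are made up for the example.

```python
"""Reconcile observed devices and granted permissions against an approved baseline.

Added example (not from the original article). All data below is constructed:
an approved asset register, a device list as it might be exported from DHCP or
ARP scans, a role-to-entitlement map, and the entitlements actually granted.
"""

# Approved asset register keyed by MAC address (constructed sample).
# "managed" means the device is enrolled in endpoint management and monitored.
APPROVED_ASSETS = {
    "aa:bb:cc:00:00:01": {"name": "finance-ws-01", "managed": True},
    "aa:bb:cc:00:00:02": {"name": "hr-laptop-07", "managed": True},
    "aa:bb:cc:00:00:03": {"name": "meeting-room-tv", "managed": False},
}

# Devices observed on the network (constructed sample; MAC case varies, as
# real exports often do).
DISCOVERED_DEVICES = [
    {"mac": "AA:BB:CC:00:00:01", "ip": "10.0.1.10", "hostname": "finance-ws-01"},
    {"mac": "aa:bb:cc:00:00:03", "ip": "10.0.1.44", "hostname": "meeting-room-tv"},
    {"mac": "de:ad:be:ef:00:99", "ip": "10.0.1.200", "hostname": "android-3f2a"},
]

# What each role is entitled to (constructed sample).
ROLE_ENTITLEMENTS = {
    "accounts-payable": {"invoices-app", "erp-read"},
    "hr": {"hris", "payroll"},
}

# What each account has actually been granted (constructed sample).
ACCOUNTS = [
    {"user": "dave", "role": "accounts-payable",
     "granted": {"invoices-app", "erp-read", "erp-admin", "hris"}},
    {"user": "priya", "role": "hr", "granted": {"hris", "payroll"}},
    {"user": "contractor01", "role": "unknown-role", "granted": {"invoices-app"}},
]


def normalise_mac(mac):
    """Lower-case the MAC so register and scan entries compare equal."""
    return mac.strip().lower()


def find_unapproved_devices(discovered, approved):
    """Devices on the network that are absent from the approved register."""
    return [d for d in discovered if normalise_mac(d["mac"]) not in approved]


def find_unmanaged_devices(discovered, approved):
    """Approved devices that are present on the network but not monitored."""
    present = {normalise_mac(d["mac"]) for d in discovered}
    return sorted(
        mac for mac, info in approved.items()
        if mac in present and not info["managed"]
    )


def find_excess_permissions(accounts, entitlements):
    """Map user -> sorted list of grants beyond what the user's role allows.

    An unknown role is treated as entitled to nothing, so every grant on such
    an account is reported; that is the safe default for a least-privilege review.
    """
    excess = {}
    for account in accounts:
        allowed = entitlements.get(account["role"], set())
        extra = set(account["granted"]) - allowed
        if extra:
            excess[account["user"]] = sorted(extra)
    return excess


def build_report(discovered=DISCOVERED_DEVICES, approved=APPROVED_ASSETS,
                 accounts=ACCOUNTS, entitlements=ROLE_ENTITLEMENTS):
    """Combine the three checks into one findings dictionary."""
    return {
        "unapproved_devices": [d["mac"].lower() for d in
                               find_unapproved_devices(discovered, approved)],
        "unmanaged_devices": find_unmanaged_devices(discovered, approved),
        "excess_permissions": find_excess_permissions(accounts, entitlements),
    }


if __name__ == "__main__":
    for section, findings in build_report().items():
        print(f"{section}: {findings}")
```

Run as a scheduled job against real exports, the three findings become work items: remove or enrol the unapproved device, enrol the unmanaged one, and strip the excess grants. Treating an unknown role as entitled to nothing is deliberate; it surfaces orphaned or mis-filed accounts instead of silently passing them.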
Support to stay one step ahead
Organisations grapple with numerous business-critical issues, from soaring energy prices to talent gaps and supply chain risks. Amid these challenges, criminals are keen to exploit any gaps in defences. Where eyes are turned away from cyber resilience, a data breach is increasingly just a matter of time. Taking proactive steps, with the support of experts who can keep you one step ahead of criminal innovations, will give your organisation the proactive resilience it needs to unseat subscription-style cyber attacks.