Cybercriminals are leveraging an as-a-service delivery model to distribute malware. This approach helps attackers infiltrate local networks, encrypt data and extort money.
These attacks can be damaging for victims and lucrative for criminals. The perpetrators of ransomware target industries that hold sensitive data, such as the healthcare industry.
1. Cybercriminals have become more sophisticated
Cybercrime continues to evolve and become more common. These attacks are increasingly devastating for businesses and individuals, resulting in data loss, downtime, and significant financial losses.
Ransomware is a form of malware that locks a victim out of their own information or systems and demands a payment to regain access. This year, targeted ransomware attacks are gaining popularity among criminals.
Attackers target large companies, critical systems, and supply chains with the goal of extorting cash and stealing confidential data. The attackers are also using leaked NSA exploits to move laterally through the systems that they target.
By using legitimate remote access tools like TeamViewer to maintain persistence in a compromised environment, RaaS affiliates can retain their attack foothold and operate a broader series of campaigns on the victim’s network. This makes it difficult to protect yourself against targeted ransomware. Security must be approached holistically, taking into account all attack phases.
2. The Rise of Ransomware-as-a-Service (RaaS)
Cybercriminals who use ransomware-as-a-service programs can quickly and easily access compromised systems and deploy ransomware to them. Then, they can monetize that access by demanding payment from victims. The ransom payments can be anywhere from a few hundred to several million dollars depending on the potential profit and availability of systems or data.
Attackers can monetize access to valuable data by stealing or exfiltrating it, and also by double extortion. Double extortion involves demanding payment to unlock the data and then threatening to leak the data if the victim does not pay again. The attackers also target industries with higher payouts, as they are more willing to pay for access to systems and data.
In a gig economy model, attackers are offered a percentage of the ransom payments they generate. RaaS providers are encouraged to create more efficient malware in order to maximize their shared profits. RaaS programs are dynamic, so affiliates may switch to a different payload when the program they were using is shut down. Unit 42, for example, has noticed that DEV-0504, a ransomware attacker who primarily used DarkSide until 2021 when it was shut down, is now using the Conti RaaS.
3. The Rise of Ransomware-as-a-Service (RaaS) in the Cloud
The ransomware-as-a-service (RaaS) model has made it easier for attackers to deploy malware and gain access to compromised networks. RaaS companies sell pre-installed ransomware programs that are easy to use. The providers offer different revenue models. For example, they can charge a flat-rate monthly fee or take a portion of the profits from an attack.
Attackers usually deploy ransomware opportunistically to any network that they gain access to. However, certain attackers choose to target industries like healthcare or government organizations because they can obtain higher payouts and valuable data from them.
Prior to RaaS, criminals who wanted to launch ransomware attacks had to be proficient in programming to access and create the code. RaaS has opened these attacks to criminals who lack coding proficiency and have more time to devote to other cybercrime activities. To prepare your organization, it is important to monitor the threat environment and be aware that different attacker groups exist. Unit 42, for example, has observed a RaaS group using Cobalt Strike and LockBit 2.0 to compromise targets.
4. The Rise of Ransomware-as-a-Service (RaaS) on the Dark Web
Cybercriminals can buy ransomware-as-a-service (RaaS) kits on the dark web that include code, tools to automate attacks and a variety of attack configurations. RaaS packages can also include technical support and features like bundled offers, discounts for large volumes, or community forums. These are all similar to the ones found on business portals. Microsoft revealed that the attackers behind the 2021 Colonial Pipeline attack were actually an affiliate who used a DarkSide payload as part of the RaaS kit known as DEV-0401.
Some RaaS operators also sell malware other than ransomware, such as loaders, botnets and infostealers. These modules are used to steal information, breach networks and extort firms with a data-recovery fee. In some cases, the primary attackers will partner with RaaS affiliates to attack targets in exchange for a portion of any extorted money. This democratizes cyberattacks and makes it cheaper and easier for bad actors to enter the market without developing malware.