Devin Partida writes about cyber security and technology. She is also the Editor-in-Chief of ReHack.com.
Ransomware is one of the most significant threats facing organizations today. As cyber crime has risen in the past two years, these attacks have outpaced the rest in frequency and intensity. One of the most troubling aspects of this trend is the increase of ransomware-as-a-service (RaaS).
The ransomware-as-a-service model works like any software-as-a-service (SaaS) solution. Ransomware developers lease ready-made malware tools to buyers, letting virtually anyone perform a sophisticated attack, regardless of their technical expertise. This model makes ransomware more accessible to inexperienced cyber criminals, making the threat more relevant than ever.
RaaS is growing
Ransomware is a profitable undertaking if attacks are successful, so the accessibility of RaaS is an appealing prospect to cyber criminals. Unsurprisingly, this trend has accelerated quickly as more attackers realize this advantage. Almost two-thirds of ransomware attacks in 2020 used RaaS tools.
RaaS attacks have also grown in notoriety. Two key players in the RaaS space, REvil and DarkSide, were responsible for the JBS and Colonial Pipeline attacks, respectively. These were some of the most disruptive attacks in the past year, so the fact that they came from RaaS is concerning.
As cyber criminals see attacks like this and learn how much they can gain from ransomware, RaaS will grow further. Consequently, more attackers will have sophisticated, destructive tools, not just experienced, skilled or successful cyber criminals.
RaaS is threatening
As RaaS becomes increasingly popular, ransomware may become more threatening for some businesses than it was in the past. For the most part, previous attacks have targeted organizations that can afford to pay large ransoms. Now that ransomware is more accessible, that may not always be the case, endangering more businesses.
Smaller, less experienced and skilled cyber criminals may not be interested in big targets. To these attackers, small businesses could still represent a comparatively considerable payday. Now that these criminals have access to ransomware tools, they may target these companies that may not have previously been concerned about it.
Individual hackers are less likely to operate according to a creed or larger goal like hacking collectives. As such, now that these individual threat actors have the same resources as ransomware gangs, no target is off-limits. Hospitals, schools and any other organization with potentially valuable information may find themselves a victim of ransomware.
Businesses can defend against RaaS
While RaaS is a concerning trend, it’s not a hopeless one. Businesses can take several steps to minimize their vulnerability to these attacks. First, organizations like the FBI recommend never paying a ransom, so companies should embrace a policy of decrypting ransomware another way.
Controls like multifactor authentication and network segmentation will limit ransomware’s efficacy. Since most attacks start as phishing, organizations should train all employees to spot attempts and use strong passwords. Installing updates and patches as soon as they’re available will keep businesses safe from old vulnerabilities RaaS tools may target.
Automation is a critical safety step in monitoring and incident response, given the sophistication of some RaaS tools. Only another machine can spot and respond to them fast enough. Security teams don’t need to automate every process, but automated network monitoring and anti-malware measures will go a long way.
The rise of RaaS emphasizes the need for better security
Ransomware-as-a-service will likely only grow from here. As it does, ransomware tools will become more diverse, specialized and widespread, heightening the need for robust cyber security. Businesses in every industry of every size cannot afford to overlook this trend.
The rise of RaaS also comes as part of a larger wave of cyber crime. Companies can no longer rely on legacy tools, notions of security as a trivial aspect of business operations, and the IT team alone. Cyber security is everybody’s responsibility and can affect anyone, as RaaS emphasizes.
If you liked this content, be sure to sign up for the Cyber Talk newsletter, which provides premium expert insights delivered directly to your inbox each week. Subscribe here.