RaaS, double extortion driving ransomware attacks, pushing up industrial cybercrime

Tenable says that the advent of ransomware-as-a-service (RaaS) is one of the main reasons ransomware has advanced from a fledgling threat into a force to be reckoned with. The service model has significantly lowered the barrier to entry, commoditizing ransomware so that cybercriminals who lack the technical skills to build it can still deploy it.

In its latest research titled ‘The Ransomware Ecosystem,’ Tenable discloses that “RaaS is a service model, just like Software‑as‑a‑Service, where instead of providing access to legitimate software applications, ransomware groups provide the malicious software (ransomware) and infrastructure necessary to facilitate ransomware attacks while relying on third parties, known as affiliates, to do the actual dirty work of gaining initial access into an organization before deploying the ransomware.”

The research also flagged that ransomware has become a self‑sustaining industry. “Previously, attacks were perpetrated by the same ransomware groups that developed and propagated the malware, but the advent of RaaS has attracted multiple players. Each has a vital role, making up what we refer to as the ransomware ecosystem. Outside of the ransomware groups, the other key players include affiliates and initial access brokers (IABs),” it added.

Tenable evaluates that RaaS was just the beginning, as ransomware’s current dominance is directly linked to the emergence of a technique known as ‘double extortion.’

Since double extortion was introduced, most ransomware groups have incorporated it into their attacks, hosting their leak websites on the dark web, Tenable said. “While there have been some efforts to curtail ransomware attacks over the years, such as law enforcement actions to arrest ransomware operators and government sanctions against cryptocurrency exchanges, ransomware activity is unabated,” the report added.

“With RaaS and double extortion, Pandora’s box has been opened, and attackers are finding holes in our current defences and profiting from them,” Satnam Narang, senior staff research engineer at Tenable, said in a media statement. “Globally we see governments confirming that ransomware attacks are a growing concern — from the Australian Cyber Security Centre, the UK’s Information Commissioner’s Office, the US’ FBI Cyber Division, and the Bundesamt für Sicherheit in der Informationstechnik (BSI) in Germany, to name a few.”

According to Narang, as long as the ransomware ecosystem continues to thrive, so will the attacks against organizations and governments. “It’s imperative that these entities prepare themselves in advance, so they are in the best position possible to defend against and respond to ransomware attacks. While ransomware groups get the most notoriety and attention for attacks, these groups come and go. In spite of the turnover, affiliates and IABs remain prominent fixtures in this space, and more attention should be given to these two groups in the ecosystem at large,” he added.

The ransomware ecosystem comprises three distinct groups of criminals – IABs, affiliates, and ransomware groups.

IABs are a specialized group of cybercriminals responsible for gaining access to organizations through various means. The category includes individuals and groups dedicated to this craft. Instead of directly using this access, IABs maintain persistence within the networks of victim organizations and sell that access to other individuals or groups within the cybercrime ecosystem. Their fees are very affordable, and vary with the type of organization they’ve compromised and the type of access on offer.

Tenable said that for ransomware affiliates, IABs provide an invaluable service, the cost of which can easily be recouped with ransom payments from victims. Affiliates leverage IABs to help expedite their efforts to infect organizations. Additionally, for IABs, the emergence of RaaS has propelled their services to new heights.

Affiliates compromise organizations by purchasing access through IABs, using common attack vectors such as spearphishing (with malware), brute-forcing Remote Desktop Protocol (RDP) systems, exploiting unpatched or zero‑day vulnerabilities, and purchasing stolen credentials from the dark web, Tenable said. “When a cybercriminal becomes an affiliate for certain ransomware groups, they are often given a playbook of instructions on how they will play their part. These playbooks also include a variety of recommendations on how to breach organizations,” it added.

Tenable said that ransomware groups consist of various members responsible for developing and testing the ransomware itself, creating and hosting leak websites on the dark web, and managing the negotiation process with each victim. The report also covers other tasks, including reverse engineering, administrative work, and even human resources or recruitment. Ransomware groups get the most notoriety and attention for attacks because RaaS is the ‘product’ being marketed and sold in this equation.

RaaS offers an added benefit for affiliates, enabling them to operate independently of any one ransomware group, opening up the opportunity for them to work with multiple groups concurrently. In addition, the autonomy provides stability for affiliates: if one ransomware group disappears into the sunset or is dismantled through law enforcement action, there are others to take its place.

Tenable also charted a shift away from traditional ransomware attacks, which focused on encrypting files within a network to serve as the incentive for organizations to pay up. This method of extortion was very successful. “However, as organizations began to rely on restoring ransomed files from backups, ransomware groups needed another mechanism to extort their victims. This is where double extortion emerged, becoming the catalyst for the extreme profits being earned by ransomware groups,” it added.

The ransomware ecosystem remains vast and constantly in flux as ransomware groups come and go, and affiliates move toward supporting other groups. Despite the turnover, affiliates and IABs remain prominent fixtures in this space. Ultimately, the ransomware ecosystem’s success and survival are made possible through the cooperation of all of these disparate parts.

Organizations are not entirely helpless. Law enforcement and government actions have provided a level of deterrence. For instance, the response by the U.S. to the Colonial Pipeline and JBS attacks put added pressure on several ransomware groups to turn their efforts away from such industries. While that may not deter all ransomware groups, it certainly has led to several groups advising potential affiliates that certain industries are off-limits.

For ransomware affiliates, the way into an organization largely follows the path of least resistance. There are several common attack vectors used to breach an organization’s defenses, including spearphishing, RDP, exploitation of vulnerabilities, purchasing access from IABs, third-party compromises, and recruiting insiders within companies and governments.

Tenable also notes that Active Directory plays a pivotal role in ransomware attacks. Initial access is how ransomware groups and affiliates get into an organization’s network. Once inside, they often set their sights on Active Directory, as gaining domain privileges gives attackers the capabilities needed to distribute their ransomware payloads across the entire network.

Besides vulnerabilities, ransomware attackers also rely on tools and techniques in their pursuit of domain privileges, including AdFind, BloodHound, Kerberoasting, and NTDS dumping, the research added.
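As an added illustration of how defenders can watch for one of these techniques, the script below (example code written for this article, not Tenable’s) scans Windows Security event ID 4769 records for the Kerberoasting pattern: RC4-HMAC (TicketEncryptionType 0x17) service-ticket requests for several distinct user-account SPNs, all from one requesting account within a short window. The event lines, the five-minute window and the threshold of three distinct services are constructed assumptions to be tuned per environment.

```python
"""Spot likely Kerberoasting in Windows Security event ID 4769 records.

Added example for a defender: Kerberoasting requests service tickets for
user-account SPNs, typically asking for RC4-HMAC (TicketEncryptionType 0x17)
so the ticket can be cracked offline. One account pulling RC4 tickets for
several distinct services within a few minutes is a strong signal. The event
lines below are constructed samples in a simplified JSON-lines shape, not
real telemetry; the thresholds are assumptions to tune per environment.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"                       # ticket encryption type worth flagging
WINDOW = timedelta(minutes=5)           # assumed sliding window
DISTINCT_SERVICE_THRESHOLD = 3          # assumed: >= 3 distinct SPN accounts

# Constructed sample events. Field names mirror the 4769 event XML:
# TargetUserName = requesting account, ServiceName = account owning the SPN.
SAMPLE_EVENTS = """
{"EventID": 4769, "TimeCreated": "2024-05-01T09:00:01", "TargetUserName": "alice@CORP.EXAMPLE", "ServiceName": "WS01$", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.5", "Status": "0x0"}
{"EventID": 4769, "TimeCreated": "2024-05-01T09:00:07", "TargetUserName": "alice@CORP.EXAMPLE", "ServiceName": "krbtgt", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.5", "Status": "0x0"}
{"EventID": 4769, "TimeCreated": "2024-05-01T09:01:10", "TargetUserName": "jdoe@CORP.EXAMPLE", "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.42", "Status": "0x0"}
{"EventID": 4769, "TimeCreated": "2024-05-01T09:01:11", "TargetUserName": "jdoe@CORP.EXAMPLE", "ServiceName": "svc_web", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.42", "Status": "0x0"}
{"EventID": 4769, "TimeCreated": "2024-05-01T09:01:12", "TargetUserName": "jdoe@CORP.EXAMPLE", "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.42", "Status": "0x0"}
{"EventID": 4769, "TimeCreated": "2024-05-01T09:01:13", "TargetUserName": "jdoe@CORP.EXAMPLE", "ServiceName": "svc_ftp", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.42", "Status": "0x0"}
{"EventID": 4769, "TimeCreated": "2024-05-01T09:30:00", "TargetUserName": "bob@CORP.EXAMPLE", "ServiceName": "svc_legacy", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.9", "Status": "0x0"}
{"EventID": 4768, "TimeCreated": "2024-05-01T09:31:00", "TargetUserName": "bob@CORP.EXAMPLE", "ServiceName": "krbtgt", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.9", "Status": "0x0"}
"""


def parse_events(text):
    """Parse JSON lines into dicts, converting TimeCreated to a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["TimeCreated"] = datetime.fromisoformat(ev["TimeCreated"])
        events.append(ev)
    return events


def is_roast_candidate(ev):
    """A successful 4769 for a user-account SPN that used RC4-HMAC."""
    service = ev.get("ServiceName", "")
    return (
        ev.get("EventID") == 4769
        and ev.get("Status") == "0x0"
        and ev.get("TicketEncryptionType", "").lower() == RC4_HMAC
        and not service.endswith("$")          # computer accounts: noise
        and service.lower() != "krbtgt"        # TGT renewals: noise
    )


def detect_kerberoasting(events, window=WINDOW, threshold=DISTINCT_SERVICE_THRESHOLD):
    """Return one alert per account that requested RC4 tickets for at least
    `threshold` distinct SPN accounts inside any `window`-long interval."""
    by_account = defaultdict(list)
    for ev in events:
        if is_roast_candidate(ev):
            by_account[ev["TargetUserName"]].append(ev)

    alerts = []
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["TimeCreated"])
        for i, first in enumerate(evs):
            # events are sorted, so everything within `window` of `first` is contiguous
            in_window = [e for e in evs[i:] if e["TimeCreated"] - first["TimeCreated"] <= window]
            services = sorted({e["ServiceName"] for e in in_window})
            if len(services) >= threshold:
                alerts.append({
                    "account": account,
                    "source_ip": first["IpAddress"],
                    "services": services,
                    "first_seen": first["TimeCreated"].isoformat(),
                    "last_seen": in_window[-1]["TimeCreated"].isoformat(),
                })
                break   # one alert per account is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_kerberoasting(parse_events(SAMPLE_EVENTS)):
        print(f"ALERT: {alert['account']} from {alert['source_ip']} requested RC4 "
              f"tickets for {', '.join(alert['services'])} between "
              f"{alert['first_seen']} and {alert['last_seen']}")
```

On the constructed sample, only `jdoe@CORP.EXAMPLE` trips the rule; `bob@CORP.EXAMPLE` makes a single RC4 request, which stays below the threshold but is still worth a lower-severity note in a domain that has otherwise moved to AES. Computer-account SPNs and `krbtgt` are excluded because they produce the bulk of benign 4769 volume.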

Tenable said that when considering how profitable the ransomware ecosystem is, there will always be an incentive for the players to persist and amplify their activities. While there is no panacea for ransomware attacks, many of the most common ways ransomware groups and affiliates target organizations are known.

Tenable suggests that organizations can mount the best defense against ransomware attacks by using multifactor authentication for all accounts within the organization, requiring the use of strong passwords for accounts, continuously auditing permissions for user accounts within the organization, and identifying and patching vulnerable assets in the network in a timely fashion.

Organizations must also review and harden RDP, strengthen Active Directory security by addressing misconfigurations and detecting common AD attack paths, and establish and regularly perform scheduled updates for encrypted, offline backups.
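To turn those recommendations into something checkable, the audit below (an added example written for this article, not Tenable’s tooling) evaluates a constructed inventory of accounts, hosts and backups against each point: MFA on every account, strong passwords, regular permission review of privileged accounts, timely patching, hardened RDP, and fresh encrypted offline backups. The inventory, the as-of date and every numeric threshold are assumptions to be replaced with local policy.

```python
"""Audit a constructed inventory against the ransomware hardening checklist.

Added example, not from Tenable's report: each rule maps to one recommendation
(MFA on every account, strong passwords, regular permission review, timely
patching, hardened RDP, fresh encrypted offline backups). The inventory, the
as-of date and every threshold are constructed assumptions to tune locally.
"""
from datetime import date

MIN_PASSWORD_LENGTH = 14        # assumed policy floor
PERMISSION_REVIEW_DAYS = 90     # assumed: privileged accounts re-reviewed quarterly
PATCH_SLA_DAYS = 30             # assumed: critical vulnerabilities closed within 30 days
BACKUP_MAX_AGE_DAYS = 7         # assumed: offline backup at least weekly
AS_OF = date(2024, 5, 1)        # constructed "today" so the sample run is reproducible

# Constructed sample inventory (hosts and accounts are fictitious).
INVENTORY = {
    "accounts": [
        {"name": "alice", "privileged": True, "mfa": True, "pw_len": 20, "perm_reviewed": "2024-04-20"},
        {"name": "svc_backup", "privileged": True, "mfa": False, "pw_len": 10, "perm_reviewed": "2023-11-02"},
        {"name": "bob", "privileged": False, "mfa": False, "pw_len": 16, "perm_reviewed": "2024-03-01"},
    ],
    "assets": [
        {"host": "dc01", "critical_vuln_open_since": None, "rdp_enabled": True, "rdp_internet_exposed": False, "rdp_nla": True},
        {"host": "jump01", "critical_vuln_open_since": "2024-03-15", "rdp_enabled": True, "rdp_internet_exposed": True, "rdp_nla": False},
        {"host": "hmi02", "critical_vuln_open_since": "2024-04-25", "rdp_enabled": False, "rdp_internet_exposed": False, "rdp_nla": False},
    ],
    "backups": [
        {"name": "fileserver", "last_offline": "2024-04-29", "encrypted": True},
        {"name": "historian", "last_offline": "2024-04-01", "encrypted": False},
    ],
}


def _age_days(iso_day, today):
    """Whole days between an ISO date string and `today`."""
    return (today - date.fromisoformat(iso_day)).days


def audit(inventory, today=AS_OF):
    """Return a list of (rule, subject, detail) findings; an empty list means clean."""
    findings = []
    for acct in inventory["accounts"]:
        if not acct["mfa"]:
            findings.append(("mfa", acct["name"], "MFA not enforced"))
        if acct["pw_len"] < MIN_PASSWORD_LENGTH:
            findings.append(("password", acct["name"],
                             f"password length {acct['pw_len']} below {MIN_PASSWORD_LENGTH}"))
        if acct["privileged"] and _age_days(acct["perm_reviewed"], today) > PERMISSION_REVIEW_DAYS:
            findings.append(("permissions", acct["name"],
                             "privileged account permissions not reviewed within policy window"))
    for asset in inventory["assets"]:
        opened = asset["critical_vuln_open_since"]
        if opened and _age_days(opened, today) > PATCH_SLA_DAYS:
            findings.append(("patching", asset["host"],
                             f"critical vulnerability open for {_age_days(opened, today)} days"))
        if asset["rdp_enabled"]:
            if asset["rdp_internet_exposed"]:
                findings.append(("rdp", asset["host"], "RDP reachable from the internet"))
            if not asset["rdp_nla"]:
                findings.append(("rdp", asset["host"], "Network Level Authentication disabled"))
    for bk in inventory["backups"]:
        if not bk["encrypted"]:
            findings.append(("backup", bk["name"], "offline backup not encrypted"))
        if _age_days(bk["last_offline"], today) > BACKUP_MAX_AGE_DAYS:
            findings.append(("backup", bk["name"],
                             f"last offline backup {_age_days(bk['last_offline'], today)} days ago"))
    return findings


if __name__ == "__main__":
    for rule, subject, detail in audit(INVENTORY):
        print(f"[{rule}] {subject}: {detail}")
```

Run against the sample, the audit reports nine findings; `alice` and `dc01` come back clean, while the unreviewed, MFA-less `svc_backup` account and the internet-exposed jump host without NLA are exactly the kind of weak points the attack vectors listed earlier (RDP brute force, stolen credentials, unpatched vulnerabilities) depend on.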
