Unlearning the RaaS Model: How Ransomware Attacks Are Evolving
Ransomware attacks have increased in recent years and have become the most notorious cyber threat. According to a recent survey of 1,200 cybersecurity professionals, more than half of all respondents (57 percent) have experienced a data breach (mostly as a result of a ransomware attack) in the past 12 months, a six-point increase from the previous year, when the same question was asked.
This increase underscores the changing tactics of cybercriminals, who are using models such as Ransomware-as-a-Service (RaaS) and “double extortion” techniques to steal data and hold organizations hostage in exchange for payments.
The RaaS approach was briefly modeled on the Software-as-a-Service (SaaS) model, in which users (in this case, cybercriminals) paid for access to ransomware or other malware kits to launch attacks. However, this version of RaaS is no longer relevant.
Since 2016, the RaaS model has been based on a profit-sharing scheme inspired by the gig economy. It is no longer about enabling less technically skilled individuals to participate in cybercrime, but about replacing generalists with cybercrime specialists. Think Uber, Airbnb and others: the model includes self-employment, income variability, online platforms, tax payments and flexibility. These characteristics also apply to the RaaS model.
Technical Solutions Director at Bitdefender.
RaaS Partners: The Real Threat to Business
In the newer RaaS model, we see two different types of personas: operators and affiliates. Operators are the developers who specialize in creating and maintaining ransomware code and infrastructure that are then packaged into RaaS kits and sold (or rented) to other cybercriminals, known as RaaS affiliates. Affiliates, who may not have the technical expertise to develop their own malware, use these kits to launch attacks on organizations, making it much easier to take advantage of the core benefits of ransomware: a quick payout and ROI.
Think of affiliates as independent contractors who possess expertise in other areas of cybercrime, such as social engineering, breaching systems, and evading detection using a variety of hacking tools and techniques. Their goal is to compromise the organization and, once inside, gather information, move laterally, extract data, and ultimately deploy the ransomware. At the end of a successful operation, the operators and affiliates share the profits. Affiliates don’t waste time and resources building their own ransomware. Instead, they focus their efforts on the most lucrative part of the scheme: executing attacks and collecting ransoms. This streamlined approach allows them to target a wider range of victims and potentially rake in more profits.
Spotlight on Ransomware Trends in 2024 and Beyond
We have identified a number of trends that highlight the most significant changes in ransomware tactics and emphasize the urgent need for advanced cybersecurity measures.
Data exfiltration combined with encryption has become a key tactic for ransomware groups to double-extort their victims. In addition to encrypting data and demanding payment for its release, cybercriminals steal sensitive information to blackmail victims. This method pressures organizations to pay to prevent the public release of sensitive data, including customer information, intellectual property, and financial data. Often, they skip the data encryption step altogether, as data theft alone draws far less attention from law enforcement than shutting down a company’s operations.
The manual hacking phase is the core of today’s ransomware operations, so it requires more attention than the actual data encryption, which serves as the final payload. While the hacking phase can take days, weeks, or even months, the encryption process only takes a few hours. Therefore, most of the effort is put into hacking rather than encryption.
A worrying trend involves attackers exploiting vulnerabilities in internet-facing edge devices and applications. They are shifting their focus from targeting specific companies to known weaknesses in popular platforms, allowing them to move much faster and quickly gain access to hundreds or even thousands of victims. For example, the Log4j vulnerability (2021) took about a month to exploit after it was discovered. Today, attackers are exploiting new vulnerabilities in popular platforms within 24 hours.
Supply chain expansion is another key trend that will continue through 2024 and beyond. Compromised contractors, vendors, or other companies within a network can serve as entry points for attackers, leading to the initial compromise of larger organizations. This expansion of attack vectors highlights the interconnectedness of modern business operations and the need for comprehensive supply chain security.
Cybercriminals are constantly developing new tactics, and the lines between consumer and corporate security are blurring due to the hybrid work model, which exposes organizations to more risk. Businesses can, however, take steps to prevent ransomware threats.
The primary goal is to strengthen defenses against manual hacking operations. This is achieved by establishing robust security operations, either internally or through managed detection and response (MDR) services. These operations include continuous monitoring via security teams and tools such as endpoint detection and response (EDR) or extended detection and response (XDR), complemented by ongoing security enhancements. The empowerment of employees to flag and report suspicious activity, combined with MDR services that provide expert cybersecurity, 24/7 monitoring, advanced detection and response capabilities, and proactive threat hunting, significantly strengthens the security posture, making it much more difficult for attackers to succeed through manual hacking.
From a technology perspective, companies should also focus on a layered approach to security that spans endpoints, networks, key applications like email, and cloud environments – the entire footprint. It’s important to remember that no single solution will prevent a successful ransomware attack, but the more barriers and opportunities there are to detect and remove a threat, especially in the early stages, the better.
This article was produced as part of TechRadarPro’s Expert Insights channel, where we showcase the best and brightest minds in the technology sector today. The views expressed here are those of the author and do not necessarily represent those of TechRadarPro or Future plc.