Ransomware is not a new threat for businesses. It is one of the most commonly discussed cyber security issues facing companies today, and with good reason: it is very profitable for cyber criminals, and the barrier to entry keeps getting lower. Because of the ability to make money fast, many online criminals have grown curious about how to get in on the action but did not know where to start.
As any entrepreneur would tell you, where there is a business problem there is a creative entrepreneur developing a solution. Enter Ransomware-as-a-Service (RaaS).
“Ransomware will continue to both dominate headlines and cause havoc in 2020. The complexity of the attacks and the packaging of Ransomware-as-a-Service will continue to increase, while organizations grapple with both prevention and implementing practices to respond appropriately. Responses by organizations will be split between those who recover from backups, and those with more limited options who opt to pay the ransom.”—Danny Allan, Vice President of Product Strategy, Veeam (Source: Forbes)
Ransomware-as-a-Service is similar in ways to the Software-as-a-Service (SaaS) model in that users pay a subscription fee for use of the platform (think above board SaaS products like Salesforce, Dropbox, DocuSign, Zendesk, Adobe).
RaaS’s subscription-based malicious model enables rookie cybercriminals to launch ransomware attacks without having to know how to code. RaaS gives non-technical cybercriminals the ability to create their own ransomware with ease. RaaS users can set the ransom amount, payment terms, deadlines and other features.
Once ready, the cybercriminal can focus on having the right person in a company take the wrong action.
How does the RaaS game work?
The object of the game is to successfully launch a ransomware attack on a small-to-medium sized business, hold sensitive and critical information hostage and get paid.
The game is won when the victim pays the ransom.
Within this game we have four players.
- Cybercriminal #1 – role is to write the ransomware code
- Cybercriminal #2 – role is to distribute (sell/rent) the ransomware code
- Cybercriminal #3 – role is to choose a ransomware code and launch an attack (there can be hundreds of Cybercriminal #3 players in this game for every Cybercriminal #1)
- Company employees – role is to defend their company’s survival
Cybercriminal #1 and #2 can be the same player, and for the sake of this scenario it is easier to treat them as one player, now known as the Chief Cybercriminal.
The Chief Cybercriminal is like a franchisor. Beyond writing and selling the ransomware code, they also provide cybercriminal #3 with technical know-how and step-by-step information on how to launch a ransomware attack. Once the attack is successful and the game is won (meaning the victim paid the ransom), the collected money is split between the Chief Cybercriminal (coder and service provider) and cybercriminal #3 (the attacker).
As with other Software-as-a-Service platforms, many cybercriminal #3s can use the platform at the same time; this is the real difference in this game, and one of the key factors behind the continued exponential growth in ransomware attacks on small and medium sized businesses.
Those proficient at wielding the ransomware attack weaponry can now focus on their craft of phishing and exploit kits, allowing the Chief Cybercriminals to focus on their craft of coding. Specialization is another factor increasing the success rate and number of ransomware attacks.
What weapons does Cybercriminal #3 (the attacker) deploy?
The cybercriminal is a real person sitting behind an actual computer somewhere in the world. Because this person is a specialist, they have the time to study and research before deploying their attack. Consider a salesperson prospecting a future client. This individual may check out the company’s website, look at LinkedIn profiles of key employees, and read articles and posts from employees and about the company, really building an understanding of who they are building a relationship with. The cybercriminal’s early approach in this game may look quite similar.
If cybercriminal #3 deploys a highly targeted strategic approach, they will most likely leverage a phishing strategy. With these attacks they will write enticing (both written and visual) emails to employees with the purpose of gaining important information to support the attack, or of getting the employee to activate the malware on their computer.
If cybercriminal #3 deploys a spray-and-pray approach, they will invest some of their future game winnings in an exploit kit. An exploit kit is designed to automatically and silently exploit vulnerabilities on the victim’s machines while the victim is browsing the web.
The most effective cybercriminal #3s will deploy a mix of both strategies simultaneously.
The future of Ransomware-as-a-Service
“In 2020, we will see, at minimum, a 300% increase in RYUK-related ransomware attacks, and most of those attacks will be focused on U.S. small businesses. Ransoms on small businesses will jump to $150,000 to $300,000 per event on the low end, causing a spike in U.S. small business bankruptcies and closures. About 2 out of every 10 small businesses attacked will have no choice but to halt operations for financial reasons. Another reason we'll see a spike in attacks on small U.S. businesses is the sheer volume of these businesses running outdated Windows servers with known vulnerabilities.”—Zohar Pinhasi, CEO, MonsterCloud Cyber Security (Source: Forbes)
This vicious model is wildly profitable for the Chief Cybercriminal, so much so that advertisements for RaaS solutions are appearing on the dark web.
Any business owner can see why this model is growing in popularity. Instead of one person having to be the product developer, builder and lead salesperson, this model allows for specialization and leads to economies of scale.
The code writer, the ransomware platform provider and the attacker can each focus on what they do best. And once a product is built and available on the platform, there can be hundreds of attackers using the product instead of only the original writer of the code.
What should businesses do?
There have been countless articles suggesting tactics and strategies to reduce the risk of cybercrime to a company’s operations. We wrote this one on protecting your company assets and this one on understanding and recognizing phishing scams. Will implementing all of this end the threat for good? No.
Here is the pain point and reality: malicious coders, some of the best in the world, are spending their time writing attack commands specifically designed to exploit vulnerabilities in the very best company IT plans.
Training staff is critical and investing intelligently in IT will drastically reduce risk, but there is almost no way to eliminate the risk without rendering your business operation ineffective (you could give up email, digital file storage, computers and smartphones, but that would probably end your business operation too).
Cyber insurance is a risk transfer tool designed to complement your IT strategy. It is in no way intended to replace investing in IT and security, employee awareness training or any other risk mitigation strategy.
Except for very specific circumstances, cyber insurance should be a standalone policy and it should be purchased through an insurance brokerage that specializes in cyber insurance wordings and coverage.
I invite you to have a conversation with us on cyber insurance. By knowing the price of insurance, what cyber insurance covers and how it works compared to other insurance solutions (for example, you get access to a breach coach as soon as a breach occurs), companies can make an informed decision.