July 19, 2024

When you have comprehensive security, the future is yours to build. Learn about the strategies and solutions to secure your vision from Microsoft Security experts.
Did you know that over 80% of ransomware attacks can be traced to common configuration errors in software and devices? This ease of access is one of many reasons why cybercriminals have become emboldened by the underground ransomware economy.
And yet, many threat actors are working within a limited pool of ransomware groups. Although ransomware is a headline-grabbing topic, it’s ultimately being driven forward by a relatively small and interconnected ecosystem of players. The specialization and consolidation of the cybercrime economy has fueled ransomware as a service (RaaS) to become a dominant business model — enabling a wider range of criminals to deploy ransomware regardless of their technical expertise. This, in turn, has forced all of us to become cybersecurity defenders.
When Microsoft is developing threat intelligence, we don’t just rely on open forum monitoring and ransomware claims to identify emerging cybercrime trends. We also observe end-to-end events as they occur. This has allowed us to identify patterns in cybercriminal activity and turn cybercrime into a preventable disruption to business. Once businesses can address the problems and network gaps that industrialized tools rely on to succeed, they can better strengthen their cybersecurity position. Here are some of our top tips.
Understanding how RaaS works
Before you can defend against ransomware, you must first know how it operates. Ransomware is not targeted. Instead, ransomware takes advantage of existing security compromises in order to gain access to internal networks. Cybercriminals have adopted a maximum-efficiency approach when it comes to ransomware. In the same way that businesses hire gig workers to cut down on costs, cybercriminals have turned to renting or selling their ransomware tools for a portion of the profits rather than performing the attacks themselves.
This flourishing RaaS economy allows cybercriminals to purchase access to ransomware payloads and data leakage as well as payment infrastructure. What we think of as ransomware “gangs” are in reality RaaS programs like Conti or REvil, used by the many different actors who switch between RaaS programs and payloads.
RaaS lowers the barrier to entry and obfuscates the identity of the attackers behind the ransoming. Some programs can have 50 or more “affiliates,” as they refer to the users of their service, with varying tools, tradecraft, and objectives. Anyone with a laptop and credit card who is willing to search the dark web for penetration testing tools or out-of-the-box malware can join this economy.
So, what does this mean for enterprises?
A new business model can offer fresh insight
This industrialization of cybercrime has created specialized roles in the RaaS economy, such as the access brokers who are responsible for selling access to networks. When companies experience a breach, there are often multiple cybercriminals involved at different stages of the intrusion. These threat actors can gain access by purchasing RaaS kits off the dark web, consisting of customer service support, bundled offers, user reviews, forums, and other features.
Cybercriminals can pay a set price for a RaaS kit while other groups selling RaaS under the affiliate model take a percentage of the profits.
Ransomware attacks are customized based on configurations of the target networks, even if the ransomware payload is the same. They can take the form of data exfiltrations, as well as other impacts and, because of the interconnected nature of the cybercriminal economy, seemingly unrelated intrusions can build upon each other. For example, infostealer malware steals passwords and cookies. These attacks are often treated with less severity, but cybercriminals can sell these passwords to enable other, more devastating attacks.
However, these attacks follow a common template. First, there is initial access via malware infection or exploitation of a vulnerability. Then, credential theft is used to elevate privileges and move laterally. This industrialization has allowed prolific and impactful ransomware attacks to be performed by attackers without sophistication or advanced skills.
Reporting on ransomware may seem like an endless scaling problem but in reality, there is a finite set of actors using the set of techniques.
Strategies for businesses to deploy
Now that we understand the mechanics behind RaaS, there are several preventative measures that companies can take.
Ultimately, ransomware has been made easier by threat actors’ industrialization of tools and ability to target organizations without needing highly-specialized skillsets. But by implementing foundational security best practices and monitoring their credentials, companies can make it that much harder to fall victim to a ransomware attack.
For more information on ransomware, check out the full Cyber Signals article and explore more threat intelligence insights on Microsoft Security Insider.
Copyright © 2022 IDG Communications, Inc.
Copyright © 2022 IDG Communications, Inc.


About Author