Ransomware-as-a-service is evolving: Here is what companies need to know

Like every other area of cybercrime, ransomware has evolved significantly since it made global headlines in 2016 and 2017 with the Petya and WannaCry attacks. No longer is ransomware characterised by largely opportunistic attacks against poorly secured computing systems. The ransomware model has advanced into highly organised crime and state-sponsored attacks to incorporate targeted intrusions that have proven extremely difficult to stop. Yet, as worrying as the headlines might sound, there are also new and effective ways for businesses to protect themselves in today’s threat landscape.

The world’s most dangerous cyberattackers, including those sponsored by nation states and large corporations, continue to evolve in line with the times. In no case is this better exemplified than with the rise of ransomware-as-a-service (RaaS). RaaS mimics the enormously popular software-as-a-service (SaaS) model used by many of the world’s technology providers, which is why it continues to be extremely successful.

With the RaaS model, ransomware developers recruit less talented cybercriminals over dark-web marketplaces to help expand their reach in return for a cut of the proceeds. These recruits, who typically have little or no knowledge of hacking themselves, rely on social engineering tactics to dupe unsuspecting victims into downloading the malware. Many of these scams are carried out via email, but any popular communications or business collaboration platform is a potential medium for spreading malware. In 2020, for example, a ransomware group targeted Microsoft Teams users with fake ads while millions of people were working from home during the pandemic. Earlier this year, WhatsApp also suffered a breach when malware was spread to user’s contacts, prompting them to “download an application to win a mobile phone”. 

Although spam filters and other standard enterprise security measures generally do a decent job of protecting businesses against mass ransomware campaigns, the same cannot be said of the more sophisticated ones. These attacks tend to involve targeted intrusions carried out by skilled hackers and scammers. In fact, RaaS has itself evolved from trying to get as many novice cybercriminals on board as possible to onboarding skilled attackers in the capacity of organised cybercrime syndicates.

In many ways, ransomware groups mimic the practices of legitimate organisations. They rely on readily available public information to learn more about their potential victims, just as businesses use the same information for targeted advertising. According to a recent report by the FBI, cybercriminals tend to step up their attacks during significant financial events, such as mergers and acquisitions or an IPO. After all, information like stock valuations, are readily available in the public domain.

After using publicly available information to determine which organisations to target, criminals will then focus on which individuals to target within those companies. Among the more obvious targets are corporate executives and other C-suite members, but the truth is that anyone is a potential target.

Before launching their attacks, smarter criminals study these targets using publicly available information on social media and other platforms. By building a comprehensive profile of their victims, they can better masquerade as a trusted individual, similarly to how legitimate companies use such information to strengthen customer relationships. Finally, they will launch their attacks via a platform the intended victim uses regularly while under the guise of someone they know – such as a friend or colleague.

Cybercriminals rely on targeted social engineering attacks to spread many forms of malware, but ransomware presents one of the most lucrative opportunities. However, they also realise that relying on encryption ransomware alone is not likely to result in a substantial profit now that most organisations have systems in place to counter such threats.

In their effort to stay ahead of their victims, ransomware developers are now shifting the focus to double-extortion. In a double-extortion attack, sensitive data is exfiltrated from the victim’s machine before it is encrypted. This allows threat actors to make the additional demand that their victims pay up in order to prevent their sensitive data from being published online. The first double-extortion ransomware attacks were carried out only in 2019, when the Maze gang launched its RaaS platform on the dark web.

In light of the rapidly growing trends of RaaS and double-extortion, organisations need to be especially vigilant in protecting their communications from unauthorised access. Some of the most dangerous attackers deliberately target popular business communication platforms in an effort to build trust. For example, a phishing message sent via Microsoft Teams is much less likely to come across as suspicious than a spam email from someone the target doesn’t even know. As such, businesses should adopt a zero trust approach to security whereby access is always verified, and all communications are encrypted.