TechRadar
Martin Zugec

Unlearning the RaaS Model: How ransomware attacks are evolving

In recent years, ransomware attacks have surged, becoming the most notorious cyber threat. According to a recent survey of 1,200 cybersecurity professionals, more than half of all respondents (57 percent) experienced a data breach or data leak in the last 12 months (many as a result of a ransomware attack), a six percent increase from the previous year when asked the same question.

This rise underscores the evolving tactics of cybercriminals who employ models such as Ransomware-as-a-Service (RaaS) and ‘double extortion’ techniques to steal data and hold organizations hostage for payment.

For a brief period, the RaaS approach was borrowed from the Software-as-a-Service (SaaS) model: users, in this case cybercriminals, paid for access to ransomware or other malware kits in order to launch attacks. That version of RaaS is no longer relevant.

Since 2016, the RaaS model has been based on a profit-sharing scheme inspired by the gig economy. It is no longer about enabling less technically skilled individuals to take part in cybercrime, but about replacing generalists with cybercrime specialists. Think of Uber, Airbnb and others: the model involves independent contractors, income variability, online platforms, tax-based payments, and flexibility. These attributes apply to the RaaS model as well.

RaaS Affiliates: The Real Threat to Businesses

In the newer RaaS model, we see two different types of personas: operators and affiliates. The operators are the developers who specialize in creating and maintaining ransomware code and infrastructure, which are then packaged into RaaS kits and sold (or rented) to other cybercriminals, known as RaaS affiliates. Affiliates, who may not possess the technical expertise to develop their own malware, leverage these kits to launch attacks against organizations, making it much easier to capitalize on the main benefits of ransomware: a quick payout and return on investment.

Think of affiliates as independent contractors who possess expertise in other areas of cybercrime such as social engineering, breaching systems, and evading detection using a myriad of hacking tools and techniques. Their goal is to compromise the organization, and once inside – gain intel, move laterally, extract data, and finally deploy the ransomware. At the end of a successful operation the operators and affiliates split the profits. Affiliates don't waste time and resources building their own ransomware. Instead, they focus efforts on the most lucrative part of the scheme: launching attacks and collecting ransoms. This streamlined approach allows them to target a wider range of victims and potentially rake in more profits.

We have identified several trends that highlight the most significant changes in ransomware tactics and emphasize the pressing need for advanced cybersecurity measures.

Data exfiltration coupled with encryption has become a key tactic for ransomware groups to double extort their victims. In addition to encrypting data and demanding payment for its release, cybercriminals steal sensitive information to blackmail victims. This method pressures organizations to pay up to prevent the public release of confidential data, which can include customer information, intellectual property, and financial records. Many times, they will even skip the data encryption step altogether, since stealing data draws far less law enforcement attention than shutting down a business’s operations.

The manual hacking phase is at the core of current ransomware operations, so it demands more consideration than the actual data encryption, which serves only as the final payload. While the hacking stage can span days, weeks, or even months, the encryption process takes only a few hours. Thus, most of the attackers' effort is invested in hacking rather than encryption.

A concerning trend involves attackers exploiting vulnerabilities in internet-accessible edge devices and applications. They are shifting focus from targeting specific companies to exploiting known weaknesses in popular platforms, which lets them act much faster and gain access to hundreds or even thousands of victims quickly. For instance, the Log4j flaw (2021) took about a month to weaponize after its discovery. Today, attackers exploit new vulnerabilities in popular platforms within 24 hours.

Supply chain expansion is another key trend that will continue throughout the course of 2024 and beyond. Compromised contractors, vendors, or other businesses within a network can serve as entry points for attackers, leading to the initial compromise of larger organizations. This expansion of attack vectors highlights the interconnectedness of modern business operations and the need for comprehensive supply chain security.

Cybercriminals are constantly developing new tactics, and the hybrid work model continues to blur the line between consumer and business security, exposing organizations to increasing risk. Even so, there are steps businesses can take to help prevent ransomware threats.

The primary goal is to bolster defenses against manual hacking operations. This is achieved by establishing robust security operations, either in-house or via managed detection and response (MDR) services. These operations involve continuous monitoring by security teams and tools such as endpoint detection and response (EDR) or extended detection and response (XDR), complemented by ongoing security enhancements. Empowering employees to spot and report suspicious activity, coupled with MDR services that provide expert cybersecurity, round-the-clock monitoring, advanced detection, response capabilities, and proactive threat hunting, significantly strengthens the security posture and makes it much harder for attackers to succeed through manual hacking.
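The practical consequence of the point made earlier, that the hacking phase spans days or weeks while encryption takes only hours, is that a security operations team should correlate the early stages of an intrusion (discovery, credential access, lateral movement, exfiltration) and raise an alert before the final payload runs. The following is an added example written for this article, not code from the author or from any EDR vendor. It assumes a hypothetical EDR that has already classified its events into the coarse categories used here; the telemetry lines are constructed sample data.

```python
from __future__ import annotations

import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry in a hypothetical EDR export format (one JSON
# object per line). The categories are assumed to be assigned by the EDR.
SAMPLE_EVENTS = """
{"ts": "2024-03-01T08:02:00", "host": "ws-17", "category": "discovery", "detail": "domain group enumeration"}
{"ts": "2024-03-01T09:40:00", "host": "ws-17", "category": "credential_access", "detail": "credential dump attempt"}
{"ts": "2024-03-02T22:15:00", "host": "ws-17", "category": "lateral_movement", "detail": "remote service created on fs-01"}
{"ts": "2024-03-03T01:10:00", "host": "fs-01", "category": "exfiltration", "detail": "3.2 GB sent to unknown external IP"}
{"ts": "2024-03-04T03:00:00", "host": "fs-01", "category": "encryption", "detail": "mass file rename with new extension"}
{"ts": "2024-03-01T10:00:00", "host": "ws-22", "category": "discovery", "detail": "local admin group query"}
"""

# Stages of the manual hacking phase that precede the ransomware payload.
PRE_ENCRYPTION_STAGES = ("discovery", "credential_access", "lateral_movement", "exfiltration")


def parse_events(text: str) -> list[dict]:
    """Parse the line-delimited JSON export into events sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def correlate(events: list[dict], window: timedelta = timedelta(days=7),
              min_stages: int = 2) -> dict[str, tuple[datetime, tuple[str, ...]]]:
    """Return {host: (alert_time, stages)} for every host on which at least
    `min_stages` distinct pre-encryption stages were observed within `window`.

    A single discovery event is common background noise; two or more distinct
    stages on one host inside the window is the signal worth escalating.
    """
    seen: dict[str, dict[str, datetime]] = defaultdict(dict)  # host -> {stage: first seen}
    alerts: dict[str, tuple[datetime, tuple[str, ...]]] = {}
    for ev in events:
        stage = ev["category"]
        if stage not in PRE_ENCRYPTION_STAGES:
            continue  # the encryption event itself is too late to be useful here
        host = ev["host"]
        stages = seen[host]
        # Forget stages that fell outside the correlation window.
        for s, first in list(stages.items()):
            if ev["ts"] - first > window:
                del stages[s]
        stages.setdefault(stage, ev["ts"])
        if host not in alerts and len(stages) >= min_stages:
            alerts[host] = (ev["ts"], tuple(sorted(stages)))
    return alerts


def lead_time_hours(events: list[dict], alerts: dict) -> float | None:
    """Hours between the earliest alert and the first encryption event, i.e. the
    response window defenders would have had. None if either side is missing."""
    encryption_times = [e["ts"] for e in events if e["category"] == "encryption"]
    if not encryption_times or not alerts:
        return None
    first_alert = min(t for t, _ in alerts.values())
    return round((min(encryption_times) - first_alert).total_seconds() / 3600, 1)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    found = correlate(evs)
    for host, (when, stages) in found.items():
        print(f"ALERT {host} at {when.isoformat()}: stages {', '.join(stages)}")
    print(f"lead time before encryption: {lead_time_hours(evs, found)} h")
```

In the constructed data the alert on ws-17 fires when the second stage appears, roughly two and a half days before the encryption event on fs-01; ws-22 (a lone discovery event) and fs-01 (exfiltration only, until the payload runs) stay below the threshold. Tuning `window` and `min_stages` is the trade-off between catching slow intrusions and drowning analysts in single-stage noise.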

From a technology perspective, businesses should also adopt a multi-layered approach to security that covers endpoints, networks, key applications such as email, and cloud environments: the entire footprint. It is important to remember that no single solution will prevent a successful ransomware attack, but the more barriers in place, and the more opportunities to detect and remove a threat, especially in its early stages, the better.

This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro