
The Rise of Ransomware-as-a-Service (RaaS)

In this whitepaper we offer a primer on examples of ransomware development, and its impact along the attack lifecycle. We focus on averting negative organizational outcomes, including business interruption, data loss, and business impact. We offer ways you can reduce risk on your own, and make a case for incorporating AI-enabled, intelligent MDR into your cybersecurity strategy. We provide additional resources to help you achieve your goals.

CONTRIBUTORS:

Adam Mansour, Certified Ethical Hacker & Head of Sales Engineering
Sean Hittel, Distinguished Security Engineer
Will Ehgoetz, Senior Threat Hunter

1 Introduction

For decades, ransomware attacks around the globe have grown in sophistication. As bad actors have reaped the profits of these crimes, they have grown more organized and competitive, operating in some ways like legitimate businesses, or “criminal enterprises”, offering a “service.” At the same time, they have also become more extortionate in their threats and demands to victims.

After surveying the cybersecurity landscape for 2021 and beyond, we believe there will be a further escalation of ransomware in the medium to long term. The factors leading to this prediction are as follows:

i. Ransomware has been challenging to deal with since it began, and there’s no sign of that changing. Ransomware is not a self-replicating virus, and a freshly built payload rarely matches an existing signature, so signature-based anti-virus frequently misses it. That means many preventive technologies remain ineffective in thwarting it. Ransomware remains profoundly disruptive and has proliferated precisely because it works: businesses will pay malicious actors to remove it and release the ransomed data.

ii. Changes to the distribution of ransomware and to the tactics used by ransomware actors have increased both its availability and potential for harm.

iii. Changes to ransomware technology itself are making it more potent. Ransomware is now potentially capable of being deployed in virtual, cloud, and containerized environments.

We call this the rise of “Ransomware-as-a-Service” (RaaS). The goal of this whitepaper is to offer a primer on some examples of ransomware development, and its impact along the attack lifecycle.

Our focus will be on helping you avert negative organizational outcomes, including business interruption, data loss, and business impact. We will offer some (at times, restrictive) ways you can reduce risk without machine-speed capabilities, and make a case for incorporating AI-enabled, intelligent MDR in your cybersecurity strategy.

2 | ActZero - The Rise of RaaS

2 A Brief History of Ransomware: A Timeline

Over the past decades, there have been significant milestones that helped shape the technology, tactics, and marketplace of ransomware, leading to the rise of the increasingly business-minded RaaS actors we describe in this paper. Some of these notable events are as follows:

1989 THE FIRST ATTACK:

Dr. Joseph L. Popp, an evolutionary biologist, released AIDS Trojan (also known as PC Cyborg) to 20,000 individuals and medical institutions via infected floppy disks disguised as legitimate AIDS education software. In reality, it was one of the earliest Trojans and the first known ransomware attack. AIDS Trojan encrypted file names on the C: drive, preventing users from accessing their files until they paid a “lease” to PC Cyborg Corp. in order to “renew” the so-called “software.” AIDS Trojan used symmetric encryption with the key embedded in the program itself, making it relatively easy to decrypt, and Popp relied on a PO box to receive the extorted payments. Though rudimentary, this set the stage for decades of increasingly refined attacks.

1992 ANONYMIZING PAYMENTS:

Sebastiaan von Solms and David Naccache published a paper titled “On Blind Signatures and Perfect Crimes.” They proposed how systems designed to “protect the identity and privacy of a user in electronic payment and service networks” might have prevented a kidnapper from being caught when he withdrew the ransom payment. Now, it’s common practice for criminals to demand payment in cryptocurrencies, especially Bitcoin.

1996 STRENGTHENING ENCRYPTION:

Inspired in part by the damage AIDS Trojan might have caused had it not relied on weak symmetric encryption, Adam L. Young and Moti Yung published a paper called “Cryptovirology: Extortion-Based Security Threats and Countermeasures.” In it, they predicted the “potential threats and attacks that rogue use of [public-key] cryptography can cause when combined with rogue software.” With public-key encryption, the key needed to decrypt never has to be present on the victim’s machine, which closes the recovery path that AIDS Trojan left open.

2005 EVOLUTION OF RANSOMWARE:

May 2005 saw the release of Trojan.Gpcoder, considered by some to be the “first modern ransomware.” One news article from the era described “the swiftness and thoroughness” of an attack demanding $200. Over the following years, the intricacy of such operations would only increase, along with the price tag for complying with demands.

2011 A CRIMINAL MARKETPLACE:

A dark web black market called Silk Road launched, becoming the most sophisticated and extensive criminal marketplace on the Internet at the time. All manner of illicit goods and services were obtainable on the Silk Road. It became a clearinghouse for malware of all kinds, including password stealers, keyloggers, remote access tools, and ransomware. For the first time, ransomware and its distribution became centralized and readily available to malicious actors lacking the programming abilities to design malware of their own.

2012 CUSTOMIZED ASSAULTS:

Reveton was unleashed in the EU; infected computers locked out users and displayed a fraudulent message purporting to be from law enforcement. These communications were tailored to the location of individual users, and demanded they pay fines for fictitious crimes. Users were often alleged to have downloaded pirated software or child pornography. Some variants even displayed footage from a victim’s webcam to convince them they were being surveilled by police.

This individualized approach was an early indicator of ransomware actors leveraging business tactics to further their illicit agendas. Also of note were the embarrassing (or worse) criminal accusations levied at victims, as this introduced a psychological element to ransom demands beyond the threat of denied access to files.

2013 END OF THE SILK ROAD:

U.S. authorities shut down Silk Road, motivating the rise of cell-based hacking groups suddenly lacking a centralized marketplace in which to operate. This fragmentation paved the way for such groups to essentially “freelance,” offering Ransomware-as-a-Service. In 2020, Forbes reported that advanced tools, “complete with free updates and technical support,” were readily available for lease on a variety of forums. The separation of ransomware creation from its infiltration and deployment now means a would-be cybercriminal doesn’t even “need to be a programmer to use these tools; they really are off-the-shelf packages.”

2015 PUNITIVE DOXING:

Chimera was distributed via targeted emails or malicious links in phishing campaigns, especially to small companies. More than simple ransomware, Chimera was an example of “doxware”: beyond locking a victim’s files, Chimera threatened to release (or “dox”) the files on the Internet if the ransom was not paid. This risk of data release was a marked escalation in the consequences of not meeting the demands of cybercriminals, and has since become common practice.

In a bizarre twist that incorporated both industrial espionage and pyramid schemes, the creators of a subsequent ransomware program publicly released the keys to Chimera, in an effort to sabotage their competition. Taking another cue from legitimate business, these rivals offered a profit-sharing affiliate deal for people who distributed their new malware.

2017 RANSOMWARE AS CYBERWARFARE:

NotPetya was used in a global cyberattack, primarily targeting Ukrainian banks, ministries, newspapers, and electricity firms. Other infections were reported in Germany, Poland, the United Kingdom, and Australia, among other countries. While masquerading as ransomware, NotPetya could also completely wipe or rewrite files in a way that couldn’t be undone through decryption. NotPetya is especially notable because of the involvement of state-level actors using ransomware as a tool of cyberwarfare. Security researchers, Google, and the U.S. and Canadian governments laid the blame for the NotPetya attacks at the feet of the Russian government, which allegedly operated through a hacking group of Russia’s military intelligence service, the GRU.

2018 FURTHER EVOLUTION:

Though first discovered in 2014, Emotet continues to be one of the most pervasive cybersecurity threats in the wild, and one that has evolved from a simple banking Trojan to a platform for distributing other kinds of malware. In 2018, a new variant of Emotet appeared that included the ability to install other malware on infected machines, such as the Ryuk ransomware, which came to prominence beginning in 2018. Massive outbreaks of Emotet in late 2019 and throughout 2020 led the U.S. Department of Homeland Security to classify Emotet as one of the most costly and destructive malware families active today, affecting governments, businesses, organizations, and individuals. Incidents cost bigger targets like state, local, tribal, and territorial (SLTT) governments up to $1 million to clean up.

2020 REAL THREATS FROM VIRTUAL ENVIRONMENTS:

With the rise of cloud computing and virtualization, it was only a matter of time before ransomware evolved to operate from within virtual machines, too. A recent example is the Ragnar Locker ransomware, whose operators employed a tactic called “living off the land” (LotL). With this technique, bad actors rely on tools already present and trusted in an environment rather than introducing foreign tooling, since a system’s own allowlisted toolkit won’t set off alarm bells. In the Ragnar Locker case, the operators used legitimate administration tools to install a full virtual machine on targeted devices and ran the ransomware inside it. Host-side security saw only a trusted virtualization process while the guest encrypted files reachable from the host, masking the intrusion until the ransom demands appeared.

2021 AND BEYOND:

The pace of malware innovation appears to be increasing, as attackers and security teams race to stay ahead of one another. Technological advances and the continued shift to a distributed workforce will further drive the need for modern security solutions.

With bad actors increasingly focused on the most lucrative targets, the future of ransomware could further turn toward attacks aimed at the cloud, virtual environments, and infrastructure-as-a-service (IaaS). For business-minded hackers, such targets would promise the most bang for their Bitcoin, as a successful assault against an enterprise-level IaaS provider would hold the most possible victims hostage with a single attack. Given the downtime costs and reputational damage a ransomware attack can have, hackers will see IaaS providers as likely to pay larger ransoms to regain access to their files and their clients’ files. We also expect to see a further increase in long-cycle attacks that leverage LotL tactics. (For more on this, see our 2021 predictions whitepaper.)

3 Following Ransomware Across the Attack Lifecycle

Traditional anti-virus protection often provides a false sense of security, despite being of little use against modern ransomware. The reality is that companies without proper detection software combined with human threat hunters may be compromised for weeks or months before a malicious actor breaks cover. Hackers are capable of testing their ransomware and other malware against all sorts of defenses before they deploy. The longer such intrusions go undetected, the more damaging they can prove, as adversaries move laterally through systems, gain deeper access, and entrench their positions.

Here, we’ll explore how ransomware plays across the attack lifecycle, highlighting in particular the places where the “as-a-service” component has changed (and continues to change) the landscape of ransomware attacks.

The lifecycle of ransomware can be broken down into six stages:

1 Reconnaissance and Targeting
2 Initial Compromise
3 Command and Control
4 Lateral Movement
5 Target Attainment
6 Exfiltration, Corruption, and Disruption

Reconnaissance and Targeting

The earliest incarnations of ransomware were pushed out in a “spray-and-pray” fashion. These were broadly targeted ransomware attacks that relied on automatically exploiting specific vulnerabilities wherever they were found. The problem for the attackers with that approach was that the victims who tended to be susceptible to those vulnerabilities tended not to be very profitable. What is Grandma going to pay to unlock her desktop, even if she wasn’t the paragon of backup management you hope your IT manager is?

Then, in an effort to maximize profitability, criminals shifted to more specific targeting of small to medium-sized businesses. Spear-phishing attacks aimed at specific employees gained hackers access to the most valuable assets and data in corporate systems. As ransomware tacticians evolved, they moved from automated payloads to “hands-on-keyboard” attacks, releasing payloads only after they had spread through the environment — ensuring maximum business disruption and a greater likelihood of getting paid.

The newer technique of leveraging “hypervisor-specific ransomware” blurs the lines between a targeting shift and a technological shift. By utilizing virtual environments, hackers can further obfuscate their efforts until the consequences of a breach will be truly devastating. We predict this shift will also occur with ransomware that specifically targets containers.

Initial Compromise

The ability of hackers to bypass prevention technology and perimeter defenses has been aided by a number of tactics and technologies. Traditional tactics include social engineering attacks, which simply trick humans into handing over access to an organization’s sensitive information. An example of a social engineering attack is the spear-phishing of credentials from specific individuals. As we discuss in our 2021 cybersecurity predictions whitepaper, the technology surrounding deep-fakes and other ploys is in a race against detection software. Additionally, the isolation caused by working remotely could also make it harder for employees to verify communications as legitimate.

Technical approaches include scripted tampering with anti-virus agents that not only disables them but hollows them out, so that they appear to administrators to be running when they have in fact been limited or otherwise compromised. Microsoft describes a criminal gang that “typically brute forces their way into servers that have Remote Desktop Protocol (RDP) exposed to the internet.” Another source reports that specialized network access sellers “typically develop an initial vulnerability and then sell their work in underground forums” to ransomware actors looking to speed up the infiltration process.
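The RDP brute forcing Microsoft describes above leaves a distinctive trail in the Windows Security log: a run of failed logons (event 4625) from one source address followed by a successful logon (event 4624) with logon type 10, the RemoteInteractive type RDP sessions use. The detection below is an added example for this whitepaper, not ActZero tooling and not code from the sources quoted. The event records, addresses and account names in it are constructed, and the threshold and window are arbitrary starting points to tune against your own baseline.

```python
"""Flag RDP brute forcing that ends in a successful logon.

Added example for this whitepaper (not ActZero tooling). It replays Windows
Security events 4625 (failed logon) and 4624 (successful logon) and alerts
when one source address fails at least THRESHOLD times inside a sliding
WINDOW and then logs on with LogonType 10 (RemoteInteractive, i.e. RDP).
All records below are constructed; the field names mirror what a SIEM
extracts from the Security log.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                  # failures from one source address ...
WINDOW = timedelta(minutes=2)  # ... inside this sliding window

# With Network Level Authentication enabled, failed RDP attempts are usually
# logged with LogonType 3 (network) rather than 10, so both count as failures.
FAILURE_LOGON_TYPES = {3, 10}
RDP_SUCCESS_LOGON_TYPE = 10

EVENTS = [  # constructed sample, roughly in time order
    # 203.0.113.9: five failures, but its success comes after the window has closed
    {"time": "2021-01-15T03:00:00", "id": 4625, "ip": "203.0.113.9", "user": "admin", "type": 3},
    {"time": "2021-01-15T03:00:10", "id": 4625, "ip": "203.0.113.9", "user": "admin", "type": 3},
    {"time": "2021-01-15T03:00:20", "id": 4625, "ip": "203.0.113.9", "user": "admin", "type": 3},
    {"time": "2021-01-15T03:00:30", "id": 4625, "ip": "203.0.113.9", "user": "admin", "type": 3},
    {"time": "2021-01-15T03:00:40", "id": 4625, "ip": "203.0.113.9", "user": "admin", "type": 3},
    {"time": "2021-01-15T03:05:00", "id": 4624, "ip": "203.0.113.9", "user": "admin", "type": 10},
    # 203.0.113.7: six failures in 43 seconds, then a successful RDP logon
    {"time": "2021-01-15T03:12:01", "id": 4625, "ip": "203.0.113.7", "user": "administrator", "type": 3},
    {"time": "2021-01-15T03:12:09", "id": 4625, "ip": "203.0.113.7", "user": "administrator", "type": 3},
    {"time": "2021-01-15T03:12:18", "id": 4625, "ip": "203.0.113.7", "user": "administrator", "type": 3},
    {"time": "2021-01-15T03:12:26", "id": 4625, "ip": "203.0.113.7", "user": "administrator", "type": 3},
    {"time": "2021-01-15T03:12:35", "id": 4625, "ip": "203.0.113.7", "user": "administrator", "type": 3},
    {"time": "2021-01-15T03:12:44", "id": 4625, "ip": "203.0.113.7", "user": "administrator", "type": 3},
    {"time": "2021-01-15T03:12:52", "id": 4624, "ip": "203.0.113.7", "user": "administrator", "type": 10},
    # 198.51.100.20: a user mistyping a password twice, then getting in
    {"time": "2021-01-15T03:20:00", "id": 4625, "ip": "198.51.100.20", "user": "jsmith", "type": 10},
    {"time": "2021-01-15T03:20:30", "id": 4625, "ip": "198.51.100.20", "user": "jsmith", "type": 10},
    {"time": "2021-01-15T03:21:00", "id": 4624, "ip": "198.51.100.20", "user": "jsmith", "type": 10},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def detect_rdp_bruteforce(events, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per source address that fails >= threshold times
    within the window and then completes an RDP logon."""
    recent_failures = defaultdict(deque)  # source ip -> timestamps of recent 4625s
    alerts = []
    for event in sorted(events, key=_ts):
        now = _ts(event)
        failures = recent_failures[event["ip"]]
        while failures and now - failures[0] > window:  # expire failures outside the window
            failures.popleft()
        if event["id"] == 4625 and event["type"] in FAILURE_LOGON_TYPES:
            failures.append(now)
        elif (event["id"] == 4624 and event["type"] == RDP_SUCCESS_LOGON_TYPE
              and len(failures) >= threshold):
            alerts.append({"ip": event["ip"], "user": event["user"],
                           "time": event["time"], "failures": len(failures)})
            failures.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(EVENTS):
        print(f"{alert['time']} {alert['ip']} logged on as {alert['user']} "
              f"after {alert['failures']} failures")
```

Password spraying spreads a handful of attempts across many accounts and source addresses, so a production rule should also group by account and count distinct sources. None of this substitutes for taking RDP off the Internet edge, putting it behind a VPN or gateway, and requiring multi-factor authentication on remote access.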

Command and Control

Trojans still play a role in facilitating persistence and preparing the spread in the next stage. The devious ways in which they may propagate — from items in the startup folder, to edits to the registry, to scheduled tasks — have enabled some truly long-cycle plots for hackers, which we’ll talk about more in later stages.

Lateral Movement

With the separation of ransomware creation from its infiltration and deployment, lateral movement might be the primary task of someone who’s purchased RaaS tools and/or initial access. Part of ensuring maximum disruption and leverage means releasing the ransomware all at once, on as many machines and critical pieces of infrastructure as possible. To do this, infiltrators must persist and spread undetected within an organization’s environment and across systems. RaaS means some bad actors are able to specialize in tactics such as these long-cycle attacks.

Target Attainment

Ransomware-as-a-Service enables hackers to focus on particular targets through specialization. These “consumers” of RaaS — the bad actors who no longer need to spend the time developing their own ransomware and are thus able to devote themselves to shouldering the risk inside a compromised system — can specify the target during the reconnaissance phase. They may encounter opportunistic new targets during the lateral movement phase.

Exfiltration, Corruption, and Disruption

With successful ransomware infections, one can expect exfiltration (unauthorized copy or transfer of data), corruption (encryption of files and databases), and disruption (attempts to suspend an organization’s activities). The victim’s assumption should be that data was exfiltrated. In recent years, however, it’s been disruption that’s received the most attention from victims and security companies alike.

Locking up critical assets can profoundly affect the operations of any organization. Ransomware attacks have become ubiquitous, targeting governments and businesses in both the public and private sectors.

The following are a few examples:

• In December 2019, New Orleans declared a state of emergency after its digital infrastructure was crippled by a ransomware attack. Other U.S. cities, including Pensacola, Fla.; St Lucie, Fla.; and Galt, Calif., were also attacked with ransomware the same month.

• In April 2020, IT services giant Cognizant acknowledged a ransomware attack in which its network had been infected with Maze ransomware, which exfiltrated data. The cost to remediate the damage done was estimated at $70 million.

• Magellan Health, a Fortune 500 company, announced a ransomware attack and data breach that saw 1.7 million files impacted, including the personal information of both internal and external customers.

A recent report revealed that the number of victimized organizations paying a ransom to attackers rose from 14% to 39% in 2019. By 2020, the average ransom sum paid had ballooned to over $178,000.

The FBI strongly discourages ransom payments to bad actors because there is no guarantee that once they are paid they will actually decrypt your files. They also warn compliance “encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity,” demonstrating it’s a lucrative business.

And a business it is. The knowledge that a specific hacker group won’t decrypt following payment could impact the group’s return, in terms of fewer ransoms paid. The top groups indeed have reputations that they guard closely — in late 2020, the Maze cartel actually announced it was “retiring” from ransomware. In a post, the group warned that any future use of the Maze “brand” or “work methods” should be considered a “scam.”

4 RaaS Helps Ransomware Spread

Several factors have helped RaaS become such a prevalent threat:

• The evolution of ransomware, in both technology and tactics.

• The disruption (and subsequent fragmentation) of the black market for ransomware. Increased competition has led to RaaS kits becoming available for as little as $50.

• The obfuscated communications channels for ransomware and the existence of geographies that are largely unassailable by international law enforcement. This can leave threat actors free to operate with impunity, while refining their specialized skill set and scaling their operations.

We’re also seeing business concepts from other industries making their way into ransomware, spurring a boom in the illegal industry as ransomware becomes more profitable and more diffuse.

BUSINESS CONCEPTS

• LAUNCH ANNOUNCEMENTS: Wired reports that the makers of a new ransomware program announced their entry into the market with a “press release.” It stated, “We created DarkSide because we didn’t find the perfect product for us.” This claim is so familiar from the announcements of legitimate products that it almost sounds hackneyed.

• ACCESS RESELLERS: Today, ransomware gangs can partner with “initial access brokers” — hackers who have already done the heavy lifting of gaining access to systems but who have yet to act on their access — and simply pay for entry points in the collections of compromised systems these initial access brokers have amassed. These brokers often specialize in one or another type of attack vector. The most popular are compromised RDP endpoints, hacked networking devices, and computers already infected with malware.

• AFFILIATE PROGRAMS: Taking a page from online retailing giants, malicious actors can now use affiliate programs in a bid to maximize revenue. The DarkSide gang, for example, issued a call looking for affiliate partners. Each prospective affiliate receives a version of code with their unique ID embedded within a crypto-locking malware, which they can then introduce to potential victim systems. The affiliate then shares a percentage of any ransom paid that is associated with their unique ID number.

• CONTACT SUPPORT: As if calling help desk services weren’t arduous enough, imagine reaching one run by your extortionist. Business Insider offers multiple stories of ransomware actors offering technical assistance to their victims, including a group with a support forum “only available to those who have paid the ransom.” Wired tells of a support line answered by a “chipper representative” offering discounts and troubleshooting. Hackers will offer walk-throughs of how to buy and transfer bitcoin to them, offer alternative payment methods, or provide free decryption of a single file to prove they possess the decryption key. For groups peddling RaaS, promising technical support to their prospective clientele is also common.

• CORPORATE RESPONSIBILITY PLEDGES: Of course, it’s important that one believes in the values of their criminal associates. After COVID became a pandemic, the Maze cartel “promised to not target hospitals and medical facilities.” And that press release from the makers of DarkSide pledged the new group would not count hospitals, schools, and nonprofits among potential targets.

It is tactics like these that have allowed the ransomware industry to scale and for RaaS to become a viable model for would-be extortionists. The positioning of ransomware as a purchasable service like any other has allowed those who lack the aptitude or resources to do the hacking themselves to have a turnkey solution for getting into the ransomware game. It also allows ransomware designers to profit from their creations without necessarily having to shoulder the risk of deploying them.

The separation of ransomware designers — those with the time, budget, and software development skills more interested in money than risk — from ransomware deployers — those willing to take the risk with limited up-front investment — has made RaaS a viable and growing industry. For those interested primarily in cash and not in the notoriety or recognition that comes from authoring a successful ransomware tool, or for organized crime rings that want to use the proceeds of ransoms to fund other criminal activities, RaaS is an attractive, low-cost option.

Consider, for example, the Cerber ransomware. Sold on the dark web, this RaaS offered an affiliate model, with the program’s authors getting 40% of the take from any successful ransomware attack made with the software. Despite this seemingly large cut, the RaaS appears to have been a popular choice for bad actors, as Cerber ended up spreading through over 200 countries.

5 Post-Disruption Changes

In many ways, modern RaaS has become truer to the word “ransom” in its name. Actors no longer merely hope that victims will value their access and data enough to pay for decryption — they now largely rely on outright extortion. Ransomware will hold you, your data, and your systems hostage. More than that, those operating the ransomware have the capability to hold your organization’s reputation hostage.

‘Subscription’ Models

As discussed above, business concepts from other industries have a way of making it into ransomware. Some hackers have attempted to push a subscription model on their victim, in which they must make recurring payments to avoid consequences.

There is a misconception that during a ransomware attack, data is merely encrypted. In fact, data is often copied and exfiltrated before the encryption begins. This ensures continued leverage over the business and compliance with the blackmailer’s demands, including recurring payments for access to your own data and systems.

Such subscription payments hint at an unpleasant truth about ransomware: there’s no guarantee that the hackers won’t hit a target again or make subsequent demands. There’s no proof bad actors will unlock systems or suddenly respect stolen data. This is part of the reason why law enforcement says never to pay. It’s difficult to determine whether systems were “only” encrypted, or whether sensitive information was also exfiltrated in that process. Paying a ransom might not be a simple one-and-done brush with malicious actors, but the beginning of an ongoing and unwanted relationship. This not only compromises an organization’s security posture and ability to conduct business, but presents serious, long-lasting danger to its reputation.

Public Shaming and Embarrassment

As consumers and shareholders grow more aware and concerned about cybersecurity and its impact on their lives — with some going so far as to call data privacy a human right — public disclosure of a security breach can have a lasting impact on your business. Sometimes, disclosure comes from malicious actors publicly shaming a company for refusing to pay a ransom. They can do this by releasing troves of stolen data on the dark web, which can be devastating to a business.

People may forgive a data breach you make them aware of. But, if the news their personal data has been compromised comes from a hacker and not you, your customers may feel that you failed to protect their data and that you betrayed them by attempting to cover up the hack. In one study, 87% of respondents said they would not do business with a company if they had concerns about its security practices. The implications for your business cannot be overstated.

Name-and-shame tactics were successfully employed by the Maze cartel before their “retirement.” When companies failed to meet ransom demands, Maze posted their names and stolen data on an infamous website. The ploy was quickly adopted by other criminals.

It is clear that ransomware attacks have serious compliance implications for affected companies, and breaches that occur during attacks have attendant mandatory disclosure protocols according to a number of industry, cybersecurity, and privacy compliance frameworks. Companies trying to meet Cybersecurity Maturity Model Certification (CMMC) requirements who were publicly declared in a name-and-shame campaign could find a material impact on their certification level. Such a breach could affect their eligibility to secure contracts with the U.S. Department of Defense or the defense industrial base sector.

Backups Are No Backup

What was once a solid element of cybersecurity hygiene — conducting frequent backups and being prepared with a disaster recovery strategy to recover from breaches — is no longer an adequate defense. Technological improvements to ransomware attacks can allow malicious programs to identify and eliminate or encrypt your backups, so hygiene alone is no magic bullet.

Trickbot is a good example of this kind of functionality. Trickbot, one of the most prolific malware distributors since its debut in 2016, has been used to drop the Ryuk ransomware into a compromised network. There, Ryuk spreads to as many endpoints and servers as possible, and specifically targets backups in addition to a company’s data: it deletes volume shadow copies and backup files it can reach, and encrypts the rest.
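Both the persistence mechanisms listed in the Command and Control section (Run keys, scheduled tasks, the Startup folder) and the backup destruction described here are carried out with legitimate Windows utilities, which is exactly the living-off-the-land problem: the binaries are allowlisted, so the signal is in the arguments. The triage below is an added example, not ActZero’s or any vendor’s rule set. It runs over constructed process-creation records of the kind Sysmon event 1 or Security event 4688 (with command-line auditing enabled) produce; the host names, parent images and the trusted backup agent are made up for the illustration.

```python
"""Triage of process command lines for ransomware precursors.

Added example (not ActZero's or any vendor's rule set). It scans constructed
process-creation records, as Sysmon event 1 or Security event 4688 with
command-line auditing would produce, for the backup-destruction and
persistence commands described in the whitepaper. Host names, images and
the trusted backup agent are made up for the illustration.
"""
import re
from collections import defaultdict

# (rule name, pattern matched against a lower-cased, de-quoted command line)
RULES = [
    ("shadow-copy-delete", re.compile(
        r"\bvssadmin(\.exe)?\s+delete\s+shadows\b|\bwmic(\.exe)?\s+shadowcopy\s+delete\b")),
    ("shadow-storage-resize", re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage\b")),
    ("backup-catalog-delete", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)\b")),
    ("recovery-disabled", re.compile(
        r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b")),
    ("scheduled-task-persistence", re.compile(r"\bschtasks(\.exe)?\s+/create\b")),
    ("run-key-persistence", re.compile(r"\breg(\.exe)?\s+add\b.*\\currentversion\\run(once)?\b")),
    ("startup-folder-persistence", re.compile(r"\\start menu\\programs\\startup\\")),
]
BACKUP_DESTRUCTION = {"shadow-copy-delete", "shadow-storage-resize",
                      "backup-catalog-delete", "recovery-disabled"}
TRUSTED_BACKUP_PARENTS = {"backup-agent.exe"}  # constructed; use your backup software's service image

SAMPLE_EVENTS = [  # constructed process-creation records
    {"host": "fs01", "parent": "explorer.exe", "image": "cmd.exe",
     "cmd": r'cmd.exe /c "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet'},
    {"host": "fs01", "parent": "cmd.exe", "image": "wmic.exe", "cmd": "wmic shadowcopy delete"},
    {"host": "fs01", "parent": "cmd.exe", "image": "bcdedit.exe",
     "cmd": "bcdedit /set {default} recoveryenabled No"},
    {"host": "fs01", "parent": "update.exe", "image": "schtasks.exe",
     "cmd": r'schtasks /create /sc minute /mo 5 /tn "Updater" /tr C:\Users\Public\update.exe'},
    {"host": "fs01", "parent": "update.exe", "image": "reg.exe",
     "cmd": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d C:\Users\Public\update.exe"},
    {"host": "fs02", "parent": "mmc.exe", "image": "vssadmin.exe", "cmd": "vssadmin list shadows"},
    {"host": "fs02", "parent": "backup-agent.exe", "image": "vssadmin.exe",
     "cmd": "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded"},
    {"host": "fs03", "parent": "explorer.exe", "image": "vssadmin.exe",
     "cmd": "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"},
]


def normalize(cmd):
    """Lower-case, strip quotes and collapse whitespace so patterns stay simple."""
    return " ".join(cmd.replace('"', "").lower().split())


def triage(events, trusted_backup_parents=TRUSTED_BACKUP_PARENTS):
    """Return one hit per (event, rule) match, with the backup-agent exception applied."""
    hits = []
    for ev in events:
        cmd = normalize(ev["cmd"])
        for rule, pattern in RULES:
            if not pattern.search(cmd):
                continue
            # Backup software legitimately resizes shadow storage; anyone else doing it is suspect.
            if rule == "shadow-storage-resize" and ev["parent"].lower() in trusted_backup_parents:
                continue
            hits.append({"host": ev["host"], "rule": rule, "image": ev["image"], "cmd": ev["cmd"]})
    return hits


def summarize(hits):
    """Per host: the rules seen and whether any backup-destruction rule fired."""
    by_host = defaultdict(set)
    for hit in hits:
        by_host[hit["host"]].add(hit["rule"])
    return {host: {"rules": sorted(rules), "backup_destruction": bool(rules & BACKUP_DESTRUCTION)}
            for host, rules in by_host.items()}


if __name__ == "__main__":
    for host, info in summarize(triage(SAMPLE_EVENTS)).items():
        flag = "BACKUP DESTRUCTION" if info["backup_destruction"] else ""
        print(host, info["rules"], flag)
```

The shadow-storage resize on fs03 is the case worth noting: ransomware often shrinks shadow storage to make Windows discard existing copies instead of issuing a delete, so a rule that only watches for “delete shadows” misses it, while a rule that fires on every resize drowns in backup-agent noise. The parent-process allowlist is the compromise, and any of the backup-destruction rules firing outside a maintenance window should be treated as an encryption-imminent signal rather than an informational one.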

6 Steps you can take

Though there is no stopping the development of ransomware or its RaaS distribution market, there are ways you can protect yourself and mitigate risk. Here are a few popular but insufficient defenses against ransomware:

• Outcome-based: this approach to cybersecurity emphasizes agreed-upon outcomes between client and provider for (usually) a flat-rate fee. This promises safety for the client while also providing cost certainty — but it is important to ensure such a package leaves you completely protected.

• Kernel level: a successful attack at the kernel level means a threat actor can fatally compromise an OS, so it can make sense to defend against these kinds of incursions. The problem is that PC vendors, including Microsoft, already expend vast resources to protect the kernel, so you’ll need to ask what more you might be able to add to their efforts.

• A security operations center: even the best SOC — one ingesting telemetry from various sources like endpoints, network appliances and access points, and security technologies like firewalls — still takes time to review an alert and take action. Because ransomware can now spread laterally through patient, long-cycle attacks that give an adversary deep access to a system, the payload can rapidly hit multiple targets at a speed even the best humans cannot match.

This is why machine-speed response, using automatic rules based on vast amounts of data in order to avoid false positives and disruptive responses, is becoming a necessity to effectively combat ransomware. Given the speed at which encryption happens, AI-enabled responses (or at least those that operate at machine speed) are fast becoming required to respond once a ransomware attack begins. And we’ve seen why preventive technologies are inadequate.

And as you consider how best to protect yourself, it’s worth noting some defensive tactics that no longer work. Geo-blocking, for example, no longer works the way you expect. Through the new RaaS paradigm, where hackers can access services to acquire already infected machines, and through the growing network of botnets and redirects that allow hackers to conceal where they’re operating from, the notion of blocking access to your network based on geography offers minimal protection. Additionally, the utility of signature-based tools isn’t what it once was. Ransomware developers don’t make viruses any more; they make virus makers. Every affiliate gets a freshly built payload that no existing signature matches, so signature detection is ineffectual against it.
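A build that no signature recognises still has to do what every ransomware does: rewrite many files with near-random content in a short time, which is the “corruption” phase of the lifecycle described earlier. The detector below keys on that behaviour rather than on the binary, and adds a planted canary file whose access is itself an alert. It is an added example for this section, not ActZero’s detection logic. The file events, paths, process names and thresholds are constructed for illustration, and the sample “ciphertext” is a deterministic SHA-256 chain standing in for real encrypted output.

```python
"""Behavioural detection of file encryption in progress.

Added example for this section (not ActZero detection logic). Per process,
it counts distinct files that receive near-random content inside a sliding
window, and treats any access to a planted canary file as an alert on its
own. File events, paths, process names and thresholds are constructed.
"""
import hashlib
import math
from collections import defaultdict, deque

ENTROPY_THRESHOLD = 7.5  # bits/byte; encrypted and compressed data sit near 8.0
FILE_THRESHOLD = 20      # distinct high-entropy files per process ...
WINDOW_SECONDS = 30.0    # ... within this many seconds
CANARY_PATH = "/srv/share/finance/~$decoy-budget.xlsx"  # constructed decoy; nothing legitimate opens it


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; 8.0 is indistinguishable from random."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


class EncryptionBurstDetector:
    def __init__(self, entropy_threshold=ENTROPY_THRESHOLD,
                 file_threshold=FILE_THRESHOLD, window=WINDOW_SECONDS):
        self.entropy_threshold = entropy_threshold
        self.file_threshold = file_threshold
        self.window = window
        self._hits = defaultdict(deque)  # pid -> deque of (time, path) high-entropy writes
        self._alerted = set()

    def observe(self, t, pid, image, op, path, data=b"", new_path=None):
        """Feed one file event (t in seconds); return the alerts it raises, usually none."""
        alerts = []
        if CANARY_PATH in (path, new_path):
            alerts.append(f"canary touched: {image} (pid {pid}) {op} {CANARY_PATH}")
        if op == "write" and shannon_entropy(data) >= self.entropy_threshold:
            hits = self._hits[pid]
            while hits and t - hits[0][0] > self.window:  # expire writes outside the window
                hits.popleft()
            hits.append((t, path))
            distinct = len({p for _, p in hits})
            if distinct >= self.file_threshold and pid not in self._alerted:
                self._alerted.add(pid)
                alerts.append(f"mass encryption: {image} (pid {pid}) wrote "
                              f"{distinct} high-entropy files within {self.window:.0f}s")
        return alerts


def _pseudo_random(n_blocks):
    """Deterministic stand-in for ciphertext: a SHA-256 chain, not os.urandom."""
    return b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(n_blocks))


CIPHERTEXT_LIKE = _pseudo_random(128)  # 4096 bytes, entropy close to 8.0
PLAINTEXT_LIKE = b"Quarterly budget notes, revision 3\n" * 120


def run_sample():
    """Replay a constructed event stream and return every alert raised."""
    det = EncryptionBurstDetector()
    alerts = []
    # Benign: a user saving documents from Word writes low-entropy text.
    for i in range(3):
        alerts += det.observe(10.0 + i, 1001, "WINWORD.EXE", "write",
                              f"/srv/share/finance/report{i}.docx", PLAINTEXT_LIKE)
    # Benign: a backup agent writes two compressed archives (high entropy, but few files).
    for i in range(2):
        alerts += det.observe(12.0 + i, 1002, "backup-agent", "write",
                              f"/srv/backup/daily{i}.gz", CIPHERTEXT_LIKE)
    # Malicious: one process rewrites 25 documents with ciphertext and renames each.
    for i in range(25):
        p = f"/srv/share/finance/invoice{i:03d}.pdf"
        alerts += det.observe(20.0 + i * 0.2, 4242, "update.exe", "write", p, CIPHERTEXT_LIKE)
        alerts += det.observe(20.1 + i * 0.2, 4242, "update.exe", "rename", p, new_path=p + ".locked")
    # ...and then reaches the decoy file while enumerating the share.
    alerts += det.observe(26.0, 4242, "update.exe", "write", CANARY_PATH, CIPHERTEXT_LIKE)
    return alerts


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

The backup agent in the sample shows the main false-positive source: compression also produces high entropy, which is why the rule counts distinct files per process over a window instead of reacting to a single write. Real implementations take these events from a file-system minifilter or EDR agent, and the response (suspending the process, isolating the host) has to run at the same speed as the detection, which is the machine-speed argument made above.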

The following are practical measures you can enable on your own to improve your protections against ransomware and other modern security threats:

1 Harden your systems

At its core, ransomware still has to run as an executable or script on the victim’s machine in order to encrypt files or communicate with its control servers. Whatever exploit or stolen credential got it there, that code still has to be launched by the operating system, and that is where execution controls can stop it.

There are steps you can take that have nothing to do with protection software or spending money on networking tools or monitoring. All systems can be hardened against attack, which limits the effectiveness of any software or network communication sent to the system — even with compromised credentials. These settings do not require deep expertise to use to your advantage. Look for guidance from vendors on application control, such as Microsoft’s Software Restriction Policies (or their successors, AppLocker and Windows Defender Application Control) and Linux AppArmor profiles.

These investments tend to pay off at the most critical moment: during a zero-day exploit’s last step of executing malicious exfiltration or destruction. Additional investments aim at the earlier stages of the attack, before this moment is reached.

Guidance and assistance implementing these policies is job #1 for a virtual Chief Information Security Officer (vCISO) such as those at ActZero.

2 Ensure your prevention technology is configured correctly

Make sure you have the most current updates installed, especially now with more people working from home. With employees connecting into your systems from multiple networks (most of which will have other non-work users accessing them, and configuration that can’t be controlled uniformly), there is an increased risk of a breach across the board.

Tune your firewalls carefully, setting up your exception rules, your trusted executables, and your traffic permissions to balance intrusion protection with the access to required information that your (mostly remote working) staff require to do their jobs. Similarly, make sure your SIEM rules are optimized for the event types and triggered responses you want, so the correct alerts are flagged while not bogging down the work of your colleagues.
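One way to carry out the firewall tuning described above on a Windows endpoint, as an added example that is not part of the ActZero paper: log dropped traffic first, add explicit outbound rules for the executables staff actually need, and only then switch the default outbound action to block. The program paths, the rule names and the remote port are assumptions for illustration; Windows Defender Firewall ships with its own Core Networking rules (DNS, DHCP) that remain in place, but every other outbound connection must be covered by a rule once the default is Block.

```powershell
# Added example (not from the ActZero paper): default-deny outbound on Windows
# Defender Firewall with explicit allow rules for trusted executables, plus
# logging of blocked traffic so the rule set can be tuned before enforcement.
# Program paths, rule names and the remote port are assumptions. Run in an
# elevated PowerShell.

# 1. Log everything that is dropped. Review this log for a few days while the
#    profile is still allow-by-default to learn what legitimate traffic looks like.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -Enabled True `
    -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log' `
    -LogMaxSizeKilobytes 32767

# 2. Explicit allow rules for the executables staff need, scoped to the port
#    they use. Hypothetical paths: replace them with the real install locations.
$trusted = @(
    @{ Name = 'Allow Outlook (HTTPS)'; Program = 'C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE'; Port = 443 },
    @{ Name = 'Allow Browser (HTTPS)'; Program = 'C:\Program Files\Mozilla Firefox\firefox.exe';                 Port = 443 }
)
foreach ($app in $trusted) {
    # Idempotent: do not create duplicate rules on repeated runs.
    if (-not (Get-NetFirewallRule -DisplayName $app.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $app.Name `
            -Direction Outbound -Action Allow -Enabled True `
            -Program $app.Program -Protocol TCP -RemotePort $app.Port `
            -Profile Any | Out-Null
    }
}

# 3. Only after the allow list is complete, flip the default outbound action to
#    Block. An executable that no rule covers (for example a freshly dropped
#    encryptor trying to reach its control server) then has no path out.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

# 4. Read the block log to confirm that only unexpected traffic is being dropped.
#    Log columns: date time action protocol src-ip dst-ip src-port dst-port ...
$log = [Environment]::ExpandEnvironmentVariables('%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log')
Get-Content -Path $log -ErrorAction SilentlyContinue |
    Where-Object { $_ -match '^\d{4}-\d{2}-\d{2} .* DROP ' } |
    Select-Object -Last 20
```

Keep step 3 out of the script until the log from step 1 shows that every legitimate application has a matching rule; a default-deny rolled out without that review is the fastest way to generate the help-desk load the paragraph warns about.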

3 Practice good security hygiene

Make sure you have antivirus and anti-malware software installed on your system, and that they’re up to date to detect the latest known signatures. Require strong passwords at a minimum and, better still, multi-factor authentication on your endpoints. Consider device encryption — again, especially with more people working from home. Make backups regularly.
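A local check for the hygiene items above that can be verified on the endpoint itself, as an added example that is not from the ActZero paper: antivirus state and signature age, the minimum password length in the local account policy, and whether the OS volume is encrypted with BitLocker. Multi-factor authentication is enforced by the identity provider rather than on the device, and backup status depends on the backup product in use, so neither is checked here. The thresholds are assumptions.

```powershell
# Added example (not from the ActZero paper): endpoint hygiene check for the
# items that can be verified locally. Thresholds are assumptions. Run in an
# elevated PowerShell on Windows 10/11 or Server with Microsoft Defender and
# the BitLocker module available.

function Test-EndpointHygiene {
    param(
        [int]$MaxSignatureAgeDays = 3,    # assumption: signatures older than this are stale
        [int]$MinPasswordLength   = 14,   # assumption: policy floor for local accounts
        [string]$OsDrive          = 'C:'
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # Antivirus: engine enabled, real-time protection on, signatures recent.
    $mp = Get-MpComputerStatus
    if (-not $mp.AntivirusEnabled)          { $findings.Add('Antivirus engine is disabled') }
    if (-not $mp.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is off') }
    if ($mp.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $findings.Add("Antivirus signatures are $($mp.AntivirusSignatureAge) days old")
    }

    # Password policy: parse the 'Minimum password length' line of `net accounts`
    # (0 means no minimum is enforced).
    $minLen = (net accounts | Select-String 'Minimum password length') -replace '[^\d]', ''
    if (-not $minLen -or [int]$minLen -lt $MinPasswordLength) {
        $findings.Add("Minimum password length is '$minLen', expected at least $MinPasswordLength")
    }

    # Device encryption: BitLocker must be actively protecting the OS volume.
    $bl = Get-BitLockerVolume -MountPoint $OsDrive -ErrorAction SilentlyContinue
    if (-not $bl -or $bl.ProtectionStatus -ne 'On') {
        $findings.Add("BitLocker protection is not On for $OsDrive")
    }

    [pscustomobject]@{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
        Checked   = (Get-Date)
    }
}

Test-EndpointHygiene | Format-List
```

The function returns an object rather than printing, so the same check can be scheduled across a fleet and its `Findings` list collected centrally; a non-empty list on any machine is the signal to act before the next attack, not after it.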

4 Have an incident response plan

What happens if your defenses fail and there’s a breach? Who does what and when? What are the first steps? A comprehensive incident response (IR) plan should focus on identification of the kind and nature of the attack, along with containment, eradication, and recovery. An IR plan should deal with the data and technology ramifications of a breach such as a ransomware attack — malware detection, data theft, hardware damage, and service outages. You should also anticipate a postmortem on the incident and the lessons learned.

5 Practice fire drills

Your security posture and your IR plan are only as good as your last test. You can’t defend against ransomware or other cyberattacks if you don’t know where your weaknesses are and how vulnerable your infrastructure is to a potential breach, and those weaknesses are typically uncovered only during a simulated attack.

6 Have a software restriction policy

Ransomware often depends on an executable initiating the encryption process. By limiting which applications can execute, and how they can do so, you can seriously constrain an attacker’s ability to act on a given endpoint. Such a policy takes time to set up, and must be updated as new software is added, but it is a powerful tool to limit unexpected executables from running on your machines.

Our clients can discuss SRPs and other measures like these with one of our virtual CISOs or threat hunters. As it becomes harder for software systems to authenticate users securely, the use of SRPs helps reduce the vulnerability of passwords to interception (as in a man-in-the-middle attack) or brute-force dictionary attacks. With user passwords vulnerable to phishing attacks, SRP protocols help reduce one of the common ways RaaS actors gain entry to systems.
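The software restriction policy that sections 1 and 6 both describe, as an added example that is not part of the ActZero paper: an application allow list built with AppLocker, Microsoft’s current successor to Software Restriction Policies, generated from the executables already installed in trusted locations and deployed in audit mode first so the policy can be tuned before anything is blocked. The directories scanned, the policy file path and the sample download path are assumptions for illustration.

```powershell
# Added example (not from the ActZero paper): build a Windows application
# allow list with AppLocker (the successor of Software Restriction Policies),
# starting in AuditOnly mode so nothing breaks while the rule set is tuned.
# Directories, file paths and the sample download are assumptions. Run in an
# elevated PowerShell on an edition that supports AppLocker enforcement.

# 1. AppLocker enforcement depends on the Application Identity service.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 2. Inventory executables, scripts and installers in the trusted install
#    locations and generate publisher rules, falling back to hash rules for
#    unsigned binaries. -Optimize merges rules that share a publisher.
$files = foreach ($dir in 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows') {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Script, WindowsInstaller
}
$policyXml = New-AppLockerPolicy -FileInformation $files `
    -RuleType Publisher, Hash -User Everyone -Optimize -Xml

# 3. Start in AuditOnly mode: would-be violations are written to the event log
#    instead of being blocked, which is how the "takes time to set up" phase
#    is made safe.
$policyXml  = $policyXml -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"'
$policyPath = "$env:ProgramData\applocker-audit.xml"    # assumption: any writable path works
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# 4. Dry-run the policy against a file outside the trusted paths (the file
#    must exist; this path is hypothetical). Expected decision: Denied, since
#    no rule covers the user's Downloads folder.
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone `
    -Path "$env:USERPROFILE\Downloads\sample.exe"

# 5. Apply the audit policy locally, then review event ID 8003 ("would have
#    been blocked") for a week, add the rules it reveals, and only then change
#    AuditOnly to Enabled in the XML and re-apply.
Set-AppLockerPolicy -XmlPolicy $policyPath

Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object Id -eq 8003 |
    Select-Object TimeCreated, Message
```

Because the rules are keyed on publisher signatures rather than paths, a signed update of an allowed product keeps running after the policy is enforced, while an unsigned executable dropped into a user-writable folder does not; that is the property the paragraph above refers to when it calls the policy a powerful tool against unexpected executables.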

How MDR Can Help

While it’s possible to defend against RaaS on your own, it’s a lot of work and requires specialized expertise. Managed detection and response (MDR) providers can help initiate capabilities like these, and more, for your organization as your vCISO. ActZero provides value in the comprehensiveness of our protection options, so that you don’t need to worry about gaps in your defenses.

ActZero MDR looks at more than just outcomes. It operates at the kernel level (with minimal use of system resources), and offers machine-speed automated responses to known disruptive impacts, which are then validated by our expert human threat hunters.

ActZero believes that inspection at the level of the endpoint should be an organization’s first line of defense. Many organizations lack this critical defense. In fact, in 2018, 77% of organizations infected by ransomware “were running out-of-date endpoint security at the time of the attack”. We predict that the market will shift more than ever towards endpoint-centric threat detection and response in 2021.

7 Conclusion

Despite the new sheen of professionalism, the rise of RaaS has only increased the danger posed by ransomware. Competition in the lucrative market has made ransomware affordable and ubiquitous. Specialization and fragmentation mean even criminals without advanced programming skills can be the “hands on the keyboard” for sophisticated assaults on organizations. And as a business centered around disruption, the tactics of bad actors are becoming increasingly vicious as they seek new ways to exert pressure on victims.

Defending against this business-minded approach to ransomware is difficult, but not impossible.

Due to the rise of RaaS, ransomware is iterating at accelerating speeds — but the cycle of continuous improvement goes both ways. As ransomware gets more advanced, the tools to combat it also continue to evolve. More and more, we see the need to rely on machine-speed automated responses to deal with the instant payload nature of ransomware and the unprecedented number of attacks that RaaS makes possible. How long will it be until individual IT teams can no longer keep up?

The industry must shift away from simple prevention and toward detection and response. Proactive, not reactive, measures such as hygiene and remediation are necessary for effective security now, given the long dwell times and long-cycle attacks posed by ransomware.

AI-enabled, machine-speed MDR, guided by expert human threat hunters, provides the most secure defense for organizations looking to combat this growing threat.

Interested in hearing what ActZero’s MDR service can do to help your organization defend against ransomware?

Request a demo today.

TORONTO: 207 Queens Quay, Suite 820, Toronto, Ontario M5J 1A7
MENLO PARK: 2882 Sand Hill Road, Suite 115, Menlo Park, California 94025
SEATTLE: 925 4th Ave., 20th Floor, Seattle, Washington 98104

ActZero ActZeroAI ActZero.ai