Ransomware as a service is the new big problem for business

Easy-to-use ransomware as a service schemes are booming, accounting for almost two-thirds of ransomware campaigns during the past year, warn researchers.
Written by Danny Palmer, Senior Writer

Ransomware as a service is proving effective for cyber criminals who want a piece of the cyber-extortion action but without necessarily having the skills to develop their own malware, with two out of three attacks using this model.

Ransomware attacks are still proving extremely lucrative, with the most well-organised gangs earning millions per victim, so many cyber criminals want to cash in – but don't have the ability to code and distribute their own campaigns.

That's where ransomware as a service (RaaS) comes in, with developers selling or leasing malware to users on dark web forums. These affiliate schemes provide low-level attackers with the ability to distribute and manage ransomware campaigns, with the developer behind the ransomware receiving a cut of each ransom victim's pay for the decryption key.

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)

Researchers at cybersecurity company Group-IB have detailed that almost two-thirds of ransomware attacks analysed during 2020 came from cyber criminals operating on a RaaS model.

Such is the demand for ransomware as a service, that 15 new ransomware affiliate schemes appeared during 2020, including Thanos, Avaddon, SunCrypt, and many others.

Competition among ransomware developers can even lead to the authors providing special deals to wannabe crooks, which is more bad news for potential victims.

"Affiliate programs make this kind of attack more attractive for cybercriminals. The tremendous popularity of such attacks made almost every company, regardless of their size and industry, a potential victim," Oleg Skulkin, a senior digital forensics analyst at Group-IB, told ZDNet.

"Companies had to provide their employees with the capability to work remotely and we saw an increase in the number of publicly accessible RDP servers. Of course, nobody thought about security and many of such servers became the points of initial access for many ransomware operators," said Skulkin.

However, despite the success of ransomware attacks and RaaS schemes it's possible to help protect against falling victim to them with a handful of cybersecurity procedures – including avoiding the use of default passwords limiting public access to RDP.

"RDP-related compromise can easily be mitigated with the help of some simple but efficient steps like the restriction of IP addresses that can be used to make external RDP connections or setting limits on the number of login attempts within a certain period of time," said Skulkin.

SEE: Cybercrime groups are selling their hacking skills. Some countries are buying

Organisations can also help protect the network from ransomware and other attacks via the use of multi-authentication to limit the access an attacker can get if they do breach an account, while applying security patches as soon as possible after they're released prevents criminals from being able to exploit known vulnerabilities.

All of this can help prevent organisations from falling victim to ransomware attacks in the first place – and cut off the need to pay ransoms and encourage ransomware schemes.

"As long as companies pay ransoms, determined only by attackers' appetite, such attacks will continue to grow in numbers and scale and are likely to become more sophisticated," Skulkin concluded.


Editorial standards