Ransomware has become a successful criminal business

Ransomware is a form of malicious software designed to restrict users from accessing their computers or files until they pay a ransom to cybercriminals. Ransomware typically operates through cryptovirology, using symmetric as well as asymmetric encryption to prevent users from performing managed file transfers or accessing particular files or directories. Cybercriminals use ransomware to lock files on the assumption that the locked files store crucial information, which will allow them to compel users to pay the ransom in order to regain access. Ransomware is one of the oldest forms of cyberattack, dating back to 1989, and remains among the top threats we face on a daily basis. Its impact is severe, to say the least: files are encrypted by malicious software, and companies are forced to pay huge amounts of money for the promise that the data taken from them will not be publicly shared.

Ransomware as a Service

Ransomware as a Service, or RaaS, is similar to the SaaS (Software as a Service) and PaaS (Platform as a Service) concepts. RaaS changes the rules of the game: attackers are no longer forced to learn how to create malware from scratch when they can easily rent or purchase it from a RaaS provider. Ransomware as a Service relies on an aggregator, either a person or a group, that sells or rents malware to interested parties, also called ransomware operators. RaaS is a fairly new concept in comparison with the rest of the industry, but lately it has started to gain traction, with a big impact on the businesses that become its victims. In the past, coding knowledge was a must for all successful hackers; with the introduction of the RaaS model, those technical prerequisites are no longer necessary.

The RaaS business model and how it works

The model starts with expertly coded ransomware developed by skillful ransomware operators; the developers then need to persuade affiliate networks of distributors to sign up and propagate their malware. Once the ransomware is developed, it is adapted to a multi-end-user infrastructure, which makes the software ready to be licensed to multiple affiliates. Affiliates can sign up with either a one-time fee or a monthly subscription, so there are multiple ways in which they can become part of the business. The affiliates are then supported with onboarding documentation containing a step-by-step guide for launching ransomware attacks with the software, and even a dashboard that helps them monitor the status of each ransomware infection attempt. RaaS groups post affiliate openings on dark web forums, and some ransomware gangs, like Circus Spider and Dark Side, only recruit affiliates with specific technical skills.

How do RaaS attacks work?

Most ransomware victims are breached through phishing attacks, with phishing emails being the most common category of phishing attacks. During these attacks, the victim is presented with an email that seems legitimate and unknowingly activates a cyber threat. The affiliates send a very convincing phishing email, and when a link in it is clicked, the victim is directed to the exploit site.

Once the victim accesses the exploit website, the malware is downloaded and the ransomware moves freely throughout the infected system, disabling firewalls and all antivirus software. The attacks rely on finding any vulnerable endpoint, which can serve as a gateway to the entire internal network of a business. At this point the ransomware is undetected, and therefore able to easily encrypt the victim's files while the victim may be unaware that any data breach is taking place. When the attackers have completed their action, the extortion game begins with a ransom note, usually a TXT file placed on the victim’s computer with the sole purpose of providing instructions that the victim can use to pay a ransom price in exchange for the decryption key.
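The behaviour described above, files being encrypted and then a TXT ransom note appearing, leaves two signals a defender can correlate. The following is an added example, not part of the original article: it flags a host when many file writes look encrypted (high byte entropy) and the same .txt name is created across several directories. Host names, paths, the note name and the thresholds are constructed assumptions.

```python
import hashlib
import math
import posixpath
from collections import Counter, defaultdict

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def _random_like(seed: int) -> bytes:
    """Constructed stand-in for ciphertext: 2 KiB of hash output."""
    return b"".join(hashlib.sha256(bytes([seed, i])).digest() for i in range(64))

PLAIN = b"Quarterly report: revenue figures and notes.\n" * 40

# Constructed file events: (host, action, path, sample of bytes written).
EVENTS = (
    [("ws-07", "write", f"/home/ann/docs/d{i}/ledger{i}.csv", _random_like(i))
     for i in range(6)]
    + [("ws-07", "create", f"/home/ann/docs/d{i}/RESTORE_FILES.txt", PLAIN)
       for i in range(6)]
    + [("ws-12", "write", "/home/bob/report.csv", PLAIN),
       ("ws-12", "write", "/home/bob/archive.zip", _random_like(99)),
       ("ws-12", "create", "/home/bob/notes.txt", PLAIN)]
)

def detect(events, min_encrypted=5, min_note_dirs=3, entropy_threshold=7.5):
    """Return {host: evidence} where both signals cross their thresholds."""
    encrypted = defaultdict(set)                    # host -> high-entropy paths
    notes = defaultdict(lambda: defaultdict(set))   # host -> name -> directories
    for host, action, path, sample in events:
        directory, name = posixpath.split(path)
        if action == "write" and shannon_entropy(sample) >= entropy_threshold:
            encrypted[host].add(path)
        elif action == "create" and name.lower().endswith(".txt"):
            notes[host][name].add(directory)
    alerts = {}
    for host, paths in encrypted.items():
        repeated = sorted(n for n, d in notes[host].items() if len(d) >= min_note_dirs)
        if len(paths) >= min_encrypted and repeated:
            alerts[host] = {"high_entropy_writes": len(paths), "note_names": repeated}
    return alerts

if __name__ == "__main__":
    print(detect(EVENTS))
```

A single compressed file (the .zip on ws-12) also scores high on entropy, which is why the example requires both signals before alerting.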

The extortion game does not stop here: cybercrime groups like Maze operate a double-extortion model. This model works by demanding a ransom payment in exchange for a decryption key and also threatening to publish the breached data on the dark web if payment isn’t made before the deadline. Many victims fall into the attackers’ trap because they are afraid of having the breached information exposed, but the question is: can you trust the attackers to delete all the data stolen from you after you pay the ransom?

Some companies decide to take the risk, while others stand firm and face the attackers. Unfortunately, without a clear and up-to-date legal framework regarding cybersecurity, it’s extremely difficult to stop the rise in ransomware attacks that we have seen lately. To make the ransom payment, victims are instructed to download a dark web browser and pay through a dedicated payment gateway.

Should you pay a ransomware price?

As previously mentioned, the decision whether or not to pay a ransom is a difficult one to make. If you make the payment, you are trusting that the cybercriminals will deliver on their promise of supplying you with a decryption key as well as not leaking your data online.

As you know, any cybercriminal operation is inherently immoral, therefore you cannot be sure that the criminals will uphold a fragment of morality and follow through with their promises.

The Impact of Ransomware on your Business

Every day, ransomware causes tremendous damage, disrupting business operations and leading to the loss of important data. You may be tempted to think that the most expensive part of handling a ransomware demand is the ransom itself, but for many businesses the cost of downtime due to restricted system access can vastly outweigh the value of the requested ransom.

Ransomware is becoming more and more widespread; therefore, all companies should take the necessary time and resources to revise their cybersecurity goals and focus on the scalable and accurate implementation of ransomware resilience and recovery plans.

How to protect yourself from RaaS?

RaaS is sophisticated, but not infallible, and like any other cyber threat, it can be countered by having a correct and scalable strategy in place.

Back up your endpoints and servers

The best way to protect your business against ransomware, and every kind of threat for that matter, is to have a backup system in place. That way, in case of a ransomware attack, any crucial data can be restored without having to pay the ransom.

Don’t open suspicious attachments or links

Trust your instincts: don’t open an email containing attachments or links that comes from an untrusted source, as it might be infected with malware. Keep in mind that even if an email comes from someone familiar, you should remain suspicious.

Patch frequently

Attacks often happen when hackers can take advantage of gaps in your security grid, and an outdated app provides them with the best opportunity, so make sure that all your apps are up to date.

A Few Thoughts

Even if Ransomware as a Service looks to be on the rise because it’s cheap, easy to deploy, powerful, and requires little to no technical expertise, we need to remember that we can protect ourselves by following a few simple steps: frequent patching, a strong AV/AM solution, and remaining vigilant at all times.

Author Bio – Dora Tudor is a Communications and PR Officer at Heimdal Security. A content creator that is curious about technology and passionate about finding out everything there is to know about cybersecurity.


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com
