Ransomware has become a huge problem for businesses, as victims face a choice between paying sizable ransoms or losing control of their data. Ransomware attacks are costing companies of all sizes more than $75 billion per year in recovery costs, according to Datto.
One reason that the problem has become so acute is that it can be so profitable for cyber criminals with minimal risk of getting caught. This has led to a rise in ransomware-as-a-service (RaaS) offerings, which allow criminals with little or no technical knowledge to get into the ransomware “business” and start extorting money from their victims.
RaaS offerings come and go, but some of the most infamous examples include Encryptor and Jokeroo. There is no doubt that they are profitable: total RaaS revenues were around $20 billion in 2020, up from $11.5 billion the previous year, according to CrowdStrike.
What is Ransomware-as-a-service?
Ransomware-as-a-service is a specialist offshoot of more general malware-as-a-service offerings, which are not particularly new: ten years ago Russian computer programmers offered “exploit packs” to criminals. These automated hacking tools had everything needed to enable criminals to take over vulnerable computers in a matter of seconds. Some exploit packs were sold with a three- or six-month license, while others were offered as a service, with the authors running and managing the exploit packs on their own servers and renting out access to criminals for about $500 per month or $200 per week.
These exploit packs were a problem, but the advent of ransomware has been a game changer for the malware-as-a-service industry. That’s because while traditional exploit packs let criminals gain control over a victim’s computer, it was still up to the criminal to find a way to profit from that control. Ransomware provides a direct way to try to monetize every single successful infection.
This has led to a division of labor, with unscrupulous programmers providing the tools to infect victims with ransomware, and criminals devising ways to get the ransomware onto victims’ computers — perhaps by sending out phishing emails using botnets that they already control — and also collecting the ransoms and reaping the profits.
Many of the people who offered exploit packs and who are now creating the RaaS offerings are professional programmers who previously had legitimate jobs with large companies, but who prefer to work for themselves and earn a little more money, according to Fyodor Yarochkin, a senior researcher at Trend Micro.
The quality of different ransomware-as-a-service offerings varies widely, with the more sophisticated ones offering customer consoles showing infection statistics, ransom payments, and other “business” information.
However, there is evidence that these programmers are now more involved in the criminal money-making side of ransomware than they were with exploit packs. RaaS offerings are now made available in four distinct ways. Criminals can use the services:
- For a fixed monthly fee
- For a one-time license fee
- On an affiliate basis, with criminals paying a lower monthly fee while the service provider retains about 25% of the ransoms
- On a pure profit sharing or “no ransom no fee” basis.
These last two models show that the people behind RaaS offerings are getting more involved in criminal activity by taking a share of paid ransoms. For that reason alone it is unlikely that these services will decline in popularity.
What can be done to mitigate the threat of RaaS?
Ransomware-as-a-service is simply a business model for ransomware, so the ways to mitigate the threat posed by these services are no different from the ways to mitigate the threats of ransomware in general. These include:
Phishing awareness training. One of the most common ways for malware to get onto corporate networks is an employee clicking on a malicious link or opening a malicious attachment in a phishing email. It follows that ensuring that all staff members are trained to help them spot phishing emails is the best way to prevent ransomware infections in the first place.
Install effective endpoint protection software. Make sure that all the endpoints on your network are running endpoint protection software that is designed to spot the tell-tale signs of ransomware in operation and stop it. These signs include large numbers of file deletions, accessing of dummy files, and of course unexpected encryption activity.
Use a patch manager. Ensure operating systems and applications are patched in a timely fashion to prevent ransomware exploiting known vulnerabilities. This is important because many ransomware services are not particularly innovative and rely on using unpatched vulnerabilities to infect machines.
Segment your network. Once ransomware infects a computer, it will generally try to spread across your network to infect as many other machines as possible. For that reason it’s a good idea to use network segmentation to isolate infections to as few machines as possible.
Back up. Since it is generally not possible to decrypt data that has been encrypted by ransomware (although decryption tools do exist for some specific variants of ransomware), the only way to access your data once it has been encrypted by ransomware is to retrieve it from non-infected backups. That means it is essential to back up your data regularly to multiple devices and locations.
Insure. Cybercrime insurance can help you mitigate the financial risks of ransomware, but be sure that you are fully insured for the losses that may be incurred. A ransomware attack against the New Orleans city government in early 2020 is believed to have cost the city over $7 million. It is understood to have received $3 million from its insurers, which may indicate that the city was underinsured.
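The three tell-tale signs listed under endpoint protection above (large numbers of file deletions, access to dummy files, and unexpected encryption activity) can be sketched as detection logic over a stream of file events. This is an added example, not code from any endpoint product; the event format, canary path and thresholds are assumptions, and the events are constructed.

```python
import math
from collections import Counter, deque

# Assumed values for illustration: tune per environment.
CANARY_PATHS = {"/srv/share/finance/~canary.docx"}  # decoy file no user should open
DELETE_LIMIT, WINDOW_S = 20, 10.0   # deletions per process inside a sliding window
ENTROPY_LIMIT = 7.5                 # bits per byte; encrypted output approaches 8.0

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of a written sample; plain documents score far below 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def detect(events):
    """events: (timestamp, pid, op, path, sample_bytes). Returns [(pid, reason)]."""
    alerts, seen, deletes = [], set(), {}
    for ts, pid, op, path, sample in events:
        reason = None
        if path in CANARY_PATHS:                      # any access to a dummy file
            reason = "canary-access"
        elif op == "delete":                          # large numbers of deletions
            q = deletes.setdefault(pid, deque())
            q.append(ts)
            while ts - q[0] > WINDOW_S:
                q.popleft()
            if len(q) >= DELETE_LIMIT:
                reason = "mass-delete"
        elif op == "write" and shannon_entropy(sample) > ENTROPY_LIMIT:
            reason = "high-entropy-write"             # unexpected encryption activity
        if reason and (pid, reason) not in seen:      # one alert per process and sign
            seen.add((pid, reason))
            alerts.append((pid, reason))
    return alerts

def sample_events():
    """Constructed events: pid 100 edits a document, pid 200 behaves like ransomware."""
    text = b"Quarterly report draft, figures pending review. " * 40
    cipherlike = bytes(range(256)) * 8                # uniform bytes, entropy 8.0
    events = [(0.0, 100, "write", "/srv/share/finance/q3.docx", text),
              (1.0, 200, "write", "/srv/share/finance/q3.docx", cipherlike)]
    events += [(1.0 + i * 0.2, 200, "delete", f"/srv/share/finance/f{i}.xlsx", b"")
               for i in range(25)]
    events.append((7.0, 200, "read", "/srv/share/finance/~canary.docx", b""))
    return events

if __name__ == "__main__":
    for pid, reason in detect(sample_events()):
        print(f"ALERT pid={pid} {reason}")
```

High entropy on its own also matches compressed archives and media files, so it is best weighed together with the deletion and canary signals rather than acted on alone.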
What to do if your network is infected with ransomware
- Disconnect infected computers from the network and any attached storage systems to prevent the infection from spreading.
- Take a photograph of any displayed ransom notes. This can help you identify the ransomware, and may be needed in order to make a cyber insurance claim.
- Remove the infection or reformat the computer before restoring any data from backups.
- Restore data from backups if available.
- If no backups are available, look to see if a decryption tool is available from a repository such as NoMoreRansom or Heimdal Security’s decryption tool directory. However, decryption tools, when they are successful, only recover 90% of data on average.
- If you are still unable to access your data, consider paying the ransom. Paying a ransom does not guarantee that you will get your data back and it is believed that between 5% and 40% of organizations that pay a ransom get nothing in return. Organizations that pay a ransom and receive a decryption tool still lose 7% of their data on average, according to Coveware. Remember that paying a ransom may mark your organization out as a “payer”, thus encouraging further ransomware attacks.
Ultimately the decision to pay a ransom is a business decision. If your organization faces an existential threat due to the loss of data, or if the cost of disruption due to the loss of data is very high, then paying for a 60% – 95% chance of getting the data back may be a sensible business decision.