Trace Id is missing

Ransomware as a service: The new face of industrialized cybercrime

Two arrows being superimposed on a line and pointing towards each other in different path

 Cybercrime’s newest business model, human-operated attacks, emboldens criminals of varying ability.

Ransomware, one of the most persistent and pervasive cyber threats, continues to evolve, and its latest form presents a new menace to organizations worldwide. The evolution of ransomware doesn’t involve new advances in technology. Instead, it involves a new business model: ransomware as a service (RaaS).

Ransomware as a service (RaaS) is an arrangement between an operator, who develops and maintains the tools to power extortion operations, and an affiliate, who deploys the ransomware payload. When the affiliate conducts a successful ransomware and extortion attack, both parties profit.

The RaaS model lowers the barrier to entry for attackers who may not have the skill or technical wherewithal to develop their own tools but can manage ready-made penetration testing and sysadmin tools to perform attacks. These lower-level criminals can also just buy network access from a more sophisticated criminal group that has already breached a perimeter.

Although RaaS affiliates use ransomware payloads provided by more sophisticated operators, they are not part of the same ransomware “gang.” Rather, these their own distinct enterprises operating in the overall cybercriminal economy.

Advancing the capabilities of cybercriminals and growing the overall cybercriminal economy

The ransomware as a service model has facilitated a rapid refinement and industrialization of what less capable criminals can accomplish. In the past, these less sophisticated criminals may have used commodity malware they either built or purchased to perform attacks that are limited in scope, but now they can get everything they need—from access to networks to ransomware payloads—from their RaaS operators (for a price, of course). Many RaaS programs further incorporate a suite of extortion support offerings, including leak site hosting and integration into ransom notes, as well as decryption negotiation, payment pressure, and cryptocurrency transaction services.

This means that the impact of a successful ransomware and extortion attack remains the same regardless of the attacker’s skills.

Discovering and exploiting network vulnerabilities…for a price

One way RaaS operators provide value to their affiliates is by providing access to compromised networks. Access brokers scan the internet for vulnerable systems, which they can compromise and reserve for later profit.

In order to be successful, attackers need credentials. Compromised credentials are so important to these attacks that when cybercriminals sell network access, in many instances, the price includes a guaranteed administrator account.

What the criminals do with their access once it has been achieved can vary wildly depending on the groups and their workloads or motivations. The time between initial access to a hands-on keyboard deployment can therefore range from minutes to days or longer, but when the circumstances permit, damage can be inflicted at breakneck speed. In fact, the time from initial access to full ransom (including handoff from an access broker to an RaaS affiliate) has been observed to take less than an hour.

Keeping the economy moving – persistent and sneaky access methods

Once attackers gain access to a network, they are loathe to leave—even after collecting their ransom. In fact, paying the ransom may not reduce the risk to an affected network and potentially only serves to fund cybercriminals, who will continue trying to monetize attacks with different malware or ransomware payloads until they are evicted.

The handoff that transpires between different attackers as transitions in the cybercriminal economy occur means that multiple activity groups may persist in an environment using various methods disparate from the tools used in a ransomware attack. For example, initial access gained by a banking trojan leads to a Cobalt Strike deployment, but the RaaS affiliate that purchased the access may choose to use a remote access tool such as TeamViewer to operate its campaign.

Using legitimate tools and settings to persist versus malware implants such as Cobalt Strike is a popular technique among ransomware attackers to avoid detection and remain resident in a network for longer.

Another popular attacker technique is to create new backdoor user accounts, whether local or in Active Directory, that can then be added to remote access tools such as a virtual private network (VPN) or Remote Desktop. Ransomware attackers have also been observed editing the settings on systems to enable Remote Desktop, reduce the protocol’s security, and add new users to the Remote Desktop Users group.

Flow diagram explaining how RaaS attacks are planned and implemented

Facing the most elusive and cunning adversaries in the world

One of the qualities of RaaS that makes the threat so concerning is how it relies on human attackers who can make informed and calculated decisions and vary attack patterns based on what they find in the networks where they land, ensuring they meet their goals.

Microsoft coined the term human-operated ransomware to define this category of attacks as a chain of activity that culminates in a ransomware payload, not as a set of malware payloads to be blocked.

While most initial access campaigns rely on automated reconnaissance, once the attack shifts to the hands-on-keyboard phase, attackers will use their knowledge and skill to try to defeat the security products in the environment.

Ransomware attackers are motivated by easy profits, so adding to their cost via security hardening is key in disrupting the cybercriminal economy. This human decision-making means that even if security products detect specific attack stages, the attackers themselves don’t get fully evicted; they attempt to continue if not blocked by a security control. In many instances, if a tool or payload is detected and blocked by an antivirus product, attackers simply grab a different tool or modify their payload.

Attackers are also aware of security operations center (SOC) response times and the capabilities and limitations of detection tools. By the time the attack reaches the stage of deleting backups or shadow copies, it’d be minutes away from ransomware deployment. The adversary would likely have already performed harmful actions like the exfiltration of data. This knowledge is key for SOCs responding to ransomware: investigating detections like Cobalt Strike before the ransomware deployment stage and performing swift remediation actions and incident response (IR) procedures are critical for containing a human adversary.

Hardening security against threats while avoiding alert fatigue

A durable security strategy against determined human adversaries must include detection and mitigation goals. It’s not enough to rely on detection alone because 1) some infiltration events are practically undetectable (they look like multiple innocent actions), and 2) it’s not uncommon for ransomware attacks to become overlooked due to alert fatigue caused by multiple, disparate security product alerts.

Because attackers have multiple ways to evade and disable security products and are capable of mimicking benign admin behavior in order to blend in as much as possible, IT security teams and SOCs should back up their detection efforts with security hardening measures.

Ransomware attackers are motivated by easy profits, so adding to their cost via security hardening is key in disrupting the cybercriminal economy.

Here are some steps organizations can take to protect themselves:

 

  • Build credential hygiene: Develop a logical network segmentation based on privileges that can be implemented alongside network segmentation to limit lateral movement.
  • Audit credential exposure: Auditing credential exposure is critical in preventing ransomware attacks and cybercrime in general. IT security teams and SOCs can work together to reduce administrative privileges and understand the level at which their credentials are exposed.
  • Harden the cloud: As attackers move towards cloud resources, it’s important to secure cloud resources and identities as well as on-premises accounts. Security teams should focus on hardening security identity infrastructure, enforcing multifactor authentication (MFA) on all accounts, and treating cloud admins/tenant admins with the same level of security and credential hygiene as Domain Admins.
  • Close security blind spots: Organizations should verify that their security tools are running in optimum configuration and perform regular network scans to ensure a security product protects all systems.
  • Reduce the attack surface: Establish attack surface reduction rules to prevent common attack techniques used in ransomware attacks. In observed attacks from several ransomware-associated activity groups, organizations with clearly defined rules have been able to mitigate attacks in their initial stages while preventing hands-on-keyboard activity.
  • Evaluate the perimeter: Organizations must identify and secure perimeter systems that attackers might use to access the network. Public scanning interfaces, such as , can be used to augment data.
  • Harden internet-facing assets: Ransomware attackers and access brokers use unpatched vulnerabilities, whether already disclosed or zero-day, especially in the initial access stage. They also rapidly adopt new vulnerabilities. To further reduce exposure, organizations can use the threat and vulnerability management capabilities in endpoint detection and response products to discover, prioritize, and remediate vulnerabilities and misconfigurations.
  • Prepare for recovery: The best ransomware defense should include plans to recover quickly in the event of an attack. It will cost less to recover from an attack than to pay a ransom, so be sure conduct regular backups of your critical systems and protect those backups against deliberate erasure and encryption. If possible, store backups in online immutable storage or fully offline or off-site.
  • Further defense against ransomware attacks: The multi-faceted threat of the new ransomware economy and elusive nature of human-operated ransomware attacks require organizations to adopt a comprehensive approach to security.

The steps we outlined above help defend against common attack patterns and will go a long way in preventing ransomware attacks. To further stiffen defenses against traditional and human-operated ransomware and other threats, use security tools that can provide deep cross-domain visibility and unified investigation capabilities.

For an additional overview of ransomware complete with tips and best practices for prevention, detection, and remediation, see Protect your organization from ransomware, and for even more in-depth information on human-operated ransomware, read Senior Security Researcher Jessica Payne’s Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself.

Related articles

Cyber Signals Issue 2: Extortion Economics

Hear from frontline experts on the development of ransomware as a service. From programs and payloads to access brokers and affiliates, learn about the tools, tactics, and targets cybercriminals favor, and get guidance to help protect your organization.

Expert Profile: Nick Carr

Nick Carr, Cybercrime Intelligence Team Lead at the Microsoft Threat Intelligence Center, discusses ransomware trends, explains what Microsoft is doing to protect customers from ransomware, and describes what organizations can do if they’ve been affected by it.

Protect your organization from ransomware

Get a glimpse of the criminal players who operate within the underground ransomware economy. We’ll help you understand the motivations and mechanics of ransomware attacks and provide you with best practices for protection as well as backup and recovery.

Follow Microsoft Security