Do you know what the greatest motivator in 2016 was for cyber attacks?
If you answered “ransom”, you were correct.
2016 became known as the year of ransomware: a whopping 49% of businesses fell victim to cyber ransom attacks. Based on these numbers, IT professionals certainly have cause for concern, especially when taking into consideration “hacking made easy,” or what we know as Ransomware as a Service (RaaS).
What is Ransomware as a Service?
Modeled after software-as-a-service, RaaS extends hacking to would-be cybercriminals, drawing in participants with a minimum of script kiddie abilities. They execute by:
- Accessing a darkweb TOR site and registering with a Bitcoin address. From there, they tailor and download their own version of the malware.
- Using multiple Bitcoin addresses to run simultaneous campaigns.
- Employing typical infection vectors for the executable. Targeted spear-phishing, spray-and-pray phishing campaigns, and malvertising with contaminated ads on websites compromised with exploit kits are all available to criminal affiliates, and victims download the malicious files unknowingly. Other vectors include manually hacking Linux servers or brute-forcing terminal servers.
In the end, 5%-25% of all ransom collected goes to the original developers. By creating free and easy malware that doesn’t require specialist knowledge to deploy, the ransomware bosses can score big profits with a large number of infections.
The remaining income goes directly to the script kiddies who get a taste of easy criminal profits. With access to hacking-made-easy tools like insider statistics and campaign settings, they can continue to conduct ransomware campaigns with little effort.
Just $39.99 a Month for Our Hacking Made Easy Toolkit!
It sounds like a cheesy infomercial, but hackers understand that hooking prospective evildoers is big business. A cryptoware program called Stampado, being sold on the darknet for $39, even had a YouTube video promoting the RaaS subscription.
While less experienced online attackers might be drawn in by the “hacking made easy” value proposition, more sophisticated actors will go after stable, flexible, and refined vectors.
In the wild, we’ve seen this through the use of a Cerber variant tied to a $2.5 million a year RaaS ring. According to research reports, the RaaS ring included 161 active campaigns, with eight new campaigns launched daily. In July 2016, it was estimated that criminals earned close to $200,000. Victims paid approximately 1 bitcoin ($590) to decrypt files locked by the Cerber ransomware.
Protecting Against RaaS
We urge victims against buckling to extortion if at all possible. Each time a ransom is paid, malicious actors gain resources to do more damage. While sometimes paying for decryption is unavoidable, we suggest taking these steps for the best possible outcomes.
- Use a product that guarantees its protection technology. SentinelOne assures users that if we’re unable to block or remediate the effects of a ransomware attack, we’ll pay for it. We’ll reimburse your company or organization up to $1,000 per endpoint, or $1,000,000 in protection overall for the company.
- Go beyond signature-based endpoint protection with behavioral detection. Malware authors understand that signature-based endpoint products identify malware based on its structure. Behavioral detection instead watches the malware’s path and actions before taking steps to protect.
- Backups are essential in neutralizing the threat. Using 10-minute interval snapshots and sending the data to the cloud can provide insurance in the event of an attack.
- Educate end users on Ransomware as a Service. In 2017, it’s likely that we will continue to suffer from ransomware attacks. The first line of defense is a knowledgeable workforce that understands the ramifications of opening a curious email or clicking a malicious ad. By giving them experience through simulated phishing attempts, you can gauge the preparedness of users to spot keepers of ransomware strains.
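To illustrate the behavioral-detection point above, together with the earlier note that each affiliate tailors and downloads its own build, here is an added example (not SentinelOne's code or detection logic) that runs a hash blocklist and a simple behavioral rule over the same constructed file-write events. The process names, thresholds, and event data are assumptions made up for the illustration.

```python
import hashlib, math, os
from collections import Counter, defaultdict

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; encrypted data approaches 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def signature_hits(images: dict, blocklist: set) -> set:
    """Signature view: flag a process only if its executable hash is already known."""
    return {p for p, img in images.items() if hashlib.sha256(img).hexdigest() in blocklist}

def behavior_hits(events, window=10.0, min_files=5, min_entropy=7.0) -> set:
    """Behavioral view: flag a process that overwrites many distinct files
    with high-entropy content inside one sliding time window."""
    recent = defaultdict(list)            # process -> [(time, path)] of suspicious writes
    flagged = set()
    for t, proc, path, written in sorted(events, key=lambda e: e[0]):
        if entropy(written) < min_entropy:
            continue                      # ordinary document content, ignore
        recent[proc] = [(ts, p) for ts, p in recent[proc] if t - ts <= window] + [(t, path)]
        if len({p for _, p in recent[proc]}) >= min_files:
            flagged.add(proc)
    return flagged

# --- constructed sample data (no real malware, hashes, or paths) ---
IMAGES = {
    "build_a.exe": b"constructed stand-in for the original build",
    "build_b.exe": b"constructed stand-in for an affiliate-tailored build",
    "editor.exe":  b"constructed stand-in for a benign editor",
}
BLOCKLIST = {hashlib.sha256(IMAGES["build_a.exe"]).hexdigest()}   # only build A is known

def make_events():
    ev = []
    for i in range(6):                    # six writes per process, 0.5 s apart
        ev.append((i * 0.5, "build_a.exe", f"docs/a{i}.docx", os.urandom(4096)))
        ev.append((i * 0.5, "build_b.exe", f"docs/b{i}.docx", os.urandom(4096)))
        ev.append((i * 0.5, "editor.exe",  f"notes/n{i}.txt", b"meeting notes " * 300))
    return ev

if __name__ == "__main__":
    events = make_events()
    print("signature:", sorted(signature_hits(IMAGES, BLOCKLIST)))
    print("behavior: ", sorted(behavior_hits(events)))
```

The blocklist only catches the build it has already seen, while the behavioral rule flags both builds and leaves the editor alone. Legitimate tools that write compressed or encrypted output, such as archivers and backup agents, also produce high-entropy writes, so a rule like this needs allow-listing and tuning before use.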