The Rising Threat of Ransomware as a Service (RaaS)

As seen on Security Boulevard

It comes as no surprise that, as last year came to a close, Microsoft was tracking more than 50 unique active ransomware families and more than 100 threat actors that were using ransomware in their attacks.

After all, ransomware is still a familiar, destructive and sometimes costly foe; 2022 ended with the Sandworm gang launching Monster ransomware attacks on Ukraine and a series of warnings from the Department of Health and Human Services (HHS) Health Sector Cybersecurity Coordination Center about Royal ransomware that Darren Guccione, CEO and co-founder of Keeper Security, said “are putting human lives at risk. These attacks range from simple to sophisticated, but share a common outcome: Bad actors wreak havoc once they’ve made their way past an organization’s defenses.”

And ransomware is particularly dangerous because it can be used as a cover for more nefarious activities. “A lot of these guys make it look like they’re doing it for ransom, but they’re really doing it for other reasons,” said Threater CTO Pat McGarry, pointing to the energy industry where victim companies may pay the ransom, but the attackers “have already gotten what they wanted” to “come back in later to effectively cyberattack an energy infrastructure or IoT infrastructure.”

Ransomware has spread like wildfire, fueled in large part by ransomware-as-a-service (RaaS), which lets threat actors share their malicious know-how and lend their talents and expertise to other similarly minded miscreants, the Microsoft Security Intelligence group said. “The RaaS ecosystem continues to evolve and expand with numerous players bringing varying techniques, goals and skillsets,” Microsoft Security Intelligence recently tweeted.

“By offering a simple, turnkey solution to would-be hackers, RaaS has made it easier than ever for anyone with a little bit of tech savvy to launch a ransomware attack. This has led to an explosion in the number of incidents, with businesses of all sizes falling victim to this form of attack,” said BullWall CTO Jan Lovmand.

“More incidents means more companies paying up, fueling the profits of the actors and making this type of attack even more attractive to those looking to cash in,” said Lovmand.

“RaaS unites every threat actor in the world to leverage their specialties and unique capabilities to, essentially, create a super threat entity. The impacts of RaaS cannot be understated,” said Lovmand. “Just as telegraph allowed for faster communication and led to the expansion of the American frontier, RaaS is facilitating the spread of ransomware against our best efforts.”

Though threat actors continue to “use phishing for initial access, they’ve shown increased reliance on other techniques,” Microsoft researchers tweeted. “One of the most common is the use of malvertising to surface links leading to various first-stage malware that eventually deliver ransomware or other payloads.”

The security researchers noted that a threat actor tracked as DEV-0569 “uses malicious ads to distribute Batloader, which then delivers post-exploitation tooling associated with DEV-0846, ultimately leading to the deployment of Royal ransomware.”

And others, like DEV-0882 and DEV-0671, were observed exploiting “new patched vulnerabilities, including those in Exchange Server” in an effort to “deploy Play and Cuba ransomware, respectively,” which Microsoft said “highlights the need to urgently apply security patches as soon as possible.”

Among the techniques gaining steam in more recent attacks “is the use of FakeUpdates leading to post-compromise activity by DEV-0243 involving the use of Blister to load embedded Cobalt Strike Beacon payloads,” Microsoft said. “FakeUpdates is a malware family that poses as software updates, typically browser updates, and arrives via malicious ads or drive-by downloads, stressing the importance of getting updates directly from vendors or official app stores, in addition to strong network protection.”

Lockbit Black, BlackCat (aka ALPHV), Play, Vice Society, Black Basta and Royal, which is giving health care such a fit, were among “some of the most prominent ransomware payloads in recent campaigns,” the Microsoft researchers said.

“By the time you detect the payload it’s frequently too late. Even detecting the loader being dropped is late. You’ve got to be earlier in the kill chain with the ability to see and handle things that are often less obvious,” said Kevin Hanes, CEO at Cybrary.

“This takes a combination of technology and trained people. Unfortunately, many organizations don’t get that combination right and are not placing enough emphasis or investment in training their cybersecurity team,” said Hanes.

Microsoft researchers explained that defense strategies “should focus less on payloads but more on the chain of activities that lead to their deployment.”

The number one thing organizations should do, McGarry said, is “update your software, please. It’s not hard to do.” Otherwise, “you’re going to be a statistic.”