InfoSec Insider

Defeating Ransomware-as-a-Service? Think Intel-Sharing

Aamir Lakhani, cybersecurity researcher and practitioner at FortiGuard Labs, explains the rise of RaaS and the critical role of threat intel in effectively defending against it.

The Colonial Pipeline ransomware attack put a glaring spotlight on the ransomware scourge – and, in particular, on the rise of ransomware-as-a-service (RaaS). That attack was perpetrated by DarkSide, a RaaS platform that purportedly first surfaced last August.

While the group now claims they’re done operating, this incident has given the industry at large a greater taste for just how crippling RaaS can be. And it’s definitely not going away. DarkSide might be done, but there are an unknown number of organizations waiting in the wings to strike.

That said, it’s possible to defeat it, with better sharing of threat intelligence with law enforcement and security practitioners.

Remote Work and Ransomware-as-a-Service

The threat landscape today is being shaped largely by two factors: the move to telework as a result of the pandemic (which expanded the attack vectors) and the rise of RaaS, which has made attacking even easier. RaaS makes it possible for just about any bad actor to launch a successful attack – no special skills or experience are needed. They simply purchase premade ransomware tools created by a skilled ransomware developer.

That developer either sells a subscription to the ransomware or agrees to take a percentage of whatever the would-be ransomer makes. This means that affiliates don’t need much technical know-how to get in on this cybercrime business. And it’s a great deal for the nascent criminal; they stand to make millions of dollars without needing specialized skills. No wonder RaaS has become so popular.

It should be noted that not all RaaS providers are created equal. Some of the more established providers require large deposits; it’s not uncommon to see a request for in excess of $100,000 in deposits. RaaS providers expect to make money when you sign up as an affiliate. Therefore, some of the more established providers will ask for proof of past performance working with other RaaS providers. In other words, the provider wants to check whether you have worked with any other providers, and how much money you made, before accepting you into their program.

Of course, there are a few providers that don’t care and let many people sign up for their services at a much lower cost. The quality of service and software, as well as its efficiency, can vary between these options.

A Short Ransomware History

One early and successful malware package, Zeus, came out in 2007 and hit the headlines between 2013 and 2014, when it was used to install CryptoLocker ransomware. The CryptoLocker ransomware attack was propagated by infected email attachments and via the Gameover Zeus botnet.

Shortly after that, CryptoWall, Locky and other large-scale attacks also appeared. Many of these threats now fall under the category of advanced persistent threats (APT), meaning that they are built for stealth and persistence, making them especially difficult to detect and remove. Fast-forward to 2017, when ransomware attacks were becoming more large-scale, attacking computers around the world all at once. Some of the biggest and most famous of these include the WannaCry attack of May 2017 (in fact, this year marks the fifth anniversary of that attack), followed by NotPetya in June 2017.

Today, many cybercriminals act within a large, distributed business model, complete with call centers to handle ransom payments. Many organizations of this type target large corporations and industries or high-profile individuals to get the biggest payouts – a strategy known as “big-game hunting.”

Sodinokibi (a.k.a. REvil) is one of many examples of today’s large and profitable cybercriminal operations that use a RaaS business model and recruit affiliates to distribute their ransomware. Their exploits include stealing nearly a terabyte of data from a large law firm and demanding a ransom not to publish it. And as we saw with DarkSide, the stakes continue to rise; threatening critical infrastructure affects far more people than those within the targeted organization and could put people in danger.

Combatting RaaS via Collaboration

Amidst all of this, it’s easy to feel that RaaS operators are winning. But there are options for effective defense, including, crucially, the sharing of threat intelligence.

In addition to technological solutions, a necessary element in building a strong cybersecurity foundation is working with all internal and external stakeholders, including law enforcement. More data helps enable more effective responses. Because of this, cybersecurity professionals must openly partner with global or regional law enforcement, like US-CERT. Sharing intelligence with law enforcement and other global security organizations is the only way to effectively take down cybercrime groups. Defeating a single ransomware incident at one organization does not reduce the overall impact within an industry or peer group.

It’s a common practice for attackers to target multiple verticals, systems, companies, networks and software. To make it more difficult and resource-intensive for cybercriminals to attack, public and private entities must collaborate by sharing threat information and attack data. Private-public partnerships also help victims recover their encrypted data, ultimately reducing the risks and costs associated with the attack.

Visibility increases as public and private entities band together. For example, a financial institution may experience a ransomware attack but not share that information responsibly with law enforcement. Meanwhile, law enforcement working with a credit-card company hit by the same cybercrime group needs exactly that information to understand the group and its full scope. Actionable threat intelligence with global visibility helps both the private and public sectors shift from being reactive to proactive.

A Collaborative Approach

RaaS remains in the spotlight thanks to DarkSide. Unless organizations construct cybersecurity that effectively combats ransomware, the number of incidents like the attack on Colonial Pipeline will continue to grow. Remote work has expanded the threat landscape, as has RaaS by enabling almost anyone to become a cybercriminal. RaaS groups operate like businesses and take millions of dollars from legitimate businesses.

Technology tools are only one half of the anti-cybercrime equation; organizations also need to share their threat intelligence with law enforcement and other security groups. This creates a global network of information that collectively helps defeat ransomware and its creators. It’s the element of security that will truly help turn the tide.

Aamir Lakhani is a cybersecurity researcher and practitioner at FortiGuard Labs.