RaaS kits are easy to find on the dark web, lowering the barrier to entry so that virtually any cybercriminal can launch successful ransomware attacks, Microsoft says.
Ransomware as a service (RaaS) is an increasingly popular attack method. By taking advantage of ready-made ransomware kits built for partners, criminals do not need advanced technical know-how to launch an attack. In a report released Monday, Microsoft covers the latest wave of RaaS attacks and offers tips on how to combat them.
In its August 2022 Cyber Signals report, Extortion Economics, Microsoft explains that RaaS kits can be bought on the dark web as easily as legal products on legitimate e-commerce sites. Through RaaS programs such as Conti and REvil, cybercriminals can buy kits that include everything they need: ransomware payloads, data exfiltration tooling, customer support and payment infrastructure. Customers, known as affiliates, buy into a RaaS program for a set price, while the operator also collects a percentage of the profit from each successful attack.
These campaigns begin with initial access, usually through a malware infection or the exploitation of a security vulnerability. From there, attackers steal credentials to elevate privileges and move laterally through the network. The goal is data exfiltration, which lets the attackers hold critical data for ransom. Most RaaS-based attacks use a double extortion strategy: the victim's data is encrypted, and the stolen copy is also leaked publicly unless the ransom is paid.
The shutdown of the Conti ransomware operation in May 2022 shook the RaaS landscape. Some affiliates that had used Conti's kit switched to other RaaS programs such as LockBit and Hive; others now deploy payloads from multiple RaaS programs.
Two of the groups Microsoft tracks in this space are DEV-0537 (aka LAPSUS$) and DEV-0390 (a former Conti affiliate). DEV-0390 gains its initial foothold through malware but then relies on legitimate tools for data exfiltration and ransom extortion. The group also takes over accounts with stolen credentials and uploads the stolen data to a cloud file-sharing site.
How to protect your organization from ransomware-as-a-service attacks
To protect your organization from RaaS attacks, Microsoft offers several recommendations.
Prevent initial access
Stop malicious code from running by controlling which macros and scripts are allowed to execute.
Segment your network
To limit lateral movement by attackers, segment your network by account privilege, so that a compromised account or host cannot reach the rest of the network.
Audit credential exposure
Auditing where account credentials are exposed can help stop ransomware and cyberattacks in general. Make sure your IT staff and security operations center work together to reduce the number of accounts with administrative privileges and to understand where those accounts are most exposed.
Reduce the attack surface
Set up attack surface reduction rules that block the techniques commonly used in ransomware incidents. Clearly defined rules can stop an attack in its early stages.
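The following PowerShell is an added example (not from the Microsoft report or this article) that applies the "manage macros and scripts" and "attack surface reduction" advice to a single Windows 10/11 endpoint running Microsoft Defender Antivirus. Run it elevated on a test machine first; in production, deliver the same settings through Group Policy or Intune. The ASR rule GUIDs are Microsoft's published values as of this writing and should be checked against the current ASR rules reference before deployment.

```powershell
# Added example: harden one Windows endpoint against the macro/script initial-access
# vector and turn on Defender attack surface reduction (ASR) rules. Not from the
# Microsoft report. Run as administrator; test before broad rollout.

# --- 1. Office: block macros in files that came from the internet --------------
# BlockContentExecutionFromInternet = 1 blocks VBA in Mark-of-the-Web files with
# no user override; VBAWarnings = 4 disables all macros without notification.
# HKCU policy keys affect the current user only; use GPO/Intune for everyone.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'BlockContentExecutionFromInternet' -Value 1 -Type DWord
    Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value 4 -Type DWord
}

# --- 2. Windows Script Host: stop .vbs/.js/.wsf droppers delivered by mail -----
$wsh = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
New-Item -Path $wsh -Force | Out-Null
Set-ItemProperty -Path $wsh -Name 'Enabled' -Value 0 -Type DWord

# --- 3. PowerShell script block logging (Event ID 4104) so the SOC can see the
#        de-obfuscated code an attacker actually ran --------------------------
$sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $sbl -Force | Out-Null
Set-ItemProperty -Path $sbl -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

# --- 4. Defender ASR rules -------------------------------------------------------
# Start in AuditMode, review Microsoft-Windows-Windows Defender/Operational
# (Event ID 1122 = audit hit, 1121 = block), then switch to Enabled.
$asrMode  = 'AuditMode'   # change to 'Enabled' to enforce
$asrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '92E97FA1-5D3E-4B25-A6D6-3F2F85B0D5C1' = 'Block Win32 API calls from Office macros'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
    'D1E49AAC-8F56-4280-B9BA-993A6D77406C' = 'Block process creations originating from PSExec and WMI commands'
    'C1DB55AB-C21A-4637-BB3F-A12568109D35' = 'Use advanced protection against ransomware'
}
foreach ($id in $asrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $asrMode
}

# --- 5. Verify what Defender now reports ----------------------------------------
# Actions come back numerically: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
$actionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id     = $pref.AttackSurfaceReductionRules_Ids[$i]
    $action = $actionName[[int]$pref.AttackSurfaceReductionRules_Actions[$i]]
    '{0}  {1,-8}  {2}' -f $id, $action, $asrRules[$id]
}
```

The audit-first step matters: rules such as "Block all Office applications from creating child processes" and the PsExec/WMI rule will also trip on legitimate line-of-business add-ins and management tooling, and finding those exceptions in audit logs is far cheaper than discovering them as a help-desk outage after enforcement.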
Implement multi-factor authentication
Make sure MFA is enabled for all accounts, prioritizing those with administrative access. MFA is especially critical for a remote or hybrid workforce, where it should be required on all devices, in all locations, at all times. Also enable passwordless authentication, such as FIDO keys or authenticator apps, for sites and services that support it.
Look for blind spots in your security
Make sure your security products are installed correctly and tested regularly. Confirm they are running with the intended security configuration and that no part of your network is left unprotected.
Harden your internet-facing assets
Consider removing duplicate or unused applications to eliminate risky services. Remote-access tools such as TeamViewer are a prime target for cybercriminals, so be deliberate about how and where you allow them.
Harden your cloud assets
As attackers increasingly target cloud-based resources, you need to protect these as well as on-premises assets. Focus on hardening your cloud security posture, and treat cloud administrator and tenant administrator accounts with the same level of care as domain administrators.
Keep your systems up to date
Maintain an inventory of your software and systems so you know where to prioritize patching and security work, and can quickly remediate your most sensitive and critical assets.
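As an added example covering the "remove unused apps", "watch remote-access tools" and "keep an inventory" advice above (again, not from the Microsoft report or this article), the script below builds a quick software and exposure inventory for one Windows host. The list of remote-access products it flags is an assumption; extend it to match your own policy. It writes CSVs that can be collected centrally and compared over time.

```powershell
# Added example: per-host inventory of installed software, flagged remote-access
# tools, listening services and patch age. Not from the Microsoft report.

# Installed software, from the three Uninstall hives (64-bit, 32-bit, per-user).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate

# Remote-access tools that ransomware affiliates abuse for persistence.
# The pattern is an assumed starting list, not an exhaustive one.
$remoteAccessPattern = 'TeamViewer|AnyDesk|ScreenConnect|ConnectWise|Splashtop|AteraAgent'
$remoteAccess = $installed | Where-Object { $_.DisplayName -match $remoteAccessPattern }

# Services listening on the network, mapped to the owning process and binary.
$listeners = Get-NetTCPConnection -State Listen | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    [pscustomobject]@{
        LocalAddress = $_.LocalAddress
        LocalPort    = $_.LocalPort
        Process      = $proc.ProcessName
        Path         = $proc.Path
    }
} | Sort-Object LocalPort -Unique

# Patch level: most recent installed update and how many days ago it went in.
$lastHotfix = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
$daysSincePatch = if ($lastHotfix) {
    (New-TimeSpan -Start $lastHotfix.InstalledOn -End (Get-Date)).Days
} else { $null }

# One-line summary for the host, plus detail CSVs for central collection.
$computer = $env:COMPUTERNAME
[pscustomobject]@{
    Computer          = $computer
    InstalledApps     = @($installed).Count
    RemoteAccessTools = (@($remoteAccess.DisplayName) -join '; ')
    ListeningPorts    = (@($listeners.LocalPort) -join ',')
    LastHotfix        = $lastHotfix.HotFixID
    DaysSincePatch    = $daysSincePatch
} | Format-List

$installed | Export-Csv -Path "$computer-software.csv"  -NoTypeInformation
$listeners | Export-Csv -Path "$computer-listeners.csv" -NoTypeInformation
```

Run from an elevated prompt so that Get-Process can resolve the path of every listening service; without elevation, system-owned listeners show an empty Path. Anything in RemoteAccessTools that is not on an approved list, and any listener whose Path is outside Program Files or the Windows directory, is worth a ticket.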