Ransomware-as-a-service behind the ravaging global ransomware spike

Satnam Narang, Senior Staff Research Engineer at Tenable

The shift to the subscription economy has created a new norm in the as-a-service world, and it's not just Netflix and Spotify that have adopted this business model. New research from Tenable®, the Cyber Exposure company, has found that one of the main reasons ransomware has prospered is the advent of ransomware-as-a-service (RaaS), which has catapulted ransomware from a fledgling threat into a force to be reckoned with.

How has RaaS helped ransomware prosper?

The service model has lowered the barrier to entry, allowing cybercriminals who lack the technical skills to commoditise ransomware. In 2020 alone, ransomware groups earned $692m, a 380% increase over the previous six years combined ($144m from 2013-2019).

The success of RaaS has also attracted other players, such as affiliates and initial access brokers (IABs), who play prominent roles within the ransomware ecosystem, oftentimes more prominent than the ransomware groups themselves.

Affiliates, who earn between 70% and 90% of the ransom payment, are charged with doing the dirty work of gaining access to networks through methods such as spearphishing, brute-force attacks on remote desktop protocol (RDP) systems, exploiting unpatched or zero-day vulnerabilities, and purchasing stolen credentials from the dark web.

Affiliates also work with IABs, individuals who have already gained access to networks and sell that access to the highest bidder. Their fees range on average from $303 for control panel access to as much as $9,874 for RDP access.

What new techniques are ransomware groups using?

The research found that ransomware’s current dominance is directly linked to the emergence of a technique known as double extortion. The tactic, pioneered by the Maze ransomware group, involves stealing sensitive data from victims and threatening to publish these files on leak websites, while also encrypting the data so that the victim cannot access it.

Ransomware groups have recently added a variety of other extortion techniques to their repertoire, ranging from launching distributed denial-of-service (DDoS) attacks to contacting customers of their victims, making it even more challenging for defenders. These tactics are part of the ransomware gangs' arsenal for placing additional pressure on victim organisations.

“With RaaS and double extortion, attackers are finding holes in our current defences and profiting from them. The Australian Cyber Security Centre recorded a fifteen per cent increase in ransomware cybercrime in 2021,” said Satnam Narang, senior staff research engineer.

“So long as the ransomware ecosystem continues to thrive, so too will the attacks against organisations and governments. It’s imperative that these entities prepare themselves in advance so they are in the best position possible to defend against and respond to ransomware attacks.”

“While ransomware groups get the most notoriety and attention for attacks, these groups come and go. In spite of the turnover, affiliates and IABs remain prominent fixtures in this space and more attention should be given to these two groups in the ecosystem at large.”