Rise of RaaS: Consolidating the Vendor Risk Factor

In the first part of our Rise of Ransomware as a Service series, we learned RaaS enables organizations to purchase ransomware and gain hacking resources which were not accessible before. With heightened access to malicious software, a rise in ransom attacks has followed. In this second part of our Rise of RaaS series, we will focus on ransomware protection and defense.

This post will review three high-profile cyberattacks that grabbed America’s attention this past year. Understanding how these attacks occurred, and the snowball effect that often follows, allows organizations to build their defenses and implement strategies to thwart similar assaults, as hackers often reutilize techniques. We’ll review some key steps and new security strategies that, when implemented, will ensure your organization is protected, as well as resilient, to ransomware.

The first attack we want to expound upon is what many know as the hack on the Pentagon and Department of Homeland Security. This recognition is due, of course, to the major security risk this hack imposes to the United States. But the Pentagon and DHS were not the only entities compromised in this attack. Fortune 500 companies, as well as additional government agencies, were also breached. These organizations all had one thing in common: a third-party vendor named SolarWinds, a Texas-based vendor that provides IT management tools for their customers.

It’s unclear how hackers gained access to the SolarWinds infrastructure, but once inside they began work on creating a duplicate of a SolarWinds patch that was due to be released to customers. The replica included the same bug fixes and software updates that SolarWinds had intended it to have, but lines of malicious code were added. At the very last second, right before SolarWinds was set to deploy their patch, the hackers switched the two and the replica patch containing malicious software was released. Customers were then able to download and deploy what they thought was the SolarWinds patch. Once this patch was deployed on any server with Internet access, a backdoor was opened and the attackers made themselves right at home. The intrusions were only discovered when the cybersecurity giant, FireEye, noticed some strange activity in their network and investigated. They traced this activity to the SolarWinds patch and discovered the malicious code.

Without FireEye’s inspection, the hackers could have continued undetected, extending their reach before locking down data and requiring a ransom for restoration. This prompts a frightening question: Could hackers have used the same methodology as the patch swap, or something similar, to gain access to other organizations and have yet to be discovered? We will review ransomware protection tips towards the end of this article, but we think it’s worth mentioning now that a “see something, say something” approach is of critical importance. Many employees may write off suspicious activity as a glitch or one-off scenario, but a sense of due diligence to investigate these situations caught a breach that affected an estimated 18,000 organizations. Of course, not everyone has the same resources as FireEye, but a log of suspicious activity and when it occurred can give your third-party vendors reason for an additional patch review.

The attack on Kaseya occurred more recently, on the Friday before the Fourth of July weekend. Like the Solar Winds attack, the Kaseya breach affected their customers as well. Kaseya provides IT management solutions for managed service providers (MSPs) and IT teams. The managed service providers who utilized Kaseya‘s products provide security and management services to their customers. This management integration caused a snowball effect and allowed hackers within the affected MSPs to gain access to Kaseya’s customers’ infrastructures as well. This led to the breach reaching about 1,500 companies.

The attack occurred when hackers from REvil, the Russian based cybercrime group, found a zero-day vulnerability, or a vulnerability that has just been discovered, in Kaseya’s VSA servers which allowed them entry. From here, REvil hackers scanned the internet to find any of Kaseya’s customers utilizing this software in order to exploit the vulnerability and access their infrastructure as well. REvil demanded $70 million dollars in exchange for a key to decrypt their environment. As mentioned in the first part of this series, REvil has since taken down their site and did so without providing any decryption keys for those, like Kaseya, still in negotiations. Kaseya has stated that they have since obtained a universal decryptor from a third party.

The last and most recent breach we’ll touch upon is the attack on Accenture. This attack happened on Tuesday, August 8^th when the cyber-crime organization, LockBit, encrypted data on Accenture’s infrastructure and seemingly exfiltrated the data offline. Lockbit has threatened to release the data to their site if a ransom is not paid.

According to Accenture, they had tactics in place to minimize the impact of this attack. Once suspicious activity was noticed, their team worked quickly to trace the activity and lock down their servers to limit what the hackers could access. From there, they were able to roll their encrypted servers back to their latest backup or snapshot version. This rollback method is effective and a route many organizations have taken in the past. Rolling your servers back may cause you to lose any changes made from the time the last backup or snap was taken to the time of the rollback, but allows organizations to get their infrastructure up and running quickly, without paying a ransom.

In the next section, we will provide tips to protect against ransomware, as well as techniques to make your environment resilient if an attack does occur. However, we want to emphasize the importance of backing up your servers, as we’ve seen in this example. Doing so frequently will minimize the data lost and allow for easy and seamless disaster recovery in the wake of an attack. It’s also good practice to store backups in a separate location so if one server is destroyed or compromised, the backup is not lost with it. Now, let’s jump into some additional steps you can take in order to be both protected and resilient.

A new cyber security practice rising with RaaS is vendor consolidation. As the examples reviewed in this post have shown, companies both large and small can fall victim to ransomware through their third-party vendors. With this revelation, many organizations are taking preemptive measures to protect themselves and limiting vendors will help reduce your attack surface. The vendor consolidation strategy involves using one vendor to fulfill as many tasks as possible and building in-house solutions to replace software that’s currently contracted out.

One step to implementing this strategy is to understand the full reach each vendor has, which can allow you to utilize them for multiple needs. You may need to do your research and ask about other products your trusted vendors provide. It’s common for vendors to fulfill multiple needs and not get to market each of their products to you, so you might not know the full capabilities one vendor has. For example, DataMotion, Inc. is best known for our secure messaging technology, but we are also a Health Information Service Provider (HISP). This is a separate product and therefore may not come up when searching and researching about our secure messaging APIs. However, with a quick inquiry into our full product list found either on our website or through a sales representative, this can be easily discovered.

In addition to the vendor consolidation strategy, it’s also important to ask your vendors what their security stack looks like, and which companies they work with. Have this conversation not only while searching for a vendor, but also with current vendors. As industry leaders learn more, new security best practices, techniques and strategies will be developed (such as vendor consolidation) and it is important that you and your vendors work to implement them.

MFA is another great way to prevent a breach. A password is a mere speed bump that is one successful brute force attack away from being broken. The more complex a password is the longer the brute force may take, but it will still be hackable. Once a password is cracked, a second layer of defense is required. Most multifactor authentication strategies require the user to type in a code they receive from a text, email or authentication app that is only valid for a short period of time (so the code can’t be brute forced as well).

Finally, a resilient infrastructure is extremely important. You can do everything correctly on your end to protect your company against ransomware, but a vulnerability in a vendor’s product or system can still leave you open to a breach. Therefore, you must ensure that you have internal security measures in place to minimize damage if a breach does occur. This is why a least privilege model (LPM) or zero trust is essential.

The least privilege model ensures each system and user only has access to what they need to do their job, and no more than that, thus limiting any access to a hacker if they gain network entry. Similarly, zero trust treats an internal network just as it would traffic coming from outside the network; users and devices are not trusted simply because they have joined the network. They must be verified, just as a user from outside would be. Those who implement zero trust also utilize LPM, encryption and MFA within their internal network. The use of either model means if any user or system is compromised through a zero-day vulnerability or phishing attack, the data the hackers can open is limited by the access available. A zero trust approach is something DataMotion has implemented since the early stages of our development.

The encryption factor of zero trust is one we especially advocate for. Encrypted data on file servers, as well as any sensitive emails and messages, will help protect data from intruders within your environment. Hackers will not be able to open or read encrypted data in folders and messages. In the same vein, if encrypted data is exfiltrated from your environment, and the attackers threaten to decrypt your data and post it for all to see you don’t have to worry.  Your encrypted data will be unreadable. Windows file servers make it easy to encrypt sensitive data, and a tool like DataMotion makes it easy to send and receive encrypted messages and know they are backed up on our messaging portal.

As ransomware continues to rise, cybercrime groups are becoming stronger and smarter. They are learning to target organizations that will enable them to reach as many companies as possible through a single vulnerability. Attacking third-party vendors often creates a snowball effect, allowing the organization’s customers, and in some cases customers’ customers, to fall victim as well. Understanding this risk allows companies to take preemptive steps to help protect themselves. In addition to vendor consolidation, understanding your vendor’s security level and keeping up with security best practices will help prevent a breach. A least privilege model and data encryption will help keep you resilient if a breach does occur.

The final post of this RaaS Series will cover the aftermath of an attack, including the steps often taken to bring encrypted infrastructures back up and running, how victims engage in negotiations, and the legal issues that often follow. Keep an eye out for this installment, as it will also provide additional security tips to help protect your company from a ransomware attack.

If you haven’t already, please visit our recent Danger for Data series, which focused on potential security vulnerabilities in an enterprise’s back-end and business sides, as well as how your team can mitigate these risks. To learn more on how you can take action now and protect your data while in motion, visit https://datamotion.com/tour-services/.

• The Rise of Ransomware as a Service
• The Rise of RaaS: The Real Cost of Ransomware

• The New York Times’ Scope of Russian Hacking Becomes Clear: Multiple U.S. Agencies Were Hit by David E. Sanger, Nicole Perlroth and Eric Schmitt
• NPR’s “A ‘Worst Nightmare’ Cyberattack: The Untold Story Of The SolarWinds Hack” by Dina Temple-Raston
• NPR’s “A Ransomware Attack Hit Up To 1,500 Businesses. A Cybersecurity Expert On What’s Next” by Leila Fadel
• The Verge’s “19 days after REvil’s ransomware attack on Kaseya VSA systems, there’s a fix” by Richard Lawler
• Inforsecurity Magazine’s “Accenture Tied Up in $50M Ransom Lockbit 2.0 Attack” by Sophia Waterfield
• Gartner Top Security Risk and Trends for 2021 contributed by Kasey Panetta
• CPA Practice Advisor’s Zero Trust and Least Privilege: What a Cybersecurity Mindset Looks Like