From the attacks on SolarWinds to the JBS Meat Packing Company, the threat of a cyberattack has been democratized. Enterprises both large and small, across industries, have reported attacks and ensuing business disruptions, financial losses, and damaged reputations. In this article, the first of a three-part series on the rise of ransomware, we’ll cover what Ransomware as a Service (RaaS) is, the key players, what is being done to combat future attacks, and whether your enterprise could be a target. (Hint: The answer is probably yes.)
What Is Ransomware as a Service?
What exactly is Ransomware as a Service (RaaS)? You can think of it as the sinister twin of Software as a Service (SaaS). Just like Salesforce sells its CRM software for customers to utilize, cybercrime organizations are now offering ransomware in a similar vein. In short, organizations that have built malicious software are now offering the technology to others for a profit. Scary, right? With malicious software for sale, groups with fewer technical resources, and those who want a solution without the work of building one themselves, are now able to gain the same hacking abilities as the large and sophisticated groups that spent years cultivating software to exploit system weaknesses and lock down network-wide data.
RaaS is Rising. Quickly.
This malicious new industry is on the rise. According to a Gartner report, 27% of all malware incidents in 2020 were a result of ransomware. There are a few possible reasons why. One reason is that this is an incredibly profitable venture–many companies opt to pay their attackers, as this is often the fastest route to get their systems back up and running. Another reason could be that in addition to profit, malicious software is now more readily available through Ransomware as a Service (RaaS). The more organizations with access to malicious software, the larger the number of attacks launched at corporations per year will be.
Who Are the Main Players?
Throughout the years, we have seen many cybercrime groups come and go, often dismantling and regrouping under a new name to avoid detection. Two of the most notorious hacking groups, often in the news today, originate from Russia: REvil and DarkSide.
REvil, which stands for Ransomware Evil, was behind the Memorial Day weekend attack on the meat processing company JBS, and the attack that targeted Kaseya VSA servers right before the Fourth of July holiday. Kaseya provides IT management solutions for MSPs and IT teams; many customers of Kaseya with on-premise VSA servers were also affected by the attack.
DarkSide has claimed credit for a number of cyberattacks globally, but their most recent claim was the attack on Colonial Pipeline. This attack resulted in major disruptions of US oil distribution to southeastern states, causing gas and oil shortages in the area, and attracting the unwanted attention of the US government.
Both organizations have gone dark since their latest attacks. DarkSide shut down their sites due to pressure stemming from the attention of the US government, but uncertainty surrounds the reason why REvil’s sites went down. Experts believe that the two groups will appear again, next time under new names.
What is Being Done?
As a result of these high-profile attacks, many organizations are investing the necessary resources to train their employees on better security practices and build their cybersecurity stack. With CASBs, secure data transfer solutions, SIEMs, endpoint protection, and more, security is fast becoming a top priority to help combat looming cyber assaults from RaaS. In addition to building their own protection, many organizations are looking to the government for help.
One of the government’s responses to these recent cyberattacks was to create the Ransomware and Digital Extortion Task Force. The goal of this task force is to bring the full weight and resources of the Department of Justice (DOJ) to bear in response to new attacks on US companies. As many other organizations have done, Colonial Pipeline decided to pay the ransom needed to quickly bring their servers back up on May 8th. The task force was able to recover roughly 2.3 million dollars (almost half of the payment made to DarkSide), which added to the mounting pressure the attackers were facing.
Who is a Target?
According to the Cybersecurity and Infrastructure Security Agency, DarkSide has publicly stated they “prefer to target organizations that can afford to pay large ransoms instead of hospitals, schools, non-profits, and governments.” Cybercrime groups will also do their due diligence to identify corporations with ransom insurance, or finances earmarked specifically for that purpose. While larger enterprises are currently the favorite for cyberattacks, smaller organizations also fall victim; however, the ransom amount demanded of smaller entities tends to be significantly lower than that of larger organizations.
In the next part of the Ransomware as a Service series, we will focus on how ransomware attacks have succeeded in the past, and discuss actionable steps to help protect your organization now and in the future. In the meantime, we invite you to visit our Danger for Data series, which focused on potential security vulnerabilities in an enterprise’s back-end and business sides, as well as how your team can mitigate these risks. We also invite you to learn more about the security-first zero trust strategy, and how DataMotion employs this model to help keep your organization’s data safe from would-be thieves while in transit.
To learn more about how you can take action now and protect your data while in motion, visit https://datamotion.com/tour-services/.