RaaS Class: A Defensive Guide to Ransomware-as-a-Service Attacks
Despite high-profile takedowns of notorious RaaS gangs, attacks like the Vegas casino hacks in September are surging. As law enforcement plays whack-a-mole, enterprise leaders must educate workers and enhance cyber hygiene protocols.
All it reportedly took for hackers to break into the computing systems of several major Las Vegas casinos in September was a very persuasive 10-minute phone call. But that’s only one way they exploited weak human links in the businesses’ cybersecurity chains to launch devastating ransomware attacks.
The scammers initially penetrated MGM Resorts, Caesars Entertainment, and other casino networks using one of the oldest tricks in the book: convincing IT help-desk staff they were employees who had lost their logins and needed new ones.
The story captured headlines for weeks because it involved such gigantic targets on the Las Vegas Strip as well as enormous dollar figures. For instance, The Wall Street Journal reported Caesars paid an estimated $15 million ransom to regain control of its systems. MGM, meantime, rejected a payout and instead swallowed more than $100 million in operating losses during the time some slot machines, sports-betting kiosks, digital hotel room keys, online reservations, and credit-card systems were inactive.
It is sexy stuff, to be sure. But almost buried in the attack coverage is a more sinister revelation: that a major ransomware-as-a-service (RaaS) group likely armed proxies with all the tools they needed to launch these attacks.
In fact, a RaaS gang called ALPHV, also known as BlackCat, reportedly helped a hacking operation called Scattered Spider, or UNC3944, in its efforts to squeeze money from the casinos in exchange for a share of the loot. That’s typically how RaaS (pronounced “rass”) works: Criminals utilize an Everything-as-a-Service (XaaS) model and offer easy-to-use hacking tools and services on the dark web for a flat monthly fee or a portion of any profits.
Such arrangements are typical for these cybercriminals, according to David Bradbury, CISO of Okta, an identity and access management company. “Think of them more as business associates or affiliates,” Bradbury told Reuters.
In use since at least 2016, this business model for ransomware has been adopted by cyber gangs that carry out their business with the kind of precision and bespoke services (some RaaS packages come with customer service, reviews, feature updates, and discounts) that would make a Wharton professor proud. The result: RaaS has become spectacularly profitable.
Propelling the pain – what is ransomware-as-a-service and why is it so effective?
These kinds of illicit arrangements, it turns out, have not only surged but also played a key role in a nearly 40% rise in global ransomware attacks during the last year, according to a report from Zscaler, a zero-trust platform.
“Would-be cybercriminals use RaaS to carry out attacks they might not otherwise be capable of launching themselves,” said Deepen Desai, global CISO and head of security research at Zscaler. “The vast majority of ransomware groups employ RaaS, which has proven effective, leading to an increase in the number of attacks every year.”
BlackCat is considered one of the largest and most nefarious RaaS gangs, even though its members are largely thought to be Gen Zers in their teens or early 20s. But other big-name players have also hurt organizations in recent years, including:
- BlackBasta, which is believed to have been behind a costly ransomware attack against BankCard USA last June
- Clop, the ransomware gang that recently took advantage of MOVEit file transfer software vulnerabilities to launch attacks affecting more than 40 million people and at least 600 public and private organizations
- Karakurt, an offshoot of the notorious Conti gang that’s been targeting healthcare organizations for the last year, threatening to expose confidential patient records
- LockBit, which the U.S. government says has extorted roughly $91 million from U.S. businesses since 2020. It’s currently seeking a ransom from CDW, one of the world’s largest resellers.
RaaS gangs have been around long enough that many of the most notorious names have already been eliminated. In January, for example, the Hive RaaS group, which allegedly stole more than $100 million from 1,500 victims in 80 countries between 2021 and 2023, was infiltrated and taken down by FBI agents. And last year, members of REvil, the prolific gang that U.S. officials said executed the Colonial Pipeline attack that led to panic gasoline buying on the East Coast, were arrested in Russia.
Yet, despite such takedowns, criminal RaaS-related activity continues to expand and threaten to impact the IT systems of organizations in education, construction, government, healthcare, media, retail, energy, transportation, and financial services, among other industries. As such, industry experts say it’s important to stay vigilant, take precautions, and adapt, because it’s not going away anytime soon.
“I guess for me, it is another one of the greatest hits coming from malicious actors,” said Kathryn Goldman, CEO of Cybermaniacs, a cyber-awareness training consultancy. “Whether it lasts or mutates, I don’t know. But it does seem to be getting worse, and we have to respond to it.”
Preparing for the inevitable – to reverse ransomware-as-a-service, train (and retrain) your workers
Goldman suggests starting with cultural changes aimed at making employees aware of the problem in order to avoid the same fate as those Las Vegas hotel-casinos. Just yesterday, Microsoft published a threat intelligence report on a cybercriminal collective of native English speakers who target help-desk personnel and technical administrators, imitating new employees with remarkably accurate dialect and vocal tics to convince security workers to reset passwords and multifactor authentication (MFA) methods.
Employees don’t have to memorize or even know every RaaS gang on the planet, especially since the players are constantly changing. A more effective course of action, Goldman says, is to educate them about how today’s attackers exploit their psychology or emotions to con them into acting, such as clicking a link or giving out information over the telephone. Social engineering techniques like these allow RaaS attackers to breach a network, seize its assets, or lock it down for a ransom.
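As an added illustration (not from the original article or any vendor mentioned in it), the following Python scans constructed identity-provider events for the pattern described above: a help-desk MFA reset requested over the phone, followed within a short window by a new MFA enrollment from an address the user has never authenticated from. The event format, field names and sample values are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs). One user gets a phone-requested
# MFA reset and re-enrolls minutes later from an address never seen before;
# another is reset in person and re-enrolls from a known office address.
SAMPLE_EVENTS = [
    {"ts": "2023-09-10T09:02:00", "user": "jdoe", "event": "login", "ip": "10.20.1.5"},
    {"ts": "2023-09-10T09:05:00", "user": "jdoe", "event": "mfa_reset", "ip": "10.20.1.5",
     "actor": "helpdesk1", "channel": "phone"},
    {"ts": "2023-09-10T09:11:00", "user": "jdoe", "event": "mfa_enroll", "ip": "203.0.113.7"},
    {"ts": "2023-09-10T09:12:00", "user": "jdoe", "event": "login", "ip": "203.0.113.7"},
    {"ts": "2023-09-10T09:40:00", "user": "asmith", "event": "login", "ip": "10.20.3.9"},
    {"ts": "2023-09-10T10:00:00", "user": "asmith", "event": "mfa_reset", "ip": "10.20.1.5",
     "actor": "helpdesk1", "channel": "in_person"},
    {"ts": "2023-09-10T10:03:00", "user": "asmith", "event": "mfa_enroll", "ip": "10.20.3.9"},
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def find_suspicious_resets(events, window_minutes=30, risky_channels=("phone", "email")):
    """Flag MFA resets requested over a remote channel that are followed, within
    the window, by an MFA enrollment from an address the user never logged in from."""
    events = sorted(events, key=lambda e: e["ts"])
    findings = []
    for i, ev in enumerate(events):
        if ev["event"] != "mfa_reset" or ev.get("channel") not in risky_channels:
            continue
        user = ev["user"]
        reset_at = _parse(ev["ts"])
        # Baseline: addresses this user authenticated from before the reset.
        known_ips = {e["ip"] for e in events[:i] if e["user"] == user and e["event"] == "login"}
        deadline = reset_at + timedelta(minutes=window_minutes)
        for later in events[i + 1:]:
            if _parse(later["ts"]) > deadline:
                break  # events are sorted, so nothing later is in the window
            if later["user"] != user or later["event"] != "mfa_enroll":
                continue
            if later["ip"] not in known_ips:
                findings.append({
                    "user": user, "actor": ev.get("actor"), "channel": ev["channel"],
                    "reset_ts": ev["ts"], "enroll_ts": later["ts"], "enroll_ip": later["ip"],
                    "minutes_after_reset": (_parse(later["ts"]) - reset_at).seconds // 60,
                })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_resets(SAMPLE_EVENTS):
        print(f"ALERT: {f['user']} re-enrolled MFA from new address {f['enroll_ip']} "
              f"{f['minutes_after_reset']} min after a {f['channel']} reset by {f['actor']}")
```

A hit is a signal to call the employee back on a number already on file and to review the help-desk ticket, not proof of compromise on its own.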
“What you’re trying to do is lift all of your people up to become responsive defense agents for your organization,” Goldman says. “For RaaS, it’s less important to focus on the technicalities of risk than it is to shift your psychology about being prepared to respond because ransomware attacks happen so quickly.”
This means taking time to train workers to spot and report phishing emails or vishing calls, and to develop and conduct regular security-skills assessments.
The key word there is “regular” – training and testing are not one-and-done tasks but enterprise-wide (that is, mailroom to boardroom) operations that are repeated on an annual or semi-annual basis.
Defend digitally – tips to decrease your ransomware-as-a-service risk
In addition to cultural change and training, Desai says organizations trying to prevent RaaS-enabled cyberattacks should closely manage role-based access controls (RBACs), which are digital guardrails that decide what people can or cannot access on a network according to their jobs. At the same time, he says enterprises should continually inspect traffic encrypted with transport layer security (TLS), the protocol that encrypts data in transit to keep it away from prying eyes.
He adds it’s important to also prioritize the implementation of user-to-application segmentation, which involves regulating access between individual users and specific apps in order to enhance security and limit attack surfaces.
“This provides an effective way to stop lateral threat movement from reaching your crown-jewel applications and contain the blast radius.”
Desai says another tip is to ensure that your cybersecurity teams are able to inspect all encrypted traffic. More than 85% of attacks use encrypted channels, which often are not inspected, he says. This makes it easy for even moderately sophisticated attackers to bypass security controls and steal data.
Next, it’s imperative to maintain and enforce a consistent security policy that follows the users no matter where they are, Desai says. This includes things like in-line threat inspection (real-time examination of network traffic for malicious content or security risks as it passes through a security device or gateway), sandboxing (where you isolate untrusted or potentially threatening programs inside digital bubbles), and strong FIDO-based MFA, as well as regular security updates.
With the rise of remote work, these security measures are paramount to supporting a distributed workforce, which often accesses critical files and applications in the cloud.
Finally, Goldman says, it’s also useful to have an audit system in place to determine areas of an organization that are most vulnerable to a cyberattack and estimate how those departmental breaches might affect the overall organization.
“One way CISOs can wrap their heads around the various scenarios is to measure their potential impact so they know in advance how big the risk might be and can put it into perspective,” she says. “You have to take a targeted, tailored approach when responding to attacks, and you can only do that with data.”