Chris Swagler | August 31st, 2022

Ransomware is a particularly difficult cyber threat to eradicate. It continues to evolve, and the most recent versions are extremely dangerous for companies around the globe. The danger is not new technology in the ransomware itself; it is a new business model, Ransomware-as-a-Service (RaaS), which creates an arrangement between two types of threat actor. First are the operators, who create and maintain the tooling that enables extortion operations (the payload, the leak site, and the negotiation and payment infrastructure); second are the affiliates, who get into victim networks and deploy the ransomware payload. Both sides share the proceeds when an affiliate's ransomware and extortion attack succeeds.

How Does Ransomware-as-a-Service Work?

The RaaS model lowers the bar for cybercriminals who lack the knowledge or skills to develop their own tools. An affiliate does not even need to break in on their own: initial network access can be bought from anyone who has already compromised a system. Beyond the payload itself, many RaaS programs provide extortion support services: hosting leak websites and referencing them in ransom notes, decryption negotiation, payment pressure tactics, and cryptocurrency payment handling. Some operators also supply their affiliates with access to already-compromised networks. Access brokers, in turn, scan the internet for vulnerable systems, compromise them, and hold the access for later sale.

Compromised credentials are highly valued by threat operators because a listing frequently comes with a guaranteed administrator account as part of the deal. What makes the threat so alarming is that RaaS relies on human operators who make informed, calculated decisions and vary the attack pattern based on what they discover inside the accessed network. During the hands-on-keyboard phase of an attack, the operators use their skills and knowledge to disable or evade the security products in the environment. Microsoft refers to these attacks as human-operated ransomware to distinguish them as chains of activity culminating in a ransomware payload, not as a collection of malware payloads to be blocked one at a time.

How Can Companies Defend Themselves Against RaaS?

Develop credential hygiene and monitor exposure to credentials:

Build logical segmentation based on privilege (for example, a tiered administration model in which domain-level administrator accounts never log on to ordinary servers or workstations) and use it together with network segmentation to stop users and attackers from moving laterally. Auditing where credentials are exposed is essential to preventing ransomware attacks and cybercrime in general. IT security teams and Security Operations Centers need to collaborate to reduce the number of users with administrative rights and to understand how exposed the remaining privileged credentials are.
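As an added example (not code from the original article or from SpearTip), the script below shows what a minimal credential-exposure audit looks like in practice. It takes a constructed group-membership export, a constructed host tier map, and a handful of constructed Windows 4624 logon events, and reports three things: the set of accounts holding administrative rights (the set to shrink), Domain Admin logons of a credential-caching type (interactive or RDP) onto hosts below Tier 0, where the credential becomes recoverable by whoever compromises that host, and accounts that logged on interactively to several hosts in the window, the pattern a hands-on-keyboard operator produces while moving laterally. The tier model, group names, logon-type meanings and the `min_hosts` threshold are assumptions for the example.

```python
"""Credential-exposure audit over constructed Windows logon events.

Added example, not part of the original article. Group membership, host
tiers and the 4624 event lines below are all constructed for illustration.
"""
from collections import defaultdict

# Constructed tier model: Tier 0 = identity infrastructure, Tier 1 = servers,
# Tier 2 = workstations. Privileged accounts should never log on below Tier 0.
HOST_TIER = {
    "DC01": 0, "ADFS01": 0,
    "FILE01": 1, "SQL01": 1,
    "WS-ALICE": 2, "WS-BOB": 2, "WS-CAROL": 2,
}

# Constructed group-membership export (what Get-ADGroupMember would return).
GROUP_MEMBERS = {
    "Domain Admins": {"alice", "svc_backup", "bob"},
    "Administrators": {"alice", "helpdesk01"},
}

# Constructed successful-logon (4624) events. Logon type 2 = interactive and
# 10 = RemoteInteractive (RDP); both leave a reusable credential on the target.
# Type 3 = network logon, which does not cache the credential on the target.
EVENTS = """\
2022-08-30T08:01:11 4624 user=alice host=WS-ALICE type=2
2022-08-30T08:15:42 4624 user=alice host=DC01 type=10
2022-08-30T09:02:05 4624 user=svc_backup host=FILE01 type=3
2022-08-30T09:30:18 4624 user=bob host=WS-BOB type=2
2022-08-30T10:11:59 4624 user=bob host=WS-CAROL type=10
2022-08-30T10:12:30 4624 user=bob host=SQL01 type=10
2022-08-30T11:45:03 4624 user=helpdesk01 host=WS-CAROL type=10
"""

# Logon types that cache a credential on the target host (assumption for the
# example: 2 interactive, 10 RDP, 11 cached interactive).
CACHING_LOGON_TYPES = {"2", "10", "11"}


def parse_events(text):
    """Parse one constructed 'timestamp eventid key=value ...' line per record."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, *pairs = line.split()
        rec = {"time": ts, "event_id": event_id}
        for pair in pairs:
            key, value = pair.split("=", 1)
            rec[key] = value
        records.append(rec)
    return records


def privileged_accounts(groups):
    """Every account holding any administrative group membership."""
    privileged = set()
    for members in groups.values():
        privileged |= members
    return privileged


def tier_violations(events, groups, host_tier):
    """Domain Admin logons of a caching type onto a host below Tier 0.

    Each returned (user, host, logon_type) row marks a host where a Tier 0
    credential is now recoverable by anyone who compromises that host.
    Unknown hosts are treated as Tier 2 (least trusted) by assumption."""
    domain_admins = groups.get("Domain Admins", set())
    violations = []
    for e in events:
        if e["user"] in domain_admins and e["type"] in CACHING_LOGON_TYPES:
            if host_tier.get(e["host"], 2) > 0:
                violations.append((e["user"], e["host"], e["type"]))
    return violations


def lateral_movement_candidates(events, min_hosts=3):
    """Accounts with caching-type logons to at least min_hosts distinct hosts
    in the window. The threshold is a tuning assumption for the example."""
    hosts = defaultdict(set)
    for e in events:
        if e["type"] in CACHING_LOGON_TYPES:
            hosts[e["user"]].add(e["host"])
    return {u: sorted(h) for u, h in hosts.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    evs = parse_events(EVENTS)
    print("privileged accounts:", sorted(privileged_accounts(GROUP_MEMBERS)))
    for row in tier_violations(evs, GROUP_MEMBERS, HOST_TIER):
        print("tier violation:", row)
    for user, hostlist in lateral_movement_candidates(evs).items():
        print("multi-host caching logons:", user, hostlist)
```

On the constructed data the audit flags four admin accounts, four tier violations (alice on her own workstation, bob on two workstations and a server) and bob as the only account spreading across three hosts; the first finding drives the "reduce administrative rights" conversation, the second shows where a dumped LSASS would yield a Domain Admin credential, and the third is the kind of pattern worth alerting on once the threshold is tuned to the environment.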

Harden the assets connected to the cloud and the internet:

Ensuring the identity infrastructure is strong needs to be a top priority for security teams. This means enforcing multifactor authentication (MFA) on every account, and giving cloud administrators and tenant administrators the same level of security and credential hygiene as domain administrators. Companies can find and patch vulnerabilities using the threat and vulnerability management features of endpoint detection and response (EDR) products to reduce exposure.

Minimize security blind spots:

Companies need to make sure their security tools are deployed and functioning on every system, and they need to regularly scan the network to confirm that no host is running without them. A host with no sensor, or a sensor that has stopped reporting, is a blind spot an operator can work from undetected.
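As an added example (not code from the original article or from SpearTip), the script below reconciles an asset inventory against endpoint-sensor check-ins to surface exactly those blind spots: inventoried hosts with no sensor at all, hosts whose sensor has gone quiet, and reporting hosts that are not in the inventory at all (unmanaged or rogue machines). The inventory, the check-in lines, the fixed "now" and the 24-hour staleness window are constructed assumptions.

```python
"""Security-tool coverage check over constructed inventory and sensor data.

Added example, not part of the original article. Reconciles what should be
protected (an asset inventory) with what is actually reporting (endpoint
sensor check-ins). All data below is constructed for illustration.
"""
from datetime import datetime, timedelta

# Fixed reference time so the example is deterministic (assumption).
NOW = datetime(2022, 8, 31, 12, 0, 0)
# A sensor silent for longer than this is treated as not protecting the host.
STALE_AFTER = timedelta(hours=24)

# Constructed asset inventory (e.g. AD computer objects or a CMDB export).
INVENTORY = ["DC01", "FILE01", "SQL01", "WS-ALICE", "WS-BOB", "WS-CAROL", "VPN-GW01"]

# Constructed sensor check-in export: host,last_checkin,sensor_version.
SENSOR_LOG = """\
DC01,2022-08-31T11:58:00,7.2.1
FILE01,2022-08-31T11:55:30,7.2.1
SQL01,2022-08-29T02:14:00,7.1.0
WS-ALICE,2022-08-31T11:59:10,7.2.1
WS-BOB,2022-08-31T11:57:45,7.2.1
LAB-TEST9,2022-08-31T11:50:00,7.2.1
"""


def parse_sensor_log(text):
    """Return {host: (last_checkin datetime, sensor_version)}."""
    checkins = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        host, stamp, version = line.split(",")
        checkins[host] = (datetime.fromisoformat(stamp), version)
    return checkins


def coverage_report(inventory, checkins, now=NOW, stale_after=STALE_AFTER):
    """Classify every host and compute the fraction of inventory that is
    actually covered by a sensor that has reported within stale_after."""
    inv = set(inventory)
    last_seen = {host: stamp for host, (stamp, _) in checkins.items()}

    missing = sorted(inv - set(last_seen))                       # no sensor ever
    stale = sorted(h for h, t in last_seen.items()
                   if h in inv and now - t > stale_after)        # sensor went quiet
    unknown = sorted(set(last_seen) - inv)                        # reporting but not inventoried
    healthy = [h for h in inv if h in last_seen and now - last_seen[h] <= stale_after]

    return {
        "missing": missing,
        "stale": stale,
        "unknown": unknown,
        "healthy": sorted(healthy),
        "coverage": len(healthy) / len(inv) if inv else 0.0,
    }


if __name__ == "__main__":
    report = coverage_report(INVENTORY, parse_sensor_log(SENSOR_LOG))
    print(f"coverage: {report['coverage']:.0%}")
    for bucket in ("missing", "stale", "unknown"):
        print(f"{bucket}: {report[bucket]}")
```

On the constructed data only four of seven inventoried hosts are actually covered: the VPN gateway and one workstation have no sensor, the SQL server's sensor has been silent for two days, and a lab machine is reporting that nobody put in the inventory. Each bucket is a different follow-up (deploy, investigate why it stopped, and decide whether the unknown host should be managed), which is why the report separates them rather than producing a single coverage percentage.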

Shrink The Attack Surface:

Establish attack surface reduction rules to limit the avenues threat operators can use to launch an attack. Companies with clearly defined rules were found to mitigate attacks early, before further damage was done.

Analyze the Perimeter:

Companies need to identify and protect the perimeter systems (such as remote access and VPN gateways) that threat operators use to reach the network. Internal asset data can be augmented with external attack surface data from public scanning services such as RiskIQ.

Recovery Preparation:

Companies need a strategy for recovering quickly from a ransomware attack; done well, recovery is far less expensive than paying the ransom. Back up critical systems periodically and protect the backups from being deleted or encrypted by the same operator who encrypts production. Keep backups completely offline, off-site, or in online immutable storage, and test restores regularly so the plan is known to work before it is needed.

The ransomware business model is changing and becoming more dangerous every day. There are several steps companies need to take to defend themselves against ransomware attacks. It is also critical for companies to remain vigilant about the current threat landscape and to follow the points above to make it difficult for ransomware operators to succeed. At SpearTip, our remediation experts focus on restoring companies' operations, reclaiming their networks by isolating ransomware, and recovering business-critical assets. The ShadowSpear Platform, our integrable managed detection and response tool, delivers cloud-based solutions that collect endpoint logs and detect advanced ransomware threats through comprehensive insights.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.