What is Ransomware and How Does it Work?
Ransomware is a family of malware that prevents victims from accessing their data. During a ransomware attack, a malicious actor will deploy the malware inside of an organization and, depending on the type and sophistication, will be either manually directed at a storage repository or appear dormant while it gathers information about the nature and location of critical value data.
Once the determination has been made, the malware executes and encrypts the targeted data using a private key that only the attacker has access to or a complex encryption algorithm that only the attacker can decrypt. Once the data is encrypted, it becomes mathematically unfeasible to use a “brute force attack” to decrypt the locked data because it would take an inordinate amount of time (like hundreds of years) to force decryption. The victim organization can either restore their data with uninfected and up-to-date backups or pay the ransom. When the ransom has been paid, the private key or decryption mechanism is provided to the victim, and they can resume normal business operations.
How is Ransomware-as-a-Service Different and Why Are Criminals Using it?
During the COVID-19 pandemic, the shift to remote working has left businesses vulnerable to online assailants without protecting a corporate network or firewalls. With employees suddenly working on unsecured home networks and misconfigured VPNs, companies have lacked suitable security protocols and employee education initiatives to stop cyber-criminals from taking advantage of this shift.
Ransomware-as-a-Service (RaaS) has grown massively as a result. Its business model satisfies the demand of cyber-criminals that lack proficiency in ransomware development. The increasing prevalence of RaaS means that the ability to cause remote, targeted cyber-attacks is highly accessible. Its implications affect not only business security but also national security on an international level.
Cyber-criminals are not stupid. They understand return on investment (ROI), profitability and how to work collaboratively. Like in the software industry, the ability to develop software is significantly different from distributing the software. They each require distinctive skillsets to be executed successfully. So, if it works for typical software companies, why wouldn’t it work for cyber-criminals?
RaaS has lowered the threshold to entry for this type of crime. The ones that distribute the malware can be, and typically are, totally separate from those that create the malware — just like developers and sales representatives have different roles within a company that mutually benefit one another. So, cyber-criminals don’t have to be malware developers or even be in a crew that has this capability; they can simply pay, or work collaboratively with, skilled developers in a strategic alliance that allows them to focus on distribution.
Using this model allows the business leaders of these organized criminal syndicates to maximize profitability without doing more work than they need to. It is not only a cost-effective strategy but also one that provides extra protection for the criminals committing these cybercrimes by creating a layer of separation between the malware developers and the distributors making them less likely to be implicated if one of the members involved is arrested.
How to Protect Against the Threat
To effectively defend against this threat, businesses and organizations need to treat their defensive posture with the same level of rigor and determination as that of their adversaries. Failure to do so will result in their business being compromised and the subsequent theft and monetization of critical value data.
Security should be a top priority at board level. There should be plans for technology, training and threat exercises like red teaming and purple teaming that combine the tactics of the red team, the bad guys, and the blue team, the good guys. Businesses should also include active threat hunting to seek out attackers that have found their way past security.
Organizations will pay for security — either now without interest or later with interest. That interest will manifest itself as the loss of customer confidence, loss of market share, regulatory fines and potentially class action or shareholder derivative lawsuits. For businesses to future proof their operations, it’s essential they act now, rather than wait until their critical value data is under lock and key of a criminal — and held to ransom.