Ransomware-as-a-service: A new business model for cybercriminals

The sale of ransomware secrets creates an explosion of cyberattacks

Jun 02, 2022

Ransomware has become the most significant cybersecurity threat today, affecting large multinational organizations and the smallest of entities. A ransomware attack represents a low-risk, high-reward opportunity for criminals, as little effort is required to access sensitive information and demand bounties that can cause extensive harm to businesses—especially small- to medium-sized companies.

The RSM US Middle Market Business Index 2022 Cybersecurity Special Report found that 41% of middle market executives know of a company targeted by a ransomware attack, and 23% of executives experienced an attack themselves in 2021. In the current environment, inaction is not an option, and companies must take proactive steps to address expanding and evolving ransomware risks.

To add to the evolving threat landscape, cybercriminals have taken advantage of the exponential growth of ransomware-as-a-service (RaaS), a service model where sophisticated threat actors develop and sell ransomware platforms to other threat actors. Now, cybercriminals no longer need to be highly technical to launch a cyberattack on an organization, so potentially lucrative ransomware attacks are rapidly increasing.

How does the RaaS model work?

The RaaS model provides the purchaser with extensive training, reference materials and malicious code that can be used to launch a ransomware attack. Here are some key takeaways for understanding how RaaS works.

RaaS providers typically use several different purchase models

  • Subscription: The RaaS provider receives a predetermined cryptocurrency payment for a finite period of usage.
  • Affiliate: The RaaS provider receives a recurring fee plus a percentage of the ransom payment.
  • Purchase: The RaaS provider sells a kit to the purchaser.

The attacks leverage well-established hacking tools (i.e., Mimikatz), while employing current vulnerability and penetration testing tools (i.e., Cobalt Strike). These attacks are designed to not only exploit well-known, existing vulnerabilities but also take advantage of new zero-day vulnerabilities. Threat actors have developed elaborate social engineering and intelligence-gathering methods to cause significant devastation for a victim when a ransomware attack is launched.

How to protect your organization from ransomware attacks

The reality is that ransomware will continue to be an ongoing threat to organizations, and there is no way to completely remove the risks. However, the following actions can help reduce the potential success of an attack.

Stay informed about new vulnerabilities

The National Institute of Standards and Technology (NIST) published information to help protect against threats and recover from a potential ransomware attack. In addition, the US-CERT—CISA regularly posts updates on new vulnerabilities and attacker tactics, techniques and procedure (TTP) trends.

Make sure you have backups

It is important to have backups not just for business continuity and disaster recovery, but also to be able to restore critical data if a ransomware attack occurs. The trusted, age-old 3-2-1 backup rule will help protect backups from attackers. Don’t forget that attackers also work nights, weekends and holidays, so you should have regular and frequent backups.

Implement advanced endpoint detection and antivirus protection

While attackers use established TTPs, they are also attacking new vulnerabilities and constantly updating their tool sets. Have a robust and properly configured defense system in place to identify and minimize potential attacks before they gain traction and affect your environment.

Have an incident response plan

Develop a strategy that outlines how your organization will respond if you suffer an attack. A ransomware situation is a chaotic event; the longer it takes you to respond to an attack, the more costly it will be. Ransomware has always been a concern, but the rapidly changing threat landscape is increasingly affecting companies of all types and sizes. Every organization should create a security approach that includes strategies to both prevent and remediate ransomware attacks. A strong security plan can limit financial exposure and reduce downtime.

More cybersecurity insights

Stay up to date on what matters most to your business.

Let us know your personal preferences for topics, industries and services to start receiving RSM updates in your inbox. Get the most from insights, events and offers from our team of first-choice advisors.