In a ransomware attack, a Threat Actor (someone who has gained unauthorised access to your systems) encrypts files on a device or across a network, making them inaccessible and unusable without the decryption key.
Threat Actors then sell that decryption key back to the affected person or business, usually demanding payment in cryptocurrency, extorting them for money in exchange for access to their own files.
Names like "WannaCry", "LockBit" and "Maze" are a few of the infamous ransomware families seen over the last few years. Triskele Labs have also seen instances where a Threat Actor has used the built-in Windows encryption feature, BitLocker, to perform full-disk encryption on devices, locking users out of their endpoints (the devices connected to the network, whether by cable or wireless): truly living off the land, since no malware needs to be dropped at all.
There is no doubt that ransomware is very lucrative for Threat Actors. CrowdStrike, in its 2021 Global Security Attitude Survey, reported that the average ransom payment in 2021 had increased to USD 1.79 million from USD 1.10 million the previous year. One way ransomware has evolved is by lowering the barrier to entry, through Ransomware as a Service (RaaS).
Ransomware as a Service
RaaS is essentially the Software as a Service (SaaS) business model applied to crime: a Threat Actor outsources the ransomware component of their attack. An operator who specialises in gaining initial entry into an organisation's environment, but lacks the skill or time to develop custom malware, may join a RaaS group as an affiliate.
This significantly lowers the barrier to entry for performing a ransomware attack. RaaS groups provide their affiliates with an expertly developed piece of malware, often customised for the target environment to minimise the chance of detection. If an attack succeeds, the RaaS group and the affiliate split the payment according to whatever terms they have agreed.
RaaS groups are run like large businesses focused on ransomware attacks. They may have multiple affiliates working with them, each gaining initial access into victim environments and deploying the group's ransomware.
These affiliates are usually recruited from cyber-criminal forums and may even be required to provide references from other criminals before being onboarded. Affiliates can generally earn between 10 and 30% commission on each ransom payment. RaaS groups may also provide training on exploits, tooling and infrastructure [3]. Some RaaS groups, such as Conti [4], have even paid affiliates a wage instead of a commission.
What can you do to prevent a ransomware attack?
There is no silver bullet for protecting your organisation from ransomware; rather, there is a series of steps you can take to minimise the risk. One of the most impactful is patching: making sure that your devices, particularly those that are internet facing, are kept up to date.
If a Threat Actor does exploit a gap in your defences (an unpatched ProxyShell or Log4j vulnerability, for example), having your endpoints feed telemetry and logs to a Security Information and Event Management (SIEM) system can make a massive difference. A SIEM can alert you when something suspicious has occurred, while an Endpoint Detection and Response (EDR) tool can actively block malicious activity on the host. Together they can be the difference between an isolated initial compromise and one that progresses to privilege escalation and lateral movement, which is potentially far more damaging. User awareness training is a further preventive measure, helping employees recognise and report phishing attempts.
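As an added example (not Triskele Labs' code, nor any SIEM or EDR vendor's rule), the following Python script applies the kind of correlation logic a SIEM would run over endpoint telemetry once it is being collected. It looks for three behaviours that accompany a ransomware deployment: one process renaming many files to an unfamiliar extension within a short window, the same ransom-note filename being dropped into many directories, and commands that delete Volume Shadow Copies. The Sysmon-style events it analyses are constructed inline, and the host name, process paths, thresholds and indicator names are assumptions for the demo.

```python
"""Ransomware-behaviour triage over endpoint file telemetry.

Added example, not Triskele Labs' code or any SIEM vendor's rule. It scores
constructed Sysmon-style events for three behaviours that precede or
accompany ransomware detonation. All paths, thresholds and the sample events
below are assumptions for the demo.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Tunables (assumed for the demo, not vendor defaults; tune to your own baseline).
RENAME_THRESHOLD = 10                   # renames to an unknown extension by one process ...
RENAME_WINDOW = timedelta(seconds=60)   # ... within this sliding window
NOTE_DIR_THRESHOLD = 3                  # same note filename created in this many directories
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".txt", ".csv", ".bak", ".tmp", ".zip"}
NOTE_NAME = re.compile(r"readme|decrypt|restore|recover|how_to", re.I)
NOTE_TYPES = {".txt", ".html", ".hta"}
# vssadmin / wmic / wbadmin invocations that destroy local restore points.
SHADOW_KILL = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|"
    r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)


@dataclass(frozen=True)
class Finding:
    host: str
    image: str
    indicator: str
    detail: str


def analyse(events):
    """Return a list of Finding for the given telemetry events (dicts)."""
    findings = []
    renames = defaultdict(list)   # (host, image) -> timestamps of suspicious renames
    notes = defaultdict(set)      # (host, image, note filename) -> directories it appeared in
    for ev in events:
        key = (ev["host"], ev["image"])
        if ev["event"] == "ProcessCreate" and SHADOW_KILL.search(ev["cmdline"]):
            findings.append(Finding(*key, "shadow_copy_deletion", ev["cmdline"]))
        elif ev["event"] == "FileRename":
            ext = PureWindowsPath(ev["target"]).suffix.lower()
            if ext and ext not in KNOWN_EXTENSIONS:
                renames[key].append(datetime.fromisoformat(ev["ts"]))
        elif ev["event"] == "FileCreate":
            path = PureWindowsPath(ev["target"])
            if path.suffix.lower() in NOTE_TYPES and NOTE_NAME.search(path.stem):
                notes[(*key, path.name.lower())].add(str(path.parent).lower())

    # Sliding window: flag the first moment RENAME_THRESHOLD renames fall inside RENAME_WINDOW.
    for key, times in renames.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > RENAME_WINDOW:
                start += 1
            if end - start + 1 >= RENAME_THRESHOLD:
                findings.append(Finding(*key, "mass_rename",
                    f"{end - start + 1} renames to an unknown extension within {RENAME_WINDOW.seconds}s"))
                break
    for (host, image, name), dirs in notes.items():
        if len(dirs) >= NOTE_DIR_THRESHOLD:
            findings.append(Finding(host, image, "ransom_note_spray",
                                    f"{name} created in {len(dirs)} directories"))
    return findings


def constructed_events():
    """Constructed sample telemetry (not real logs): one benign Word session,
    one benign backup job and one malicious 'update.exe' on host WS01."""
    base = datetime(2024, 1, 15, 9, 30, 0)
    ts = lambda s: (base + timedelta(seconds=s)).isoformat()
    word = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
    backup = r"C:\Program Files\BackupAgent\agent.exe"
    mal = r"C:\Users\alice\AppData\Local\Temp\update.exe"
    events = [
        {"ts": ts(0), "host": "WS01", "image": word, "event": "FileRename",
         "target": r"C:\Users\alice\Documents\Report.docx"},
        {"ts": ts(1), "host": "WS01", "image": word, "event": "FileCreate",
         "target": r"C:\Users\alice\Documents\readme.txt"},
        {"ts": ts(2), "host": "WS01", "image": backup, "event": "ProcessCreate",
         "cmdline": "agent.exe --snapshot --quiet"},
        {"ts": ts(5), "host": "WS01", "image": mal, "event": "ProcessCreate",
         "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    ]
    for i in range(12):   # 12 renames to .lockd within 24 seconds
        events.append({"ts": ts(10 + 2 * i), "host": "WS01", "image": mal, "event": "FileRename",
                       "target": rf"C:\Share\Finance\Q{i}.xlsx.lockd"})
    for folder in ("Finance", "HR", "Legal"):
        events.append({"ts": ts(40), "host": "WS01", "image": mal, "event": "FileCreate",
                       "target": rf"C:\Share\{folder}\README_TO_RESTORE.txt"})
    return events


if __name__ == "__main__":
    for f in analyse(constructed_events()):
        print(f"{f.host} {f.indicator:<22} {f.image}\n    {f.detail}")
```

The benign Word and backup-agent events produce nothing, while the single malicious process trips all three indicators; in practice the shadow-copy deletion alone is worth an EDR block rule, because it fires before the bulk encryption starts.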
Phishing emails are a common initial vector for ransomware. Threat Actors craft emails that entice a user to visit a fake login page that harvests their credentials, or that deliver an attachment containing malware. An email protection gateway is an effective way to filter phishing attempts and malicious attachments before they reach employees, though no gateway catches everything, which is why the measures below still matter.
Enabling multi-factor authentication (MFA) on accounts is also vital. If a Threat Actor obtains valid credentials through phishing or social engineering, requiring a second factor, such as an authenticator app on a mobile phone, may stop them in their tracks. Prefer app-based or hardware-token methods over SMS codes, which are easier to intercept.
Knowing what your organisation's most critical data is, where it resides and how it is protected is also extremely important. Backing this data up regularly, and testing that the backup and restore procedures actually work, will allow an organisation to recover should the worst happen. Keep at least one copy offline or otherwise immutable: Threat Actors routinely delete reachable backups and shadow copies before deploying the ransomware, precisely so that paying becomes the only way back.
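The restore test described above, as an added example that is not Triskele Labs' procedure or any backup product's feature: the script records a manifest of SHA-256 hashes when a backup is taken, then performs a restore drill by extracting the archive into a scratch directory and comparing every file against that manifest. The sample data, archive names and the simulated mis-scoped backup job (a directory silently excluded) are constructed for the demo.

```python
"""Backup restore drill: prove a backup can actually be restored.

Added example, not Triskele Labs' procedure or any backup product's feature.
A manifest of SHA-256 hashes is recorded when the backup is taken; the drill
restores the archive into a scratch directory and compares every file to that
manifest, so a mis-scoped job or a corrupted archive is found before the day
you depend on it. Sample data, archive names and the simulated exclusion are
constructed for the demo.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative POSIX path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(root: Path, archive: Path, exclude=frozenset()) -> dict:
    """Write a tar.gz of root plus a manifest taken at backup time.
    `exclude` (top-level directory names) simulates a mis-scoped backup job."""
    manifest = build_manifest(root)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            if rel.split("/")[0] not in exclude:
                tar.add(root / rel, arcname=rel)
    (archive.parent / (archive.name + ".manifest.json")).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_restore(archive: Path, manifest: dict) -> dict:
    """Restore into a scratch directory and diff it against the manifest."""
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            # The 'data' extraction filter (Python 3.12+, backported to 3.8.17/3.9.17/
            # 3.10.12/3.11.4) refuses absolute paths and '..' traversal inside the archive.
            kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(dest, **kwargs)
        restored = build_manifest(dest)
    missing = sorted(set(manifest) - set(restored))
    unexpected = sorted(set(restored) - set(manifest))
    corrupted = sorted(r for r in set(manifest) & set(restored) if manifest[r] != restored[r])
    return {"ok": not (missing or unexpected or corrupted),
            "missing": missing, "unexpected": unexpected, "corrupted": corrupted}


def run_drill():
    """Back up constructed sample data, then verify a complete and a mis-scoped archive."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        src = work / "critical"
        # Constructed stand-in for the organisation's critical data.
        (src / "finance").mkdir(parents=True)
        (src / "hr").mkdir()
        (src / "finance" / "ledger.csv").write_text("2024-01-15,invoice,1200.00\n")
        (src / "hr" / "payroll.csv").write_text("alice,4200.00\n")
        manifest = create_backup(src, work / "full.tar.gz")
        good = verify_restore(work / "full.tar.gz", manifest)
        create_backup(src, work / "partial.tar.gz", exclude={"hr"})  # the job forgot HR
        bad = verify_restore(work / "partial.tar.gz", manifest)
    return good, bad


if __name__ == "__main__":
    for label, result in zip(("full", "partial"), run_drill()):
        print(label, "OK" if result["ok"] else f"FAILED {result}")
```

The point of the drill is that the manifest is taken from the live data, not from the archive, so a backup job that quietly stopped covering a share is reported as missing files rather than passing because "the archive extracted fine". Run it against a copy of the real backup on a schedule and alert on any result where ok is false.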
An alternative is to bring a Managed Security Service Provider (MSSP), like Triskele Labs, on board. With extensive experience of thwarting and dealing with attacks, an MSSP is better equipped to provide an all-round, holistic defence for your business, its systems and data. It also has access to cutting-edge threat information and services not available to the average business.