How ransomware-as-a-service (RaaS) became the pandemic’s most prolific cyber threat.
In the past year, the Fortinet FortiGuard Labs team has found a dramatic increase in the cyber threat landscape. Its Global Threat Landscape Report determined a sevenfold surge in overall ransomware activity in the second half of 2020. Sectors that have been heavily targeted by these attacks include healthcare, and professional services, and consumer services firms, with the public sector being a particularly attractive target. But ransomware has adapted, and the recent spike in its use directly results from the disruption that businesses faced at the start of the Covid-19 pandemic.
In the midst of having to deal with this sudden change in the way organizations run their businesses, the transition to working from home brought critical challenges to IT and security teams. This has been compounded by the fact that IT teams need to ensure that employees are aware of the latest cybersecurity threats and best practices on how to deal with them.
The growth of ransomware operations
Threat actors generally leverage ransomware to crypto-lock critical systems and business infrastructures, demanding a ransom for the decryption key. Leveraging the threat of releasing the compromised data if demands are not met, has proven to be a relatively simple and lucrative way to extort money from organizations.
Increasingly, researchers are also seeing encrypted versions of data posted online – not just held for ransom. This is usually along with the threat that if the ransom isn’t paid, all data will be released to the public, or sold.
As the volume and frequency of attacks and attackers have drastically increased, a more sinister and targeted form of ransomware scheme has come to the fore.
Traditionally, ransomware attackers have been a few highly skilled coders developing sophisticated malware strains and focusing on making money solely from ransom payments.
That approach has evolved to a service model with its promise of recurring revenue streams from multiple sources. Attackers have realized they stand to make more money by selling or leasing these strains on the dark web to the everyday criminal and taking a cut from the victim’s ransom payments. As a result, in the past six months of 2020, there was a steady growth of what is now being classified as ransomware-as-a-service (RaaS), according to the Global Threat Landscape Report.
RaaS is proving effective for lower-level cybercriminals who want to jump on the latest boom in ransomware activity, but don’t have the technical skills to develop their own malware strains. Demand for RaaS has increased drastically and competition among ransomware developers can lead to special deals being made for aspiring criminals, which could spell disaster for potential victims.
One RaaS threat actor that FortiGuard Labs identified was Smaug, a service that offered ransomware strains that could be deployed across Windows, macOS, and Linux platforms. Most RaaS is restricted to vetted members, but Smaug became a fully public offering in late 2020. Other major players in the RaaS space that organizations need to be aware of are Phobos, Sodinokibi, Conti, and Egregor. RaaS makes these types of attacks extremely attractive for cybercriminals, and almost any organization or business regardless of size or industry can become a potential victim.
Keeping the threat at bay
A compromised digital supply chain and a workforce telecommuting into the network pose a real risk that ransomware attacks can come from anywhere, meaning organizations need to have a strategic, platform approach to cybersecurity that offers consistent protection and visibility across the entire IT estate and attack surface.
Whether an organization uses cloud-delivered security solutions, endpoint detection, or zero-trust access, a cohesive strategy with the right solutions and an overarching view of the network is the best defense against malware. On top of this, organizations should look at making foundational changes to the frequency, location, and security of their data backups as an extra layer of protection.
There is no denying that enterprises and public sector organizations alike face a threat landscape with attacks on all fronts. Threat intelligence remains central to understanding these threats and how to defend against evolving threat vectors. Visibility is also critical, particularly when a significant number of users are outside the typical network scenario. Every device creates a new network edge that must be monitored and secured.
The use of artificial intelligence (AI) and automated threat detection can enable organizations to address attacks immediately, not later, and are necessary to mitigate attacks at speed and scale across all edges. Cybersecurity user awareness training should also remain a priority; cyber hygiene is not just the domain of IT and security teams.
There has been much debate on the topic of criminalizing ransomware payments in an effort to reduce the number of attacks. The official advice from the UK National Cyber Security Centre (NCSC) remains that organizations do not pay ransoms. This debate is likely to continue to divide opinion; however, it can’t be ignored that the paying of ransoms can be problematic.
Ransomware and RaaS, in particular, have become more prolific as a result of the ongoing global crisis, with the public sector targeted frequently. It’s not going away any time soon and organizations need to know what they’re coming up against and how best to mitigate the impact that a ransomware attack has while understanding that paying the attackers could make their situation worse. But, with a more proactive, platform approach to securing their IT environments and the right cybersecurity solutions and intelligence, these organizations can be confident that they have the tools to combat these threats.
Paul Anderson is director, UK, and Ireland at Fortinet.