
Decoding ransomware-as-a-service: How the underground business works


With the advent of RaaS, double and triple extortion, ransomware groups are operating on a self-sustaining model with multiple actors working together, creating a dubious ecosystem of cybercrime.

Satnam Narang, Senior Staff Research Engineer, Tenable

Why is Ransomware-as-a-Service a thriving business?

Ransomware-as-a-Service (RaaS) has turned into a lucrative business as threat actors need not have the technical expertise to develop malware. They license it from ransomware groups, lowering the barrier of entry into the world of cybercrime. Ransomware operators provide the ransomware and the infrastructure, and recruited affiliates are tasked with breaking into networks to deploy the malware.

Ransomware groups utilise recruitment, marketing and advertising tactics to attract affiliates for their programs. Affiliate programs offer insiders within corporations potentially millions of dollars in exchange for deploying ransomware within their organizations. Affiliates are provided playbooks on how to deploy the ransomware, lowering the technical barrier, which is one of the primary reasons why RaaS is a thriving business.

Who are the different actors in the ransomware ecosystem and what makes them a major threat to organizations?

The ransomware ecosystem has three key players — ransomware groups, affiliates and initial access brokers (IABs). Ransomware groups are the face of the ecosystem, responsible for developing the ransomware, managing the infrastructure behind hosting stolen files and negotiations with victims.

Affiliates are the pillars holding up the structure of the ransomware ecosystem because they’re the ones doing the dirty work of infecting organizations in myriad ways. Affiliates identify attack pathways by purchasing access through Initial Access Brokers or by using common attack vectors such as spearphishing, brute-forcing RDP systems, exploiting unpatched or zero-day vulnerabilities and purchasing stolen credentials from the dark web.

Initial Access Brokers or IABs are a group of cybercriminals who specialize in gaining access to an organization’s IT infrastructure. They specialize in gaining initial access to organizations using similar techniques as affiliates. They offer access to the highest bidders — this could be an affiliate purchasing access or the ransomware group itself developing a working relationship with IABs directly.

What are the hiring and marketing strategies RaaS groups deploy to enlist IABs and affiliates?

Like every organized crime outfit that recruits outsiders to carry out dubious operations, ransomware groups too have their own methods of recruitment. These groups pay their affiliates enormous amounts of money. For instance, LockBit 2.0 provides instructions on how organization insiders can be part of the “affiliate recruitment” by offering “millions of dollars” and anonymity in exchange for credentials and access. Another ransomware gang, ALPHV, upped the stakes by offering a 90% profit share with its affiliates.

Each ransomware gang has its own set of requirements for each hiring post — this depends on the type of talent it wants to recruit. Some look for credential harvesters, developers or affiliates. For instance, BlackMatter, which was earlier known as DarkSide, has different criteria for recruiting affiliates. DarkSide listed its own requirements for affiliates, from experience to the knowledge required.

What makes RaaS a self-sustaining business model?

RaaS is a lucrative and self-sustaining business simply because of the amount of money in the ransomware ecosystem. Ransomware groups are impermanent. We have seen multiple ransomware groups disappear over the years, either as a result of law enforcement action, like REvil, or of their own volition, like DarkSide, which rebranded as BlackMatter.

We also hear numerous reports that newer groups include members of past ransomware groups. For instance, REvil was the successor to GandCrab, while Conti is considered the successor to Ryuk. When certain groups are dismantled, new groups capture the attention of affiliates seeking new partnerships.

Affiliates and IABs are the engines driving the ransomware ecosystem. These threat actors are not linked to any one specific ransomware group and their services can be bought by the highest bidder. Even as old ransomware groups shut down and new ones emerge, affiliates and IABs remain in the ecosystem, making RaaS a self-perpetuating business model.

Double and triple extortion tactics most often ensure ransom payments are made. What regulatory norms do governments need to implement to ensure businesses pay more attention to installing security measures to protect themselves against ransomware?

We need to make it more difficult and less lucrative for cybercriminals by shoring up organisations’ security postures and escalating government countermeasures. If we work together, cyberattacks won’t be the big business they are now.

To thwart attacks, the private sector must secure its systems properly while the government responds with deterrence measures.

Maintaining systems, using multi-factor authentication, limiting user privileges and understanding where you are most exposed have to be the first part of this equation.

Given the enormity of the threat RaaS outfits pose to businesses and critical infrastructure, how can organizations fortify themselves?

The rising number of ransomware attacks is an obvious wake-up call for organizations as bad actors are profiting from weaknesses in organizational defenses. The logical solution would be establishing deterrence. This can be achieved by shoring up organizations’ security postures.

Ransomware wouldn’t thrive as a profitable business model if the risks were higher than the rewards. Establishing deterrence requires organizations to maintain a sophisticated level of cyber hygiene. This can be done by implementing a variety of measures including:

  • Multi-factor authentication, encryption and strong passwords for all accounts
  • Continuously auditing permissions for user accounts
  • Identifying and patching vulnerabilities in business-critical assets in the network regularly
  • Strengthening Remote Desktop Protocol
  • Continuous monitoring of Active Directory to detect misconfigurations and shadow users
  • Regular updates for encrypted, offline backups
  • Antimalware and antivirus software to detect suspicious activities within the network
  • Training employees about common attack vectors and the importance of cyber hygiene
  • Conducting regular penetration tests and tabletop exercises to develop holistic incident response plans
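Two items in this interview point at the same control: affiliates "brute-forcing RDP systems" (the answer on ecosystem actors) and "Strengthening Remote Desktop Protocol" in the checklist above. The detection side of that control is small enough to show in full. What follows is an added example written for this page, not code from Tenable or the interviewee. It runs a brute-force rule over constructed Windows Security event records: failed logons are Event ID 4625, successes are Event ID 4624, and LogonType 10 (RemoteInteractive) is the RDP logon type. The comma-separated record layout, the sample IP addresses and the five-failures-in-five-minutes threshold are assumptions of the example; a real deployment would read the same fields from the Security log, Winlogbeat or a SIEM.

```python
"""
Added example (not from the page): flag RDP brute-force activity in
Windows Security events.

Rule (thresholds are assumptions):
  * only RemoteInteractive logons count (LogonType 10 is the RDP logon type);
  * `threshold` or more failed logons (Event ID 4625) from one source IP
    inside a sliding window of `window_seconds` raises an alert;
  * a later successful logon (Event ID 4624) from an IP that was already
    flagged raises a second, higher-severity alert: the attacker got in.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625    # "An account failed to log on"
SUCCESS_LOGON = 4624   # "An account was successfully logged on"
RDP_LOGON_TYPE = 10    # RemoteInteractive (Terminal Services / RDP)

# Constructed sample records, not real telemetry. Each line is
# "<UTC timestamp>,<EventID>,<LogonType>,<TargetUserName>,<IpAddress>";
# this field order is an assumption of the example, not a Windows format.
SAMPLE_EVENTS = [
    "2024-03-04T02:00:01Z,4625,10,administrator,203.0.113.7",
    "2024-03-04T01:30:00Z,4625,10,administrator,192.0.2.5",   # slow attacker, out of order
    "2024-03-04T02:00:09Z,4625,10,administrator,203.0.113.7",
    "2024-03-04T02:00:17Z,4625,10,admin,203.0.113.7",
    "2024-03-04T02:00:25Z,4625,3,svc_backup,203.0.113.9",     # network logon, not RDP
    "2024-03-04T01:40:00Z,4625,10,administrator,192.0.2.5",
    "2024-03-04T02:00:31Z,4625,10,admin,203.0.113.7",
    "2024-03-04T02:00:40Z,4625,10,backup,203.0.113.7",        # 5th failure in ~40 s
    "2024-03-04T02:00:48Z,4625,10,backup,203.0.113.7",
    "2024-03-04T02:00:55Z,4625,3,svc_backup,203.0.113.9",
    "2024-03-04T02:01:02Z,4624,10,backup,203.0.113.7",        # success after the burst
    "2024-03-04T01:50:00Z,4625,10,administrator,192.0.2.5",
    "2024-03-04T02:00:00Z,4625,10,administrator,192.0.2.5",
    "2024-03-04T02:05:00Z,4625,10,jsmith,198.51.100.20",      # a user mistyping twice
    "2024-03-04T02:05:12Z,4625,10,jsmith,198.51.100.20",
    "2024-03-04T02:05:30Z,4624,10,jsmith,198.51.100.20",
    "2024-03-04T02:10:00Z,4625,10,administrator,192.0.2.5",
]


def parse_event(line):
    """Split one sample record into a dict with a datetime timestamp."""
    ts, event_id, logon_type, user, ip = line.strip().split(",")
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "event_id": int(event_id),
        "logon_type": int(logon_type),
        "user": user,
        "ip": ip,
    }


def detect_rdp_bruteforce(lines, threshold=5, window_seconds=300):
    """Return alerts for RDP failure bursts and any success that follows one."""
    window = timedelta(seconds=window_seconds)
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    failures = defaultdict(deque)   # ip -> timestamps of 4625s inside the window
    usernames = defaultdict(set)    # ip -> every account tried from that ip (not windowed)
    flagged = set()                 # ips that already raised a burst alert
    alerts = []
    for ev in events:
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue  # interactive, network and service logons are out of scope here
        ip = ev["ip"]
        recent = failures[ip]
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()  # slide the window forward
        if ev["event_id"] == FAILED_LOGON:
            recent.append(ev["ts"])
            usernames[ip].add(ev["user"])
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({
                    "type": "rdp_bruteforce",
                    "ip": ip,
                    "failures": len(recent),
                    "usernames": sorted(usernames[ip]),
                    "at": ev["ts"],
                })
        elif ev["event_id"] == SUCCESS_LOGON and ip in flagged:
            alerts.append({
                "type": "rdp_bruteforce_success",
                "ip": ip,
                "user": ev["user"],
                "failures_before_success": len(recent),
                "at": ev["ts"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

On the sample data the rule fires twice for 203.0.113.7, once for the burst and once for the successful logon as `backup` that follows it; the second alert is the one worth paging on. The two typos from 198.51.100.20 and the network logons from 203.0.113.9 stay silent, and the attacker at 192.0.2.5 spacing attempts ten minutes apart is only caught if the window is widened, which is the usual trade-off between a tight window that suppresses noise and a long one that catches low-and-slow guessing.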

What kind of interest have you observed from the region for your offerings?

The attack surface has changed dramatically not only in the sheer volume of assets but also in the variety of assets that have become exposure risks. Shadow IT, public cloud, ephemeral resources, and more distributed infrastructure and application deployment have made the attack surface highly dynamic and ever-changing. In addition, the assets that make up your attack surface are more interconnected than ever before, so exposure in one area can quickly become a breach in a critical part of the business.

While attacks continue to increase in sophistication, the vast majority are opportunistic, preying on the fact that most teams are overwhelmed and unable to address even well-known vulnerabilities. Bad actors of all skill levels and motivations will continue targeting known vulnerabilities in popular software so long as they remain unpatched and vulnerable. So we are seeing the need for Exposure Management which draws on deep insights into all aspects of the modern attack surface – across assets, as things change, and with the context of interdependencies – to accurately gauge and prioritize exposure risk.

Can you elaborate on your market approach?

We’ve continued to drive innovation in vulnerability management, and as a result, have grown our market share lead over the past three years.

Tenable Research underpins our technology and our ability to serve our customers. We are market leaders in CVE coverage, assessing over 70,000 vulnerabilities; leaders in zero-day research, with over 400 vulnerabilities disclosed since January of 2019; and in most cases, our team provides coverage within 24 hours of finding new vulnerabilities. Last but not least, we’ve expanded our scope through acquisition and R&D and are now recognized as leaders or significant players in the Operational Technology, Cloud Native, and Active Directory security markets.
