Did you know that over 80% of ransomware attacks can be traced back to common misconfigurations in software and devices? This ease of access is one of the many reasons why cybercriminals are drawn to the underground ransomware economy.
However, many threat actors operate within a limited set of ransomware groups. While ransomware is a high-profile topic, it is ultimately fueled by a relatively small and interconnected ecosystem of players. The specialization and consolidation of the cybercriminal economy has propelled ransomware-as-a-service (RaaS) into a dominant business model—enabling a wider range of criminals to deploy ransomware, regardless of their technical expertise. This in turn makes all of us defenders.
As Microsoft develops threat intelligence, we don’t rely solely on open forum monitoring and ransomware claims to identify emerging cybercrime trends. We also observe end-to-end events as they occur. This allows us to identify patterns in cybercriminal activity and treat cybercrime as a preventable business disruption. Once businesses address the issues and security gaps that industrialized attack tools depend on, they can strengthen their overall security posture. Here are some of our top tips.
Learn how RaaS works
Before defending against ransomware, you must understand how it works. Ransomware is the payload, not the point of entry. Instead, ransomware operators exploit existing security holes to gain access to internal networks. Cybercriminals employ the most efficient methods available when it comes to ransomware. In the same way that businesses hire gig workers to keep costs down, cybercriminals have turned to renting or selling their ransomware tools for a share of the profit, rather than carrying out the attacks themselves.
This booming RaaS economy allows cybercriminals to buy access to ransomware payloads, data leak infrastructure, and payment infrastructure. What we think of as ransomware “gangs” are actually RaaS programs like Conti or REvil, used by many different actors who switch between RaaS programs and payloads.
RaaS lowers the barriers to entry and obscures the identity of the attackers behind the ransomware. Some programs can have 50 or more “affiliates”, as they refer to the users of their services, each with different tools, techniques, and goals. Anyone with a laptop and a credit card who is willing to scour the dark web for penetration testing tools or out-of-the-box malware can join the economy.
So what does this mean for businesses?
New business models can provide new insights
This industrialization of cybercrime has created specialized roles in the RaaS economy, such as access brokers who sell network access. When a company suffers a breach, there are often multiple cybercriminals involved at different stages of the breach. These threat actors can gain access by purchasing RaaS toolkits from the dark web that include customer service support, bundled offers, user reviews, forums, and other features.
Some RaaS programs charge cybercriminals a fixed price for the suite, while others sell RaaS under an affiliate model and take a percentage of the profits.
Ransomware attacks are tailored to the configuration of the target network, even if the ransomware payload is the same. They can take the form of data breaches as well as other impacts, and because of the interconnected nature of the cybercrime economy, seemingly unrelated intrusions can build on one another. For example, infostealer malware steals passwords and cookies. These attacks are usually treated less seriously, but cybercriminals can sell those passwords to enable other, more damaging attacks.
Nonetheless, these attacks follow a common template: first, initial access through a malware infection or exploit; then, credential theft used to elevate privileges and move laterally. This industrialization allows attackers to execute prolific and impactful ransomware attacks without needing sophistication or advanced skills.
Ransomware may seem like an endlessly scaling problem, but in reality the number of actors using this set of techniques is limited.
Enterprise Deployment Strategies
Now that we understand the mechanics behind RaaS, companies can take some precautions.
- Establish credential hygiene: Develop privilege-based logical network segmentation, implemented alongside network segmentation, to limit lateral movement. A lack of credential hygiene is among the biggest security misconfigurations we’ve observed, yet this simple measure could be a major factor in preventing threat actors from moving laterally and distributing ransomware payloads across the company.
- Audit credential exposure: Audit your credential exposure to better protect against ransomware attacks and cybercrime. IT security teams and security operations centers (SOCs) can work together to reduce administrative privileges and understand the level of exposure of their credentials.
- Reduce the attack surface: Establish attack surface reduction rules to prevent common attack techniques used in ransomware attacks. In observed attacks from several ransomware-related activity groups, organizations with well-defined rules were able to mitigate attacks in the initial stages while preventing hands-on-keyboard activity.
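As an added example that is not part of the original article or any Microsoft tooling, the PowerShell below uses the built-in Microsoft Defender Antivirus cmdlets to report the state of the attack surface reduction (ASR) rules that map to the credential-theft and lateral-movement steps described above, and to stage any that are not yet enforced in audit mode so the SOC can review the resulting events before switching them to block. The rule GUIDs are Microsoft's published ASR rule IDs as the author of this example recalls them; confirm them against the current Microsoft ASR reference before rolling out.

```powershell
# Added example: stage ransomware-relevant ASR rules in audit mode and report state.
# Requires an elevated session on a host running Microsoft Defender Antivirus.
# Rule GUIDs are Microsoft's published ASR rule IDs; verify against current docs.
$ransomwareRules = @{
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block Office apps from creating child processes'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations from PSExec and WMI commands'
    'e6db77e5-3df2-4cf1-b95a-636979351e5b' = 'Block persistence through WMI event subscription'
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
}

# Defender reports rule actions as numeric codes; map them to readable names.
$actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    # Returns one object per ransomware-relevant rule with its currently configured action.
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    $current = @{}
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $current[$ids[$i].ToLower()] = [int]$actions[$i]
    }
    foreach ($id in $ransomwareRules.Keys) {
        # A rule absent from the configured list is effectively disabled.
        $code = if ($current.ContainsKey($id)) { $current[$id] } else { 0 }
        [pscustomobject]@{
            RuleId = $id
            Name   = $ransomwareRules[$id]
            Action = $actionNames[$code]
        }
    }
}

function Enable-AsrRuleAudit {
    # Put every rule that is still disabled into audit mode. Audit hits are logged as
    # Event ID 1122 in Microsoft-Windows-Windows Defender/Operational; review them
    # for false positives before changing the action to Enabled (block).
    foreach ($rule in Get-AsrRuleState | Where-Object { $_.Action -eq 'Disabled' }) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $rule.RuleId `
                         -AttackSurfaceReductionRules_Actions AuditMode
        Write-Host "Audit mode enabled: $($rule.Name)"
    }
}

# Review the current state, stage the missing rules, then confirm the result.
Get-AsrRuleState | Format-Table -AutoSize
Enable-AsrRuleAudit
Get-AsrRuleState | Format-Table -AutoSize
```

Once the audit events have been reviewed, re-run `Add-MpPreference` with `-AttackSurfaceReductionRules_Actions Enabled` for the rules you are ready to enforce.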
Ultimately, the industrialization of threat actors’ tools and their ability to target organizations makes ransomware attacks easier to carry out without requiring highly specialized skill sets. But by implementing basic security best practices and monitoring their credentials, companies can make it much harder for themselves to fall victim to ransomware attacks.
For more information on ransomware, check out the full Cyber Signals article and explore more threat intelligence insights on Microsoft Security Insider.
Copyright © 2022 IDG Communications, Inc.