Software-as-a-Service (SaaS) is fairly common in the world of legitimate enterprise software where vendors offer their software products through a subscription model, usually to obtain a distributed cash inflow and to improve the affordability of their products by allowing their customers to match their expenditure on the product with their use of the product. Threat actors are now adopting this business model, seeking different benefits, to provide cyberthreats, especially ransomware, as a service with frightening consequences for the enterprise world.
How Ransomware Works
Ransomware is a form of malware that encrypts data on the victim’s IT network, paralysing business operations until a decryption key is obtained by payment of ransom that is usually demanded in cryptocurrency. Data is the key to ransomware’s potency and the success of the attack model; every enterprise needs data to function, even if that data is internal administrative data that is of no value to anyone else, and preventing access to this data increases the probability that a ransom will be paid and turns every business into a potential target.
Cyberattacks were problematic, but not an existential threat, for businesses when the entire attack process was handled by an individual or team. The various activities involved, such as developing malware, identifying suitable targets, scouting for points of entry, and deploying the attack, were time consuming and skill intensive which limited the frequency and severity of attacks. Such limits do not apply to Ransomware-as-a-Service (RaaS).
How RaaS Amplifies the Ransomware Threat
Under the RaaS model, ransomware providers restrict themselves to the technical development of ransomware. Initial Access Brokers (IABs) provide points of entry to enterprise networks for a price. Prospective attackers subscribe to the ransomware, obtain access to an identified enterprise victim from an IAB, and combine them to launch the attack. This has removed the time and skill constraints that limited attacks before, as cyberattackers need very little technical knowledge to deploy ransomware. Each segment specialises in their role, with corresponding improvements in attack capability.
RaaS offerings can be quite sophisticated: they are advertised on the dark web; ransomware developers provide dashboards and helplines to facilitate attacks; and negotiation services are provided to extort maximum payment from victims. The extortion models are also evolving: ransomware gangs used to demand ransom from the victim to provide a decryption key; they now threaten to release exfiltrated data, such as customers’ Personally Identifiable Information (PII), if the ransom isn’t paid (double extortion); and may approach the victim’s customers threatening to release their data obtained from the victim if the ransom isn’t paid, to exert additional pressure on the victim to pay (triple extortion).
The combination of these factors has resulted in an increase in the proliferation of ransomware attacks. K7 Computing estimates that ransomware will grow to become a $30 billion industry in 2023. High profile ransomware events such as the Continental Pipeline attack in the USA have made international headlines, but ransomware attacks are not limited to large organisations. Schools, colleges, government departments, and smaller organisations in the public and private sector are targeted by ransomware groups with potentially devastating outcomes: a 157-year-old college in the USA was forced to cease operations following a ransomware attack.
Considering the above, the enterprise sector should prepare their cyber defences assuming that a) they will be the target of a ransomware attack; it is a matter of when and not if, and b) the attack could bring operations to a halt with associated impact on profitability and business continuity. Defending against such attacks requires creating plans to both prevent ransomware and to respond to an attack if it is successful.
Preventing Ransomware Attacks
Preventing ransomware attacks requires policy, technology, and training. A cybersecurity policy is required to define standards, roles, and responsibilities. What is the minimum strength required for enterprise passwords? Who is responsible for ensuring that all patches and security updates are installed? When should hardware or software nearing end-of-support be replaced? How may enterprise IT assets be used? Performing an audit of the organisation’s IT infrastructure will reveal weaknesses that must be addressed in the policy, improving the effectiveness of the policy.
Technology solutions, such as K7 Endpoint Security, K7 Network Security, and data backups must be utilised to defend against ransomware. The endpoint security solution should be capable of permitting legitimate encryption while denying malicious encryption and protect against phishing which may be used to deliver ransomware. Technology solution vendors must be evaluated based on awards won, frequency of updates, long-term track record, and speed of support as every second counts when responding to a potential threat event.
All employees must be trained on the fundamentals of cyber hygiene; identifying phishing and other forms of social engineering that attempt to compromise the user rather than hardware or software; and the need to report suspicious activity immediately and the reporting structure to be followed. Such training can be provided by specialists who combine expertise in both cybersecurity and training, such as K7 Academy. A culture of cybersecurity must be inculcated within the organisation to ensure that staff hold each other accountable for following mandated cybersecurity standards.
It is essential to ensure the entire organisation is blanketed by the proposed cyber defences. No device and no individual, even the CEO, must be exempt from these measures. Threat actors do not care about organisational hierarchy, or the challenges faced in identifying all the devices that are part of an organisation’s IT ecosystem. They will exploit every available opportunity and therefore enterprise cybersecurity must be maintained, monitored, and revised periodically to prevent the emergence of attack opportunities.
Responding to Ransomware Attacks
Finally, a plan of response will be required in the event an organisation does suffer a ransomware attack. This plan must cover attack mitigation, compliance measures, and public relations to minimise the impact on the business’s brand and to avoid regulatory action. Paying the ransom is not recommended but a decision on payment may need to be made soon after an attack occurs in sectors like healthcare where lives may be lost if the organisation is unable to return to normal operations quickly.
Confusion and chaos are to be expected following a ransomware event and comprehensive contingency plans that are implemented quickly will help restore confidence, both within and outside the organisation, in the enterprise’s ability to counter the attack, manage the consequences, and preserve stakeholder value.
Download K7’s whitepaper Unmasking Ransomware for more information on building enterprise defences against ransomware, or Contact Us to learn how K7’s enterprise cybersecurity solutions can protect your organisation against ransomware.