Extortion Economics: Ransomware’s New Business Model

With the right approach, cybercrime can be turned into a preventable disruption to business. Here are our top tips for strengthening your posture against the ransomware economy.


Did you know that over 80% of ransomware attacks can be traced to common configuration errors in software and devices? This ease of access is one of many reasons why cybercriminals have become emboldened by the underground ransomware economy.

And yet, many threat actors are working within a limited pool of ransomware groups. Although ransomware is a headline-grabbing topic, it’s ultimately being driven forward by a relatively small and interconnected ecosystem of players. The specialization and consolidation of the cybercrime economy has fueled ransomware as a service (RaaS) to become a dominant business model — enabling a wider range of criminals to deploy ransomware regardless of their technical expertise. This, in turn, has forced all of us to become cybersecurity defenders.

When Microsoft is developing threat intelligence, we don’t just rely on open forum monitoring and ransomware claims to identify emerging cybercrime trends. We also observe end-to-end events as they occur. This has allowed us to identify patterns in cybercriminal activity and turn cybercrime into a preventable disruption to business. Once businesses can address the problems and network gaps that industrialized tools rely on to succeed, they can better strengthen their cybersecurity position. Here are some of our top tips.

Understanding how RaaS works

Before you can defend against ransomware, you must first know how it operates. Ransomware is not targeted. Instead, ransomware takes advantage of existing security compromises in order to gain access to internal networks. Cybercriminals have adopted a maximum-efficiency approach when it comes to ransomware. In the same way that businesses hire gig workers to cut down on costs, cybercriminals have turned to renting or selling their ransomware tools for a portion of the profits rather than performing the attacks themselves.

This flourishing RaaS economy allows cybercriminals to purchase access to ransomware payloads and data leakage as well as payment infrastructure. What we think of as ransomware “gangs” are in reality RaaS programs like Conti or REvil, used by the many different actors who switch between RaaS programs and payloads.

RaaS lowers the barrier to entry and obfuscates the identity of the attackers behind the ransoming. Some programs can have 50 or more “affiliates,” as they refer to the users of their service, with varying tools, tradecraft, and objectives. Anyone with a laptop and credit card who is willing to search the dark web for penetration testing tools or out-of-the-box malware can join this economy.

So, what does this mean for enterprises?

A new business model can offer fresh insight

This industrialization of cybercrime has created specialized roles in the RaaS economy, such as the access brokers who are responsible for selling access to networks. When companies experience a breach, there are often multiple cybercriminals involved at different stages of the intrusion. These threat actors can gain access by purchasing RaaS kits off the dark web, consisting of customer service support, bundled offers, user reviews, forums, and other features.

Cybercriminals can pay a set price for a RaaS kit while other groups selling RaaS under the affiliate model take a percentage of the profits.

Ransomware attacks are customized based on configurations of the target networks, even if the ransomware payload is the same. They can take the form of data exfiltrations, as well as other impacts and, because of the interconnected nature of the cybercriminal economy, seemingly unrelated intrusions can build upon each other. For example, infostealer malware steals passwords and cookies. These attacks are often treated with less severity, but cybercriminals can sell these passwords to enable other, more devastating attacks.

However, these attacks follow a common template. First, there is initial access via malware infection or exploitation of a vulnerability. Then, credential theft is used to elevate privileges and move laterally. This industrialization has allowed prolific and impactful ransomware attacks to be performed by attackers without sophistication or advanced skills.

Reporting on ransomware may seem like an endless scaling problem, but in reality there is a finite set of actors using a finite set of techniques.

Strategies for businesses to deploy

Now that we understand the mechanics behind RaaS, there are several preventative measures that companies can take.

  1. Build credential hygiene: Develop logical segmentation based on privileges that can be implemented alongside network segmentation to limit lateral movement. Failure to implement credential hygiene is one of the biggest security misconfigurations that we observe, and yet this simple control can be a major factor in preventing threat actors from moving laterally and distributing a ransomware payload across the company.
  2. Audit credential exposure: Audit your credential exposure to better prevent ransomware attacks and cybercrime at large. IT security teams and security operations centers (SOCs) can work together to reduce administrative privileges and understand the level at which their credentials are exposed.
  3. Reduce the attack surface: Establish attack surface reduction rules to prevent common attack techniques used in ransomware attacks. In observed attacks from several ransomware-associated activity groups, organizations with clearly defined rules have been able to mitigate attacks in their initial stages while preventing hands-on-keyboard activity.
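The third tip above refers to Microsoft Defender attack surface reduction (ASR) rules. The following is an added example, not code from the article, showing one way to roll such rules out safely: audit first, review what would have been blocked, then enforce. It assumes Microsoft Defender Antivirus on Windows and an elevated PowerShell session; the rule GUIDs are Microsoft's published ASR rule IDs and should be checked against current documentation before use.

```powershell
# Added example (not from the article): stage Defender ASR rules in audit mode,
# review what they would have blocked, then enforce.
# Assumes Microsoft Defender Antivirus on Windows and an elevated shell.
# Rule GUIDs are Microsoft's published ASR rule IDs; confirm against current docs.

$AsrRules = @{
    'Block credential stealing from LSASS'                    = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
    'Block Office applications from creating child processes' = 'd4f940ab-401b-4efc-aadc-ad5f3c50688a'
    'Block executable content from email client and webmail'  = 'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550'
    'Use advanced protection against ransomware'              = 'c1db55ab-c21a-4637-bb3f-a12568109d35'
}

function Set-AsrRules {
    param(
        [hashtable]$Rules,
        [ValidateSet('AuditMode', 'Enabled')][string]$Mode
    )
    foreach ($entry in $Rules.GetEnumerator()) {
        # Add-MpPreference merges with existing rule settings rather than replacing them
        Add-MpPreference -AttackSurfaceReductionRules_Ids $entry.Value `
                         -AttackSurfaceReductionRules_Actions $Mode
        Write-Host ("{0,-60} -> {1}" -f $entry.Key, $Mode)
    }
}

function Get-AsrEvents {
    param([int]$Days = 7)
    # Defender logs ASR audit hits as event 1122 and enforced blocks as 1121
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Step 1: audit first so legitimate business processes that trip a rule show up
# as event 1122 without being blocked.
Set-AsrRules -Rules $AsrRules -Mode AuditMode

# Step 2: after a review window, inspect the audit hits; add exclusions for
# validated false positives with Add-MpPreference -AttackSurfaceReductionOnlyExclusions <path>.
Get-AsrEvents -Days 7 | Format-Table -AutoSize

# Step 3: once the audit data is clean, enforce (uncomment when ready).
# Set-AsrRules -Rules $AsrRules -Mode Enabled

# Verify the effective configuration.
$pref = Get-MpPreference
$pref.AttackSurfaceReductionRules_Ids
$pref.AttackSurfaceReductionRules_Actions
```

Running in audit mode for a week or two before switching to Enabled is what keeps the rules from becoming a self-inflicted outage; the 1122 events are the evidence the rules would have stopped the initial-access and credential-theft steps the article describes.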

Ultimately, ransomware has been made easier by threat actors’ industrialization of tools and their ability to target organizations without needing highly specialized skill sets. But by implementing foundational security best practices and monitoring their credentials, companies can make it that much harder to fall victim to a ransomware attack.

For more information on ransomware, check out the full Cyber Signals article and explore more threat intelligence insights on Microsoft Security Insider.


Copyright © 2022 IDG Communications, Inc.