Ransomware-as-a-Service is Fueling the Threat Landscape. Here’s What to Do About It.

If there were a popularity contest for cybercrime attack types, ransomware would quickly be crowned as the winner. Our FortiGuard Labs team recently published an in-depth look at the current threat landscape and found that ransomware attacks continue to become more sophisticated and destructive, with attackers introducing new strains and updating, enhancing, and reusing old ones.

What’s especially concerning as we look at the first half of the year is that the number of new ransomware variants we identified nearly doubled compared to the previous six-month period. We saw 10,666 new ransomware variants in 1H 2022, compared to just 5,400 in 2H 2021. New variants means defenders need to constantly be on the lookout for shifts in tactics and techniques.

Curious as to what’s driving this volume and variety in ransomware attacks?

Ransomware-as-a-Service (Raas) seems to be the catalyst behind it all. Here’s more about RaaS, how it works, and recommendations for ensuring that you’re adequately protecting your organization from this increasingly widespread attack vector.

What is Ransomware-as-a-Service (RaaS)?

RaaS is a subscription-based ransomware system. It’s a subset of the larger Crime-as-a-Service (CaaS) market, which is the practice of experienced cybercriminals selling tools and knowledge to help others carry out cybercrimes. Numerous attack vectors and associated code are available through the CaaS market, such as phishing kits, DDoS attacks, and of course, RaaS, to name a few.

RaaS programs are unique in eliminating the need for attackers to write their own malicious code. This allows even inexperienced cybercriminals to successfully target people, businesses, and other organizations for a quick payday. Like popular streaming media subscriptions or food delivery services, bad actors can access ransomware and other malicious software for a monthly fee. In the past few years, we've seen RaaS increase in popularity among cybercriminals.

How RaaS Works

Most CaaS operations – including the RaaS market – employ developers of all ability levels. Junior-level “script kiddies” copy and paste existing code to create new offerings while senior developers work on more sophisticated attacks, such as Zero Day weaponization. The result is countless new attack variants that these ransomware groups can then sell to new hackers.

When cybercriminals sign up for a RaaS service, they become an affiliate – RaaS groups typically call these people partners. However, they are more like franchisees since they pay back a percentage of their profits to the RaaS operation. In exchange, many RaaS offerings include a variety of additional services, including help desk, ransom negotiators, and money laundering. Each partner receives their own identifier and, often, even a unique piece of malware, which helps explain why the number of new ransomware variants being identified is skyrocketing. The RaaS operators intentionally assign unique IDs and variants to mask the identity of the group and partner purchasing the subscription. 

Defending Against a Growing Number of Ransomware Variants

With more ransomware variants being made available to attackers, many bad actors are inevitably searching for an easy payout. And while ransomware isn’t new, its rapid growth, combined with its destructive nature, makes it more critical for CISOs and their security teams. They need real-time visibility into both an organization’s external (beyond your perimeter) and internal attack surface, as well as effective protection and remediation strategies and tools in place. Advanced endpoint detection and response (EDR) technology, combined with AI and ML-driven behavioral-focused detections, offers a strong defense against a growing collection of variants and the clever techniques we see bad actors using to execute them.

In addition, a service, such as digital risk protection service (DRPS), provides organization-specific, expert-curated and actionable external attack surface intelligence, identifies threat actors’ activity and brand infringement, and monitors ransomware data leaks. When leaked credentials are for sale on hacker forums, there is high probability that they will be used in an attack against the organization.

Beyond implementing effective strategies and technologies, cybersecurity education for your organization's employees is crucial. Teaching employees how to spot, avoid, and report phishing and ransomware is a vital first line of defense. We're also seeing RaaS groups increasingly target enterprise security teams with their attacks as they try to crack the crown jewel, so to speak, and gain bragging rights for doing so. Find opportunities for your team to hone their skills. Build and test your processes and playbooks, and then allocate time for tactical training sessions based on real-world scenarios. Consider engaging an outside firm to pressure-test the team and identify potential security gaps.

Above all else, taking a holistic approach to security that’s broad, integrated, and automated is essential to reducing complexity and increasing security effectiveness across today’s expanding networks.

Ransomware will likely continue winning the cybercrime popularity contest thanks to its disruptive nature. And RaaS makes it easy for cybercriminals of any skill level to take advantage of this attack vector. By offering education on cybersecurity best practices, collaborating with other defenders, and using behavioral-based AI solutions to detect and implement countermeasures, organizations can fend off attackers and protect against the evolving threat landscape. 

Learn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard AI-powered security services portfolio.