How to protect your organization from ransomware-as-a-service attacks

RaaS kits are easy to find on the Dark Web, lowering the barrier to entry so that virtually any cybercriminal can launch a successful ransomware attack, says Microsoft.


Ransomware-as-a-Service has become an increasingly popular attack model. Because the ready-made kits are designed for affiliates, criminals no longer need advanced technical skills to launch an attack. In a report released Monday, Microsoft covers the latest wave of RaaS attacks and offers advice on how to combat them.

In its August 2022 Cyber Signals report, titled Extortion Economics, Microsoft explains that RaaS kits are as easy to buy on the Dark Web as legitimate products are on e-commerce sites. RaaS programs such as Conti and REvil sell kits that bundle everything an attacker needs: the ransomware payload, a data-leak site, customer support and payment infrastructure. The customers, known as affiliates, buy a kit for a set price, and the operator also collects a percentage of each successful ransom.



These campaigns start with initial access, typically through a malware infection or by exploiting a security vulnerability. From there, the attackers steal credentials to elevate privileges and move laterally across the network. The end goal is to exfiltrate and encrypt critical data so that it can be held for ransom.

Most RaaS-based attacks use a double-extortion strategy: the victim's data is encrypted and also exfiltrated, and the attackers threaten to publish it unless the ransom is paid. The shutdown of the Conti ransomware gang in May 2022 shook up the RaaS landscape. Some affiliates who had been using Conti kits shifted to other RaaS programs such as LockBit and Hive.

Others have turned to deploying payloads from multiple RaaS programs. Two groups Microsoft highlights are DEV-0537 (also known as LAPSUS$) and DEV-0390 (a former Conti affiliate). DEV-0390 gains its initial foothold with malware but then relies on legitimate tools to exfiltrate data and extort the ransom payment.

The group also gains access to accounts by stealing credentials, and it stages the stolen data on a cloud file-sharing site before making its demands.

How to protect your organization from ransomware-as-a-service attacks

To protect your organization from RaaS attacks, Microsoft offers several recommendations.

Prevent initial access

Block the macros and scripts that deliver the initial payload: disable or restrict Office macros, and control which scripting engines are allowed to run.

Segment your network

To limit lateral movement, segment your network by account privilege so that a compromised low-privilege account or host cannot reach high-value systems.

Audit account credentials

Reviewing how exposed your account credentials are can help stop ransomware and other cyberattacks. Make sure that IT staff and the security operations center work together to reduce the number and level of administrative privileges and to understand where those accounts are most exposed.
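As an added example of the credential audit described above (this is not code from Microsoft's report or the article), the following PowerShell enumerates the effective, nested membership of the default privileged Active Directory groups and flags the hygiene problems that widen exposure: disabled accounts left in admin groups, passwords that never expire or are over a year old, privileged accounts that have not logged on recently, admin accounts with service principal names, accounts outside the Protected Users group, and orphaned adminCount flags. It assumes the RSAT ActiveDirectory module on a domain-joined host with rights to read user objects; the group list and the 90-day staleness threshold are assumptions to tune locally.

```powershell
# Added example; not code from Microsoft's report or from the article.
# Assumes the RSAT ActiveDirectory module and read access to user objects.
Import-Module ActiveDirectory

# Default built-in groups that confer domain-wide or server-wide privilege (assumption: extend
# with any custom tier-0 groups your organisation uses).
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                    'Administrators', 'Account Operators', 'Backup Operators'
$StaleDays = 90   # assumption: a privileged account unused for 90 days is a removal candidate

function Get-PrivilegedAccountReport {
    $domainDn    = (Get-ADDomain).DistinguishedName
    $protectedDn = "CN=Protected Users,CN=Users,$domainDn"
    $seen        = @{}

    foreach ($group in $PrivilegedGroups) {
        # -Recursive expands nested groups so indirect administrators are not missed.
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
                   Where-Object { $_.objectClass -eq 'user' }
        foreach ($m in $members) {
            if ($seen.ContainsKey($m.SamAccountName)) {
                $seen[$m.SamAccountName].Groups += $group
                continue
            }
            $u = Get-ADUser -Identity $m.DistinguishedName -Properties Enabled, PasswordNeverExpires,
                     PasswordLastSet, LastLogonDate, ServicePrincipalName, MemberOf
            $flags = @()
            if (-not $u.Enabled)                    { $flags += 'Disabled account still holds privilege' }
            if ($u.PasswordNeverExpires)            { $flags += 'PasswordNeverExpires' }
            if ($u.PasswordLastSet -and $u.PasswordLastSet -lt (Get-Date).AddDays(-365)) {
                $flags += 'Password older than one year'
            }
            if ($u.LastLogonDate -and $u.LastLogonDate -lt (Get-Date).AddDays(-$StaleDays)) {
                $flags += "No logon in $StaleDays days"
            }
            if ($u.ServicePrincipalName.Count -gt 0) { $flags += 'Has SPN: Kerberoastable with admin rights' }
            if ($u.MemberOf -notcontains $protectedDn) { $flags += 'Not in Protected Users' }

            $seen[$m.SamAccountName] = [pscustomobject]@{
                Account = $m.SamAccountName
                Groups  = @($group)
                Flags   = $flags
            }
        }
    }
    $seen.Values | Sort-Object Account
}

# Accounts removed from privileged groups keep adminCount=1 and the non-inherited ACL that
# AdminSDHolder stamped on them; they stay harder to manage until the flag is cleared.
function Get-OrphanedAdminCount {
    param([Parameter(Mandatory)] $Report)
    $current = @($Report.Account)
    Get-ADUser -LDAPFilter '(adminCount=1)' | Where-Object { $current -notcontains $_.SamAccountName }
}

$report = Get-PrivilegedAccountReport
$report | Where-Object { $_.Flags.Count -gt 0 } |
    Format-Table Account, @{ n = 'Groups'; e = { $_.Groups -join ', ' } }, @{ n = 'Flags'; e = { $_.Flags -join '; ' } } -Wrap
"Orphaned adminCount accounts:"
Get-OrphanedAdminCount -Report $report | Select-Object SamAccountName, DistinguishedName
```

Run it from a workstation with RSAT as a normal domain user; every call is read-only. The output is the list to work through with the SOC: every flagged row either loses its privilege or gets a documented reason to keep it.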

Reduce the attack surface

Turn on attack surface reduction rules that target the techniques ransomware operators rely on. Clearly defined rules stop an intrusion in its early stages, before the payload runs.
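The two recommendations above (manage macros and scripts; set up attack surface reduction rules) come down to concrete settings on a Windows endpoint. The following PowerShell is an added example, not code from Microsoft's report or the article. It assumes Windows 10/11 with Microsoft Defender Antivirus and Office 2016 or later (the "16.0" policy path), run from an elevated prompt; the set of ASR rules chosen is an assumption keyed to the attack stages the report describes. In a domain these settings belong in Group Policy or Intune; the registry writes here are the per-machine equivalent for a lab or pilot host.

```powershell
# Added example; not code from Microsoft's report or from the article.
# Assumptions: Windows 10/11, Microsoft Defender Antivirus, Office 2016+, elevated PowerShell.

# --- 1. Office macro policy and Windows Script Host --------------------------------
# VBAWarnings: 1 = enable all, 2 = disable with notification, 3 = signed only, 4 = disable silently
$MacroPolicy = @{
    'blockcontentexecutionfrominternet' = 1   # macros in files carrying Mark-of-the-Web never run
    'vbawarnings'                       = 3   # otherwise only macros signed by a trusted publisher
}

function Set-OfficeMacroPolicy {
    foreach ($app in 'Word', 'Excel', 'PowerPoint', 'Access') {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        New-Item -Path $key -Force | Out-Null
        foreach ($name in $MacroPolicy.Keys) {
            Set-ItemProperty -Path $key -Name $name -Value $MacroPolicy[$name] -Type DWord
        }
    }
    # Disable Windows Script Host so .js/.vbs droppers cannot run through wscript/cscript.
    $wsh = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
    New-Item -Path $wsh -Force | Out-Null
    Set-ItemProperty -Path $wsh -Name 'Enabled' -Value 0 -Type DWord
}

# --- 2. Defender attack surface reduction rules -----------------------------------
# Microsoft's published rule GUIDs, chosen (our assumption) to match the stages in the report:
# macro/script initial access, LSASS credential theft, PsExec/WMI lateral movement, ransomware.
$AsrRules = [ordered]@{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
    'D1E49AAC-8F56-4280-B9BA-993A6D77406C' = 'Block process creations originating from PSExec and WMI commands'
    'C1DB55AB-C21A-4637-BB3F-A12568109D35' = 'Use advanced protection against ransomware'
}

function Set-AsrRules {
    # Start in AuditMode, review events 1122 (audited) / 1121 (blocked) in the
    # Microsoft-Windows-Windows Defender/Operational log, then rerun with -Mode Enabled.
    # Caveat: the PsExec/WMI rule conflicts with Configuration Manager clients; drop it there.
    param([ValidateSet('AuditMode', 'Enabled')] [string] $Mode = 'AuditMode')
    $ids     = @($AsrRules.Keys)
    $actions = @($ids | ForEach-Object { $Mode })
    Add-MpPreference -AttackSurfaceReductionRules_Ids $ids -AttackSurfaceReductionRules_Actions $actions
}

function Get-AsrRuleState {
    # Read back what is actually configured; Defender reports actions as integers.
    $pref = Get-MpPreference
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id   = $pref.AttackSurfaceReductionRules_Ids[$i]
        $name = if ($AsrRules[$id]) { $AsrRules[$id] } else { $id }
        $act  = switch ($pref.AttackSurfaceReductionRules_Actions[$i]) {
                    0 { 'Disabled' } 1 { 'Enabled' } 2 { 'AuditMode' } 6 { 'Warn' } default { $_ }
                }
        [pscustomobject]@{ Rule = $name; Action = $act }
    }
}

Set-OfficeMacroPolicy
Set-AsrRules -Mode AuditMode
Get-AsrRuleState | Format-Table -AutoSize
```

Audit mode is the important step: the rules log what they would have blocked without breaking anything, so line-of-business macros and management tooling surface in the event log before enforcement rather than as help-desk tickets afterwards.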

Enforce multi-factor authentication

Make sure that MFA is enforced for all accounts, prioritizing those with administrator access.

MFA is especially critical with a remote or hybrid workforce, where it should be required on all devices, in all locations and at all times, not only for connections from outside the office. Also enable passwordless authentication such as FIDO security keys or authenticator apps for the sites and services that support it.

Look for blind spots in your security

Verify that your security products are installed correctly and tested regularly. Make sure they run with the intended configuration and that no part of your network is left uncovered.

Harden your internet facing assets

Remove duplicate or unused applications and services so they cannot be turned into an entry point.

Remote-access apps like TeamViewer are prime targets for cybercriminals, so control how, where and by whom such tools may be installed and exposed.

Harden your cloud assets

As attackers target cloud-based resources, you need to secure these as well as on-premises assets.

Harden the cloud environment itself, and protect cloud admin and tenant admin accounts to the same standard you apply to domain admins.

Keep your systems up to date

Maintain an inventory of your software and systems so you know where to prioritize support and security, and can quickly patch the most sensitive and critical assets.
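The posture check below is an added example, not code from Microsoft's report or the article, and it serves three of the recommendations above: it builds the software inventory needed to prioritize patching, searches it for remote-access and bulk-upload tools of the kind the report calls out (TeamViewer), and confirms the endpoint's security product is actually running and current rather than assumed to be. It assumes Windows 10/11 or Server 2016 or later with Microsoft Defender Antivirus; the watch list beyond TeamViewer and the signature-age threshold are assumptions to tune locally.

```powershell
# Added example; not code from Microsoft's report or from the article.
# Read-only: nothing here changes configuration.

function Get-InstalledSoftware {
    # Read the Uninstall keys rather than Win32_Product, which is slow and triggers MSI self-repair.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
        Sort-Object DisplayName -Unique
}

# TeamViewer is the report's example; the rest are the same class of tool (remote control,
# tunnelling, bulk cloud upload) and are an assumption to adjust to what you sanction.
$WatchList = 'TeamViewer', 'AnyDesk', 'ScreenConnect', 'Splashtop', 'ngrok', 'Rclone', 'MEGAsync'

function Find-WatchListSoftware {
    param([Parameter(Mandatory)] [object[]] $Software)
    $pattern = ($WatchList | ForEach-Object { [regex]::Escape($_) }) -join '|'
    $Software | Where-Object { $_.DisplayName -match $pattern }
}

function Get-DefenderPosture {
    param([int] $MaxSignatureAgeDays = 3)   # assumption: tolerate signatures up to 3 days old
    $s   = Get-MpComputerStatus
    $age = ((Get-Date) - $s.AntivirusSignatureLastUpdated).TotalDays
    [pscustomobject]@{
        AntivirusEnabled   = $s.AntivirusEnabled
        RealTimeProtection = $s.RealTimeProtectionEnabled
        TamperProtection   = $s.IsTamperProtected
        SignatureAgeDays   = [int]$age
        Healthy            = $s.AntivirusEnabled -and $s.RealTimeProtectionEnabled -and
                             $age -le $MaxSignatureAgeDays
    }
}

function Get-PatchPosture {
    # Most recent hotfix as a coarse "when was this box last patched" signal.
    $latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    [pscustomobject]@{
        LastHotFix         = $latest.HotFixID
        InstalledOn        = $latest.InstalledOn
        DaysSinceLastPatch = if ($latest) { [int]((Get-Date) - $latest.InstalledOn).TotalDays } else { $null }
    }
}

# Record the inventory (one CSV per host, collected centrally) and print what needs attention.
$software = Get-InstalledSoftware
$software | Export-Csv -Path "$env:COMPUTERNAME-software-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
"Installed packages: $($software.Count)"
"Remote-access / upload tools present:"
Find-WatchListSoftware -Software $software | Format-Table DisplayName, DisplayVersion, Publisher -AutoSize
Get-DefenderPosture | Format-List
Get-PatchPosture | Format-List
```

Collected across the fleet, the CSVs are the inventory the report asks for; a host with a remote-access tool nobody sanctioned, a stale Defender signature or a months-old last hotfix is exactly the kind of blind spot that an affiliate looks for.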
