HELP WANTED: Are you looking to pad your golden years and increase your grandkids' birthday money? Forget about reverse mortgages; instead, join our network of ransomware agents. If you can play bridge online, you can run your own ransomware campaign.
The billion-dollar ransomware business, and fifth-highest distributed malware according to the 2017 Verizon DBIR, is now accessible to anyone — no technical expertise required. Just like you can use an app to get a date, a ride, or even a mortgage, today's as-a-service technology has democratized ransomware, offering no-skilled criminals — or grandmothers who need a little extra cash — a low-friction way to get in on the game. And it's having an impact on enterprises.
The first ransomware criminals had to build malware and sneak it inside an organization — usually accomplished with a convincing phishing campaign. Once inside, the malware locks down valuable data and holds it for ransom. The more targets an attacker hits, the better their return.
Now, with ransomware-as-a-service, attackers no longer have to build and maintain their own malware, develop an infrastructure, or manage an attack — all they need to do is sign up, offer a few grandkids' or pesky neighbors' emails, and pay a percentage as a service fee.
Ransomware-as-a-service strains like Cerber and Karmen — and now WannaCry — are dominating information security headlines and Twitter feeds, even unseating Locky from the ransomware throne. Both variants offer as-a-service models that lower the barrier to entry and provide graphical dashboards on metrics like infection rates and ransoms paid. Customers can even increase their ransom price.
RaaS: Best Tools at the Best Price
Similar to how legitimate SaaS offerings allow organizations to outsource parts of their business and infrastructure, ransomware criminals can now outsource managing and maintaining their ransomware practice. Ransomware-as-a-service providers — just like their legitimate SaaS counterparts — have an interest in making sure their customers (like grandma) have access to the best tools at competitive prices so that more will choose their service. When one threat vector closes, their business revenue is affected, so it's in their best interest to deploy updates and stay ahead of the technologies and practitioners working to stop them.
Organizations should expect the number of attacks to continue to increase, thanks to ransomware's low barrier to entry and increased sophistication due to competition between ransomware-as-a-service businesses that fight to stay ahead of each other and enterprise malware detection efforts.
Though as-a-service ransomware may increase the frequency and sophistication of attacks, the key strategies that organizations need to employ to address ransomware and other threats remain the same:
- Protect data from the inside. The perimeter isn’t going to protect against code running inside the firewall. Determined attackers will likely be able to get inside the network (if there's even such a thing as "inside" any more), so assuming a strong perimeter will protect you by itself may mean that your security inside the perimeter leaves you at risk.
- Rethink your access rights. In the recent 2017 Varonis Data Risk Report, an average 20% of all folders within an organization are open to everyone. That means that only one user needs to make a mistake and become infected with ransomware to take down 20% of your shared files. Make sure that only the right people have access to what they're supposed to and data isn't accessible to every employee.
- Monitor everything. You can't catch what you can't see, and monitoring the data that's at risk is critical. Nobody breaks into the bank to steal the pens, so make sure that you're looking at how users access data so you know when something goes wrong. Here's a hint: if you've missed a ransomware attack, you've definitely missed just about any other data-centric attack. Ransomware is the easiest attack to spot if you're watching how file systems are being used.
- Have a remediation plan. Finally, organizations should regularly perform backups of their file system, especially critical and sensitive data, and have a remediation plan to find and restore compromised data in the case of ransomware and other cyber attacks.