News, news analysis, and commentary on the latest trends in cybersecurity technology.

Ransomware-as-a-service gangs are difficult to shut down, but sophisticated, AI-driven defenses may finally be killing their profits.

Oakley Cox, Director of Analysis, Darktrace

March 14, 2022

4 Min Read
Global ransomware threat illustrated by open lock icons in red superimposed on image of Earth
Source: NicoElNino via Alamy

Last summer, the ransomware-as-a-service (RaaS) group REvil exploited a vulnerability in Kaseya's software to launch one of the most impactful ransomware attacks on record. Europol arrested seven members of the group that year and, after US requests for action, Russia followed suit with 14 arrests in January.

Two weeks after Russia made its arrests, however, malware research firm ReversingLabs says the number of REvil implants has actually increased. This article explores why and how to stay ahead of an evolving RaaS threat landscape.

RaaS: Too Big to Fail?
The RaaS business model is underpinned by increasingly well-established and professional criminal gangs. A recent ransomware report issued collaboratively by the FBI, CISA, NCSC, ACSC, and NSA highlighted the complexity of RaaS networks; the developers, affiliates, and freelancers they work with; and the difficulty in attributing cyberattacks to certain groups or individuals. The impact of pulling one person — or, indeed, 20 members — from this network through arrests appears small. The business model is resilient to disruption while still remaining incredibly profitable.

At the same time, the tactics, techniques, and procedures (TTPs) the gangs employ are ever-changing, with whole groups disappearing and then reemerging under new titles.

What this does is allow the criminals to shake off law enforcement efforts while also keeping ahead of cyber defense teams. Traditional security tools are engineered around rules and signatures of past attacks, and they therefore fail to address the new and evolving TTPs employed by RaaS threat actors.

There is a way to get ahead of this problem. AI technology can react to novel threats because it understands what constitutes "normal" for its digital surroundings and, as a result, spots the subtle behavior that deviates from this norm. It was this approach that allowed automated AI security software to shine a light on a REvil ransomware attack in the summer of 2021. Here's what happened.

REvil in the Wild
The attack targeted a health and social care organization, a sector that has become more popular among cybercriminals since the onset of the pandemic.

The attacker gained access via a remote worker's laptop and then escalated their privileges using a legitimate remote desktop protocol (RDP) connection to a corporate server. With the authority of these new credentials, the attacker was able to reach numerous other internal devices, using its widespread access to steal data and exfiltrate it to REvil-controlled infrastructure.

Because this targeted organization had employed AI-powered security tools across its digital estate, it had complete visibility over the compromised laptop and every other endpoint device in its digital environment, and the organization was alerted immediately.

When this organization decided to roll out AI for threat detection, the decision was to keep it in monitoring and not enable AI-response. Since the AI wasn't configured to respond, the attack was not stopped. After two further weeks, the attacker found the organization's most sensitive data.

Tracing the Kill Chain
This attack was carried out using sophisticated tools and a high degree of patience. By spacing out the stages of the attack, the threat actors made its overall trajectory much harder for a human team to identify. This is a common approach for RaaS groups, which often divide the different stages of an attack between various gang members and affiliates.

The use of "living off the land" techniques, by which attackers abuse legitimate programs regularly in use by the target organization to perform malicious actions, also helped them to avoid the attention of traditional security tools.

The AI system detected each step of the attack chain, including unusual external connections the attack used for command and control (C2), and created a coherent security incident for review. The security team were able to leverage the information to take action and initiate remediation efforts.

Cybercriminal gangs are amorphous and ever-changing, and the business model of ransomware-as-a-service ensures the latest attack tools are distributed far and wide. Because of this, making individual arrests is unlikely to have a significant impact on the wider trend of faster and more frequent ransomware attacks.

This highlights the importance for organizations of all sizes to have the right protections in place to defend against the next wave of attacks. Adopting technology that exceeds the sophistication of these RaaS gangs is the most surefire way of attacking their profitability. Individual threat actors are too numerous to target effectively; the attacks themselves must be rendered ineffective by adopting AI, not only in the detection of cyber threats, but in response as well.

About the Author(s)

Oakley Cox

Director of Analysis, Darktrace

Oakley Cox is Director of Analysis at Darktrace, based at the Cambridge headquarters. He oversees the defense of critical infrastructure and industrial control systems, helping to ensure that Darktrace’s AI stays one step ahead of attackers. Oakley is GIAC certified in Response and Industrial Defense (GRID), and helps customers integrate Darktrace with both existing and new SOC and Incident Response teams. He also has a Doctorate (PhD) from the University of Oxford.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights