Partner Perspectives

Extortion Economics: Ransomware's New Business Model

Ransomware-as-a-service lowers the barriers to entry, hides attackers’ identities, and creates multitier, specialized roles in service of ill-gotten gains.

Did you know that more than 80% of ransomware attacks can be traced to common configuration errors in software and devices? This ease of access is one of many reasons why cybercriminals have become emboldened by the underground ransomware economy.

And yet many threat actors work within a relatively small and interconnected ecosystem of players. This pool of cyber criminals has created specialized roles and consolidated the cybercrime economy, fueling ransomware-as-a-service (RaaS) to become the dominant business model. In doing so, they've enabled a wider range of criminals to deploy ransomware regardless of their technical expertise and forced all of us to become cybersecurity defenders in the process.

Microsoft Security doesn't just rely on open forum monitoring and ransomware claims to identify emerging cybercrime trends. We track ransomware attacks across the entire arc of the event — from incursion and exfiltration to ransom demand. This has allowed us to identify patterns in cybercriminal activity and turn cybercrime into a preventable business disruption. Following are some of our top tips.

Understanding How RaaS Works

Ransomware takes advantage of existing security compromises to gain access to internal networks. In the same way businesses hire gig workers to cut costs, cybercriminals have turned to renting or selling their ransomware tools for a portion of the profits rather than performing the attacks themselves.

This flourishing RaaS economy allows cybercriminals to purchase access to ransomware payloads and data leakage, as well as payment infrastructure. What we think of as ransomware gangs are actually RaaS programs like Conti or REvil, used by the many different actors who switch between RaaS programs and payloads.

RaaS lowers the barrier to entry and obfuscates the identity of the attackers behind the ransoming. Some programs can have 50 or more "affiliates," as they refer to their users, with varying tools, tradecraft, and objectives. Anyone with a laptop and credit card who is willing to search the Dark Web for penetration-testing tools or out-of-the-box malware can join this maximum efficiency economy.

So what does this mean for enterprises?

Fresh Insight From a New Business Model

This industrialization of cybercrime has created specialized roles in the RaaS economy. When companies experience a breach, multiple cybercriminals are often involved at different stages of the intrusion. These threat actors can gain access by purchasing RaaS kits off the Dark Web, consisting of customer service support, bundled offers, user reviews, forums, and other features.

Ransomware attacks are customized based on target network configurations, even if the ransomware payload is the same. They can take the form of data exfiltration and other impacts. Because of the interconnected nature of the cybercriminal economy, seemingly unrelated intrusions can build upon each other. For example, infostealer malware steals passwords and cookies. These attacks are often viewed as less serious, but cybercriminals can sell these passwords to enable other, more devastating attacks.

However, these attacks follow a common template. First comes initial access via malware infection or exploitation of a vulnerability. Then credential theft is used to elevate privileges and move laterally. This templatization has allowed prolific and detrimental ransomware attacks to be performed by attackers without sophisticated or advanced skills.

Strategies for Businesses to Deploy

Now that we understand the mechanics behind RaaS, let's examine several preventative measures that companies can take.

  • Build credential hygiene: Develop a logical network segmentation based on privileges that can be implemented alongside network segmentation to limit lateral movement. Failure to implement credential hygiene is one of the biggest security misconfigurations that we observe, and yet this simple tool can be a major factor in preventing threat actors from moving laterally and distributing a ransomware payload across the company. 
  • Audit credential exposure: Audit your credential exposure to better prevent ransomware attacks and cybercrime at large. IT security teams and security operations centers (SOCs) can work together to reduce administrative privileges and understand the level at which their credentials are exposed.
  • Reduce the attack surface: Establish attack surface reduction rules to prevent common attack techniques used in ransomware attacks. In observed attacks from several ransomware-associated activity groups, organizations with clearly defined rules have been able to mitigate attacks in their initial stages while preventing hands-on-keyboard activity.

Ultimately, carrying out a ransomware attack is easier than ever thanks to the commoditization of ransomware toolkits. But by implementing foundational security best practices and monitoring their credentials, companies will be less likely to fall victim to a ransomware attack.

Read more Partner Perspectives from Microsoft.