We asked Vicky Ray, Director – UNIT 42 Cyber Consulting and Threat Intelligence, Asia Pacific and Japan, Palo Alto Networks about the extent of this emerging risk.
With ransomware attacks not showing any signs of slowing down, how does the ‘as-a-service’ model on social media further amplify the issue?
Along with perfecting their malware and building up their technical support operations, Ransomware-as-a-Service (RaaS) groups have also been implementing marketing strategies using social media – both to publish their victims’ information or to recruit more affiliates.
Today, social media sites are one of the many channels bad actors use to share stolen data. Roughly 4.9 billion people use some form of social media today. This is more than 60% of the world’s population. Its wide usage has made it one of the many channels where they hack into to steal identities for scams and to commit frauds. It is also a platform to share the incident or contact journalists. This will likely gain the attention of potential new affiliates, to carry out their attacks. For wannabe cyber extortionists, it becomes much easier for them to find these tools and services.
Do novice threat actors who deploy such attacks really pose a threat to businesses and individuals?
Ransomware-as-a-Service (RaaS) aims to make ransomware attacks simpler for those that only have little technical and programming skills, allowing them to participate in launching these attacks and earn financial gain. With this tactic, novice threat actors can obtain tailor-made ransomware developed by experts and ready to attack their potential victims.
The lack of expertise of the threat actors commissioning these attacks still poses a threat to businesses and individuals as the RaaS platform and the associated services provide a lower barrier to entry to sophisticated targeted attacks yielding large profits.
In 2021, a RaaS playbook from Conti was leaked, with instructions on how novice actors can compromise enterprise networks. Therefore, with minimum skills, threat actors can hunt for big corporations that can afford a high ransom.
While launching these attacks, these novice threat actors benefit from expert-level and sophisticated software to encrypt and decrypt files as well as 24/7 software support – hence they can launch their attacks more seamlessly.
Will this model add to the growing volume of ransomware attacks businesses face? How can they spot and prioritize tackling professional vs novice attacks?
The 2023 Unit 42 Ransomware and Extortion Report highlighted that ransomware payments reached as high as US$7 million in cases that Unit 42 observed in 2022.
With the reduced barrier to entry that the RaaS model offers, it could cause a flood of new threat actors using ransomware and expand the risk of ransomware attacks.
An example is LockBit 2.0, one of the RaaS groups that Unit 42 is actively monitoring.
The 2022 Unit 42 Incident Response Report outlined that as of May 2022, LockBit 2.0 has published information from more than 850 organizations – accounting for 46% of all ransomware-related breach events shared on leak sites within the year.
Organizations should not discriminate between professional and novice attacks.
Instead, organizations must develop a prevention-first cyber security strategy and be prepared to defend against all possible attack vectors by having a comprehensive awareness of all security vulnerabilities.
Cyber resilience with a strong incident response and recovery plan are also essential for mitigating damage.
Educating all members of the organizations about cyber hygiene measures is also important. Solidly covering the foundations of good cyber defense can help prevent attacks by rookie and expert cyber criminals looking for a payout.
Can this model be used as a breeding ground by cyber criminals to strengthen their networks? How can this menace be curbed at a grass roots level?
The RaaS model and associated forums can be a training and breeding ground for cyber-criminal organizations. Threat actors or affiliates participating in a RaaS model are part of an entire ecosystem, including developers, infrastructures and services for negotiation communications, guidance on how to execute the attacks and platforms for publishing stolen data.
They also have access to open darknet forums, allowing them to gain knowledge from other members and eventually improve their skills as well as create partnerships with others. Prolonged discussions on these open forums also grant them access to connect with higher-skilled cybercriminals. The forums may also be considered a recruitment ground for bigger cybercrime organizations.
Curbing attacks using the RaaS model requires increased education and stronger warnings of its illegality to prevent curious minds from wanting to try out the model. For organizations, staff education on social engineering tactics and other cybersecurity practices also needs to be done, as well as restricting administrative and system access to those who need it. On top of everything, using attack surface management platforms to patch and monitor vulnerabilities may also help.
With cybercrime becoming more and more lucrative, how can cyber police and society as a whole combat this ever-expanding attack surface?
The cyberpolice and government need to carry out regular horizon scans to study emerging trends, patterns and technologies used. If the landscape is regularly reviewed, the cyber police can develop new tools and strengthen their defense practices. Regular scanning of the open darknet forums to monitor and flag any developments in threat actors’ conversations could also be implemented.
Furthermore, governments must regularly assess and enhance capacities and capabilities to effectively combat cybercrime while incorporating industry best practices and learning from successful approaches in other jurisdictions.
On a societal level, a strong criminal justice system, bolstered by stringent and efficient laws, will empower law enforcement agencies to adequately probe cybercrimes and acquire the necessary evidence to prosecute the individuals accountable successfully. The procedures and processes of the criminal justice system must be agile and streamlined to effectively address emerging forms of cybercriminal activities, considering the rapidity and magnitude at which such crimes are committed.Click below to share this article