Ransomware is a lucrative business for criminals. It is paying off, and it is working.

According to a recent Trend Micro report, a staggering 84% of US organizations experienced either a phishing or ransomware attack in the last year. The average ransomware payment was over $500,000.

Bad actors want to keep cashing in. So they’re going as far as creating ransomware kits as a service (Ransomware as a Service) to be sold on the dark web and even setting up fake companies to recruit potential employees.

Many ransomware gangs function like real companies — with marketing teams, websites, software development, user documentation, support forums and media relations.

If the “companies” run by ransomware gangs can operate with minimal expenses and mind-blowing revenues, what’s stopping them from growing in number and size?

But, the more we know about how these gangs operate, the better we can be prepared for the next ransomware attack.

What Is Ransomware as a Service?

Ransomware attacks are on the rise because it’s easier than ever for criminals to launch an attack. So simple, in fact, that would-be attackers can download prefabricated ransomware kits containing everything they need to strike.

These ransomware kits are sold on the dark web as a service, much like the Software-as-a-Service (SaaS) model. Ransomware-as-a-Service kits provide criminals the opportunity to launch ransomware attacks with minimal technical knowledge. No malware creation skills? No problem.

Malicious actors often purchase the kits under a monthly subscription and, in many cases, are offered the opportunity to act as an affiliate of the malware creator’s service and earn a commission. Perpetuating ransomware is profitable all around.

With most RaaS kits, criminals get access to user forums, 24/7 technical support, user reviews and even discounts on future purchases.

Not only are RaaS kits crafted to minimize the technical roadblocks, but they’re also inexpensive. While the more extensive kits may fetch several thousand dollars, some ransomware kits sell for only forty dollars per month.

Using this business model, tracking and identifying these ransomware developers is more challenging since they are not the ones launching the attacks.

Unfortunately, cybersecurity experts predict RaaS to become more prevalent in 2022.

How Ransomware Gangs Operate

Ransomware is a lucrative and competitive business. In 2020, ransomware revenues were over $400 million worldwide.

Today, ransomware gangs operate much like regular, legitimate businesses would — complete with professional websites, marketing campaigns, how-to videos and even white papers.

Some ransomware gangs and operators are very well known in both black and white hat communities, and maintain a steady presence on the dark web. Many others, however, appear, disappear and reappear — often with new kits.

Would-be criminals looking to purchase a ransomware kit can even, for no money down, launch an attack and receive a smaller share of their victim’s ransom as an affiliate of a large ransomware gang. Some ransomware gangs might offer an easy-to-use interface for attack monitoring, while others only wish to deal with hackers with more technical skills.

According to Brett Callow, Threat Analyst at Emsisoft, one troubling trend to look out for is that the gangs are now using exfiltrated data in more extreme ways. “They no longer simply release it on the dark web,” he said. “Gangs use the data to contact customers or business partners or use non-publicly available information relating to mergers or IPOs as additional leverage.”

The FBI recently issued a Private Industry Notification (PIN) about the threat.

How the Enterprise Can Defend Against RaaS — Plus, Some Good News

Cybersecurity news is typically doom and gloom. How refreshing, then, to begin with some positive news on the ransomware front before outlining the best defense strategies.

“The risk-to-reward ratio today has a bit more risk and a bit less reward,” explained Callow. “Arrests, bitcoin recoveries, infrastructure disruption and bounties have given threat actors a few black eyes.”

Plus, Callow’s team of security experts have been actively pursuing a high-profile ransomware group — and they’re succeeding in helping victims quietly take back their data without dispensing any ransom.

Despite the progress, ransomware is not going away in 2022. For the enterprise, a robust ransomware defense strategy can only fortify its cybersecurity posture.

The backbone of that strategy is ensuring you follow a robust backup process. Backups should be regular and frequent. The more frequent the backups, the less data you are at risk of losing. Whenever possible, backups should be stored on different devices in different locations.

Backups aside, here are the key critical elements to include in your ransomware defense strategy:

– Embrace zero trust, enforce least privilege principles. IBM Security X-Force recommends that organizations apply least-privilege methodologies like zero trust so that user access is limited to what they need to do their jobs.

– Test employees. By testing employees with simulated phishing attacks, the chances of being successfully phished with a real ransomware email can diminish.

– Patch frequently. Maintaining an aggressive and current patch management policy can foil attackers that maliciously use zero-day vulnerabilities in their ransomware attacks — a notable threat intelligence trend.

– Change default passwords. This defense tactic is overlooked and underrated, as a default password is one of the easiest ways for a bad actor to gain easy entry and access.

– Use MFA wherever possible. While MFA isn’t foolproof, it’s a massive improvement over password-only protection and can be the difference between a successful and foiled attack.

– Use current antivirus and endpoint protection. AV solutions must be updated as often as possible since ransomware is constantly evolving to avoid detection. Additional endpoint protection solutions that detect suspicious behavior and untrusted applications should also be given serious consideration.

– Strip/limit/prohibit email attachments containing executables. Organizations may configure their email gateways to scan attached ZIP archives, but often forgo stripping or removing the executables. If the executable is malicious, it’s an easy way for attackers to bypass other endpoint controls.

– Foster a culture of security. When everyone in the organization, from the executive to the entry-level employee, is encouraged to participate in security, risk typically decreases.