Ransomware-As-A-Service – Implications For SMBs


Published: Nov-9-2022

Is your small business at risk of a ransomware attack?

Yes.

There are no ‘ifs’ or ‘buts’ attached to that answer because the harsh reality is that any business, of any size, is always at risk of ransomware. We will explore why that is so, and what you can do to protect your organisation.

RaaS – Ransomware Sauce Added To The SaaS Recipe

To understand Ransomware as a Service (RaaS) and how it impacts Small and Medium Businesses (SMBs) we must first understand ransomware and Software as a Service (SaaS) and how these intersect.

Ransomware

Ransomware is a form of malware that works by blocking access to a device or to the data stored on it, usually by encrypting files on the device. Ransomware can find its way into a device through many avenues, including malicious email attachments, phishing, and inadequately secured RDP sessions. Once ransomware enters a device, it will attempt to propagate through the network and, depending on the sophistication of the ransomware and the attacker, identify the most valuable data or files to encrypt, or look for backups and encrypt them as well. Once this reconnaissance is completed, the encryption will begin and the attacker will demand a ransom, typically in a cryptocurrency like Bitcoin, in exchange for decryption keys. This process may not be quick – the encryption phase may commence 3 months after the initial infection.

Ransomware operators have also begun to steal data before encrypting it, to apply additional pressure on victims to pay the ransom through:

  • Double Extortion – The attacker threatens to release the exfiltrated data if the ransom is not paid
  • Triple Extortion – The attacker contacts the victim’s clients and informs them that their data has been stolen and will be released if they or the victim does not pay the ransom

Software as a Service (SaaS)

SaaS is a software delivery model used by providers of legitimate software in which the software product is provided on a subscription or pay-as-you-go basis. The software provider takes care of many of the maintenance and management activities that the customer would have incurred if the product had been purchased outright, i.e., the product is converted into a service. Such software is typically offered through the cloud.

Ransomware as a Service (RaaS)

Ransomware is quite complex and not easy to develop, especially as businesses are ramping up their protection against ransomware, which forces ransomware developers to increase the sophistication of their ransomware to evade enterprise defences. Continuous development of ransomware leaves the developers with little time to search for suitable victims and carry out attacks. They have therefore applied the SaaS delivery model to ransomware to create Ransomware as a Service, where the developer provides the ransomware on a subscription or commission basis to affiliates who identify potential victims and carry out attacks.

RaaS offerings can be very sophisticated with developers advertising their offerings on the dark web and offering dashboards for the affiliates to use to monitor their attacks. Some RaaS providers even include Distributed Denial of Service (DDoS) attacks and voice-scrambled VoIP calls to the victim’s business partners and the media as part of their service to increase pressure on the victim to pay the ransom.

From the threat actors’ point of view, this is a superior model, as division of labour creates specialisation, increases productivity, and improves return on investment. However, this is bad news for victims, especially for SMBs.

RaaS Is A Nightmare For SMBs

Before the RaaS model was developed, ransomware developers would prefer attacking large companies as the ransom collected would have to be large enough to justify their effort and risk in developing and deploying the ransomware. Development of ransomware required great skill which limited the number of ransomware developers and therefore the number of attacks.

Under the RaaS model, the attack can be carried out by an affiliate who has no coding knowledge, which significantly increases the number of attackers. It now becomes profitable for ransomware operators to attack a large number of smaller victims, which opens the floodgates to attacks on SMBs. This is supported by attack statistics: the USA reports that 50-70% of all ransomware attacks target SMBs. This is a nightmare for SMBs because the disruption caused by a ransomware attack may be sufficient to shut down operations.

How SMBs Can Protect Their Operations From Ransomware

Once we accept that RaaS makes ransomware attacks on SMBs inevitable and that ransomware is an existential threat to businesses, we can frame a strategy to counter ransomware much as we would take steps to counter any other business threat.

  1. Frame a Cybersecurity Policy – Every organisation, no matter how small, needs a cybersecurity policy to lay down who is responsible for what. The policy must stipulate minimum cybersecurity standards that all employees must follow, irrespective of how low or high they are in the organisation’s hierarchy, along with role-based enhanced cybersecurity requirements, and employees must be made aware of these requirements. Policy compliance must be enforced across the rank and file, with penalties for non-compliance, to ensure the policy is followed. Examples of policy measures that help prevent ransomware attacks include standards for password strength and regulation of the use of remote desktops.
  2. Patch and Update Immediately – Hardware and software vendors release patches and updates to secure their products against known vulnerabilities. These should be installed immediately to avoid cyberattackers exploiting these vulnerabilities to launch ransomware attacks. The infamous WannaCry ransomware that affected computers across the world targeted machines that had not been patched despite a patch being available. Patches should be applied to all hardware and not just PCs, i.e., routers, printers, IoT devices, and other networking and networked devices should have their patches applied as soon as they become available.
  3. Deploy Endpoint Security – Ransomware is a type of malware and it can be stopped by enterprise anti-malware solutions like K7 Endpoint Security, which uses signature- and behaviour-based analysis to detect and prevent known and unknown ransomware. It also protects against some forms of phishing that can be used to introduce ransomware into a device. It is critical to ensure that all endpoints in the organisation are protected by endpoint security, as cyberattackers can launch ransomware attacks against the entire organisation by compromising a single unprotected device.
  4. Deploy Network Security – Cyberattackers may attempt to penetrate vulnerable networks to introduce ransomware into an organisation. Network security solutions like K7 Unified Threat Management devices provide gateway security and help thwart intrusion attempts.
  5. Invest in Training – Threat actors are aware that businesses use technology measures to protect devices and networks. They therefore use social engineering, like phishing, to attack employees by gaining their trust and misleading them into performing harmful actions, such as revealing information about the business that could be used to launch a ransomware attack. An alert and aware user is the best defence against phishing, and organisations should invest in training initiatives that will help employees spot social engineering attempts.

K7 Security’s Enterprise Security hardware and software solutions protect businesses of any size in a wide range of industries against ransomware and other cyberthreats. Contact Us to learn more about how we can help you protect your organisation against ransomware.