The “as a service” business model has gained widespread popularity as growing cloud adoption has made it possible for people to access important services through third-party providers. Given the convenience and agility of service offerings, perhaps it shouldn’t be surprising that the “as a service” model is being used by cybercriminals for nefarious purposes.
Ransomware as a service (RaaS) involves cybercriminals purchasing and selling access to ransomware payloads, leaked data, RaaS “kits,” and many other tools on the dark web. We explore this topic in the second edition of Cyber Signals, Microsoft’s quarterly brief that shines a spotlight on threat topics informed by our 43 trillion signals of data and research by more than 8,500 security experts. It’s one of the many resources available on Microsoft Security Insider, a site where you’ll find the latest cybersecurity insights and threat intelligence updates.
At Microsoft, we have been tracking the trend of human-operated ransomware. These threats are driven by humans who make decisions at every stage of the attack, making them particularly impactful and destructive to organizations. RaaS operations, such as REvil and the now-shutdown Conti, have the malware attack infrastructure and even stolen organizational data necessary to power ransomware activities. They then make these tools available on the dark web for a fee. Affiliates purchase these RaaS kits and deploy them in company environments. Like legitimate “as a service” offerings, RaaS may even include customer service support, bundled offers, and user review forums.
Ransomware as a service: Appealing to cybercriminals, challenging for companies
In more than 80 percent of ransomware attacks, the cybercriminals exploited common configuration errors in software and devices, which can be remedied by following security best practices. This means that ransomware actors are not relying on novel techniques. The same guidance around timely patching, credential hygiene, and a thorough review of changes to software and system settings and configurations can make a difference in an organization’s resilience to these attacks. Another challenge is that some actors have opted to forgo the ransomware payload. They exfiltrate the victim organization’s data and extort money by threatening to release that data or sell it on the dark web.
As a result, companies that limit their hunting efforts to looking for signs of just the ransomware payload are at a greater risk of a successful breach and extortion. Finally, the ease of RaaS for cybercriminals means it is highly likely to remain a challenge for organizations worldwide.
Cybercrime—including ransomware, business email compromise schemes, and the criminal use of cryptocurrency—comes at a significant cost. The Federal Bureau of Investigation’s 2021 Internet Crime Report found that potential losses exceeded USD6.9 billion in 2021.[1]
In the European Union, the European Union Agency for Cybersecurity (ENISA) reported that about 10 terabytes of data were stolen each month by ransomware threat actors between May 2021 and June 2022, and a whopping 58.2 percent of that stolen data involved employees’ personal information.[2]
Ransomware as a service offers a few advantages to cybercriminals:
- Lowers the barrier to entry for cybercriminals interested in committing ransomware attacks because these ransomware kits enable people with minimal technical expertise to deploy ransomware.
- Conceals the identity of the cybercriminals behind the attack because anyone with a laptop and a credit card can search the dark web, purchase RaaS kits, and join the RaaS gig economy. As a result, governments, law enforcement, media, security researchers, and defenders face a bigger challenge in determining the culprit behind the attacks.
What Microsoft is doing to share threat intelligence insights
Microsoft gains deep insights into the ever-evolving threat landscape and threat actors by analyzing more than 43 trillion threat signals daily and leveraging the unique skills of more than 8,500 experts—threat hunters, forensics investigators, malware engineers, and researchers supporting our threat intelligence community and customers. These experts specialize in dedicated areas, such as vulnerabilities, threat actors, ransomware, supply chain risk, social engineering, and geopolitical issues.
Microsoft focuses on gathering intelligence about these cybercriminals’ behaviors, tactics, tools, and techniques to truly understand the end-to-end scope of their attacks and operations. We believe cybersecurity intelligence should be shared broadly. You can see our insights in our security intelligence blogs, the Microsoft Digital Defense Report, and Cyber Signals, our quarterly briefing, which can be found on Security Insider, our source for threat insights and guidance.
We understand that managing the myriad tasks necessary to grow a business gives organizations precious little time to stay updated on the latest security threats, let alone to preempt and disrupt extortion threats. We are committed to sharing the threat insights we have gathered with the cybersecurity community to help organizations secure their employees, customers, and partners. We are all cybersecurity defenders. Together, we can stay ahead of these threats.
Strategies to protect your organization
Because cybercriminals rely on security vulnerabilities they can exploit, companies can help block attackers by investing in integrated threat protection across devices, identities, apps, email, data, and the cloud. Here are three major strategies to help protect your environment from RaaS attacks:
- Prepare to defend and recover: Adopt a Zero Trust approach, which means never trusting an identity but instead always fully authenticating, authorizing, and encrypting every access request before granting access. This strategy also involves taking measures to secure your backups and protect your data.
- Protect identities from compromise: Safeguard network credentials and prevent the lateral movement used by attackers to evade detection while moving through your organization in search of assets to exfiltrate or destroy.
- Prevent, detect, and respond to threats: Leverage comprehensive prevention, detection, and response capabilities with integrated security information and event management (SIEM) and extended detection and response (XDR). This means understanding typical attack vectors, like remote access, email and collaboration, endpoints, and accounts, and taking steps to prevent attackers from getting in. And, very importantly, ensure that along with outside-in protection you are also doing inside-out protection focused on data security, information protection, and insider risk management.
A great security posture starts with understanding the threat landscape. Microsoft remains deeply committed to partnering with our entire community on sharing intelligence and building a safer world for all together.
To stay up-to-date on ransomware as a service and other threat insights and guidance, bookmark Microsoft Security Insider.
[1] Internet Crime Report, Federal Bureau of Investigation. 2021.
[2] Ransomware: Publicly Reported Incidents are only the tip of the iceberg, European Union Agency for Cybersecurity. July 29, 2022.