Ransomware-as-a-Service (RaaS) has gone from strength to strength over recent years. Fuelled by organised criminal groups (OCGs), many of which are state sponsored and have security researchers on the payroll, the marketplace has grown into a billion-dollar industry transacted in cryptocurrency.
RaaS provides all the tools necessary to carry out a ransomware attack, from malware stealers and loaders, to phishing services that aid distribution, to access information and post-exploitation tools, lowering the barrier to entry for attackers. However, there is now evidence to suggest that market forces are diminishing returns and squeezing the main players.
To start with, we are seeing the decentralisation of OCGs, which are becoming more fragmented in a bid to evade law enforcement efforts. This decentralisation is not necessarily weakening RaaS. LockBit, which was disbanded in Operation Cronos and whose leader was named and sanctioned by the UK, US and Australia, has still rebounded. Its tools have since been published, which is undoubtedly a blow for the group, but all this has done is force RaaS operators to lower their profile. LockBit, once infamous for amassing $91 million, is now reported to be making ransom demands of less than $1 million.
Falling returns but a ramp up in attacks
It’s a similar story across the board, with the NCSC’s Ransomware, extortion and the cybercrime ecosystem report noting that the 45 per cent cut of a ransom that groups would usually take has now fallen due to increased competition from other RaaS groups. Initial Access Brokers (IABs), who buy and sell information on breach-ready environments, are also having to cut their prices and sell more. The knock-on effect is that attacks are ramping up, with the Information Commissioner’s Office (ICO) noting that ransomware attacks accounted for 11 per cent of all disclosures in 2023 (compared to 8 per cent in 2022, 7 per cent in 2021 and 5 per cent in 2020).
SMEs in particular are susceptible to ransomware attacks because they lack the robust defences and deep pockets of their larger counterparts. They also tend to rely heavily on third-party software and so often fall victim to supply chain attacks, such as the MOVEit file transfer software vulnerability so successfully exploited by Clop. In addition, security is less likely to be overseen by a dedicated team or even an individual, staff awareness may be low and policy enforcement lax.
Groups such as LockBit, Clop and Alphv/BlackCat, as well as relative newcomer 8Base, have been quick to exploit these weaknesses, but it is very difficult to ascertain how successful they have been because SMEs will often decide to pay the ransom rather than risk the downtime or regulatory ramifications of disclosure. In fact, groups have threatened to go public over a failure to disclose if their ransoms go unpaid: in November Alphv/BlackCat filed an SEC complaint against MeridianLink over its failure to disclose a breach the group itself had caused. And paying seems to be coming back into favour, with 48 per cent of companies saying they would not pay a ransom, compared to 57 per cent last year, according to the Cyber Security Breaches Survey 2024.
But is paying the ransom worthwhile? All the evidence points to the contrary. The ICO has stated that doing so is not considered an ‘appropriate measure’ to restore personal data and regards the business as having lost control over that data, placing it in breach of regulations such as GDPR. Moreover, the Ransomware: The Cost to Business Study 2024 reveals that organisations that pay are just as likely to be targeted again. Of the 84 per cent of organisations that did pay, 78 per cent were hit again and only 47 per cent saw their data returned, with no assurance that the data would not resurface on the dark web.
The democratising effects of GenAI
But there’s more bad news for SMEs, because the commoditisation of RaaS will also see OCGs turn to more efficient ways of making attacks pay, and that means generative AI. The NCSC has warned that the technology will increase the volume and impact of attacks over the next two years, as it will allow less skilled operators to carry out effective access and information gathering as well as improve targeting. That could well prove disruptive for the RaaS business model, particularly for IABs, and could see RaaS become a subset of the emerging GenAI-as-a-Service criminal marketplace.
However, the NCSC also states that ransomware is largely successful because of poor cyber hygiene: the failure to take basic measures such as regular backups, network segmentation, security awareness training and detection engineering. Threat detection and incident response (TDIR) is also vital for rapidly detecting and responding to a ransomware attack, and it is no longer outside the reach of the SME. Next-generation Security Information and Event Management (SIEM), for instance, offers threat hunting and pricing based on nodes rather than data volumes to keep costs predictable, while those lacking in-house resource can opt for Managed Detection and Response (MDR).
It’s also important that organisations look at how they perform threat detection. Traditionally, known Indicators of Compromise (IOCs), such as file hashes and IP addresses, were used to detect breaches, but an approach focused on detecting Tactics, Techniques and Procedures (TTPs) is more sustainable: an IOC changes with every new malware build or infrastructure rotation, whereas the threat actor’s methods persist, so TTP detection can spot novel threats. Such TTPs are catalogued by frameworks such as MITRE ATT&CK and can be used to devise playbooks for Security Orchestration, Automation and Response (SOAR) technology which, in tandem with a SIEM, can automate response. The result is that attacks are not just spotted but prioritised, with the SOAR able to advise on possible remediation and recovery options to help the business recover.
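To make the IOC-versus-TTP distinction concrete, the following is an added example written for this article, not code from the author or from Logpoint. It runs a hash-based IOC check and a small set of ATT&CK-mapped behavioural rules over a handful of constructed process-creation events of the kind a SIEM would normalise, then scores the hits per host the way a SOAR playbook might prioritise them. The events, hashes, hostnames and the response text are all made up for illustration; the technique IDs T1490 (Inhibit System Recovery) and T1204.002 (User Execution: Malicious File) are real MITRE ATT&CK identifiers. The point it shows is that a loader whose hash is not yet in any feed is invisible to the IOC check, while its shadow-copy deletion and recovery tampering are caught by the behavioural rules regardless of which binary performed them.

```python
import re
from dataclasses import dataclass

# Constructed sample telemetry (not real logs): process-creation events as a
# SIEM might normalise them. Hashes are placeholder hex, hosts/users invented.
EVENTS = [
    {"ts": "2024-06-01T09:12:01Z", "host": "fs01", "user": "svc_backup",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows", "sha256": "ab" * 32},
    {"ts": "2024-06-01T09:14:33Z", "host": "fs01", "user": "j.smith",
     "image": r"C:\Users\j.smith\AppData\Local\Temp\update.exe",
     "cmdline": "update.exe --install", "sha256": "cd" * 32},
    {"ts": "2024-06-01T09:14:40Z", "host": "fs01", "user": "j.smith",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet", "sha256": "ab" * 32},
    {"ts": "2024-06-01T09:14:41Z", "host": "fs01", "user": "j.smith",
     "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled no", "sha256": "ef" * 32},
    {"ts": "2024-06-01T09:15:02Z", "host": "fs01", "user": "j.smith",
     "image": r"C:\Users\j.smith\AppData\Local\Temp\update.exe",
     "cmdline": "update.exe --run", "sha256": "cd" * 32},
]

# Constructed threat-intel feed: it knows an OLDER build of the loader, so the
# hash actually present on fs01 ("cd" * 32) is not in it.
KNOWN_BAD_SHA256 = {"01" * 32}


@dataclass(frozen=True)
class TtpRule:
    technique: str        # MITRE ATT&CK technique ID (real IDs used below)
    name: str
    pattern: re.Pattern   # matched against "<image> <cmdline>"
    severity: int         # 1 (low) .. 5 (critical), drives SOAR prioritisation
    response: str         # playbook step the SOAR would propose (illustrative)


# Behavioural rules describe WHAT is done, not WHICH binary does it, so they
# survive a rebuilt loader or a rotated hash.
TTP_RULES = [
    TtpRule("T1490", "Inhibit System Recovery: shadow copies deleted",
            re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I), 5,
            "isolate host; verify offline backups before any restore"),
    TtpRule("T1490", "Inhibit System Recovery: Windows recovery disabled",
            re.compile(r"bcdedit(\.exe)?\s.*recoveryenabled\s+no", re.I), 5,
            "isolate host; verify offline backups before any restore"),
    TtpRule("T1204.002", "User Execution: executable run from user Temp",
            re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe", re.I), 3,
            "quarantine file; add its hash to the IOC feed; hunt other hosts"),
]


def ioc_matches(events, known_bad=KNOWN_BAD_SHA256):
    """Classic IOC detection: flag events whose file hash is on a bad list."""
    return [e for e in events if e["sha256"] in known_bad]


def ttp_matches(events, rules=TTP_RULES):
    """TTP detection: flag (event, rule) pairs whose behaviour matches a rule."""
    hits = []
    for e in events:
        haystack = f'{e["image"]} {e["cmdline"]}'
        for r in rules:
            if r.pattern.search(haystack):
                hits.append((e, r))
    return hits


def prioritise(hits):
    """Aggregate hits per host into a score plus de-duplicated playbook steps,
    sorted highest-risk first, as a SOAR would hand them to an analyst."""
    by_host = {}
    for e, r in hits:
        entry = by_host.setdefault(
            e["host"], {"score": 0, "techniques": set(), "actions": []})
        entry["score"] += r.severity
        entry["techniques"].add(r.technique)
        if r.response not in entry["actions"]:
            entry["actions"].append(r.response)
    return sorted(by_host.items(), key=lambda kv: kv[1]["score"], reverse=True)


if __name__ == "__main__":
    print("IOC hits:", len(ioc_matches(EVENTS)))          # 0: feed is stale
    hits = ttp_matches(EVENTS)
    print("TTP hits:", len(hits))                         # 4: behaviour caught
    for host, summary in prioritise(hits):
        print(host, summary["score"], sorted(summary["techniques"]))
        for step in summary["actions"]:
            print("  ->", step)
```

The benign `vssadmin list shadows` run by the backup account produces no hit, because the rule keys on the destructive `delete shadows` verb rather than on the binary name. In a real deployment the rule set would be far larger and tuned against the environment's baseline, but the structure is the same: behaviour patterns carrying an ATT&CK ID, a severity and a playbook action.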
RaaS is undoubtedly morphing in response to law enforcement and market pressures, but these are not curtailing attacks, just refocusing them, and we can expect further democratisation of the marketplace under GenAI. Ultimately, this will see attacks become even more targeted, making it vital that SMEs take heed of the NCSC advice and improve their cyber hygiene and TDIR capabilities to avoid becoming the next victim.
Christian Have is the CTO of Logpoint.