What is Ransomware-as-a-Service (RaaS) and How to Protect Your Data

It’s no secret that the underground world of bad actors that wreak havoc on businesses through ransomware, phishing, and malware has been stepping up its efforts, searching for more sophisticated ways to perform data breaches and other malicious acts. The average data breach incident costs companies millions of dollars - and attacks are on the rise: Ransomware attacks increased 40% around the world in Q3 2020. In the U.S., a 139% rise was experienced, reaching 145.2 million cases in Q3 2020.

A brand-new mode of attack has recently been coined Ransomware as a Service, or RaaS. The RaaS model is much like the Software as a Service (SaaS) model and allows ransomware developers to lease or sell their “products” to other parties. 

The Microsoft 365 Defender Threat Intelligence Team recently wrote: “Within this category of threats, Microsoft has been tracking the trend in the ransomware-as-a-service (Raas) gig economy, called human-operated ransomware, which remains one of the most impactful threats to organizations.

“We coined the industry term ‘human-operated ransomware’ to clarify these threats that are driven by humans who make decisions at every stage of their attacks based on what they find in their target’s network.”

Microsoft Key Insights on RaaS

Microsoft has continued to add updates on known RaaS threats: The most recent update in July provided new information about DEV-0206 activity, in which “existing Raspberry Robin infections are being used to deploy FakeUpdates, which then lead to follow-on actions resembling DEV-0243.” 

The Threat Intelligence Team has offered additional information about many other known RaaS actors, including DEV-0237, DEV-0450, DEV-0464, ELBRUS (FIN7), and DEV-0193 (TrickBot LLF) which have been identified as “the most prolific ransomware group today.” Read more about these threats here.

Protect Yourself Against RaaS

It may go without saying that companies need to step up their game to protect themselves against RaaS; however, many RaaS attackers have a keen understanding of system administration, allowing them to blend in. They also employ tools that evade and disable security products. One of the hackers’ most common tactics is to gain access to privileged credentials that are available in LSA Secrets. For this reason, Microsoft recommends building “credential hygiene” to protect your data from RaaS. This includes precautions like:

• When removing accounts from privileged groups, monitor for Logon Failed events (Event ID 4625) in Window Event forwarding 
• Determining the privileges in essential applications through the use of tools, such as LUA BuglightImproving administrator understanding of vulnerable credentials through LSASS or LSA Secrets by looking for events with EventID 4624, and in which a highly privileged logon type is 2,4, 6 or 10 
• Auditing credential exposure with a tool like BloodHound

Other ways to protect yourself from ransomware-as-a-service include: prioritizing the deployment of Active Directory updates and adding security patches as soon as they become available; hardening cloud environments by implementing Azure Security Benchmark; enforcing multifactor authentication; treating cloud administrators with the same credentials and with the same security “hygiene” as Domain Admins; reviewing and verifying that security tools are in their most secure configurations; and scanning networks regularly to make sure your products are protecting all systems, including servers.

Of course, there are many other ways to help prevent RaaS attacks — too many to discuss here. It’s important to stay on top of your security, particularly with the rise in RaaS and other malware schemes.