6 tips for staying ahead of RaaS: Extortion-as-a-Service


Last month, in their annual survey – The State of Ransomware 2022 – Sophos showed that 80% of Australian organisations were hit with ransomware in 2021. The advent of Ransomware-as-a-Service (RaaS) has changed the threat landscape again. Bad actors with limited coding knowledge can now lease or subscribe to ready-made ransomware, giving anyone with the intent the tools to quickly shut down operations and extort money from high-value corporate targets.

Affiliate networks of no-coders

Criminal hackers have historically needed to be coders: adjusting, adapting and tailoring their tooling was essential for results. By building affiliate networks, ransomware developers now reach a much wider pool of operators, and the breadth, depth and volume of attacks are growing and hitting victims harder than ever before.

How do Ransomware-as-a-Service, or RaaS, attacks work?

RaaS uses the same principles as any other ransomware attack. As explained above, the difference is that non-coders can now be threat actors too, while the developers behind the ransomware have levelled up their marketing and business strategies.

Unsurprisingly, phishing is often the first line of attack, with front-line staff falling victim to convincing text messages or emails. And whilst we are all getting wiser and smarter at spotting a scam, the approaches are increasingly believable. We have become used to spotting badly composed emails, a dodgy-looking logo or a suspicious sender address, but these aren't your Nana's scams; it is now harder than ever to identify one.

Links get clicked, instructions are followed, and abracadabra, access is granted as if a magic word was uttered and ornate double doors open to reveal everything you thought was secure.

What happens next varies significantly, but typically critical systems, sensitive documentation and/or operational systems are encrypted, made inaccessible or otherwise compromised.

Eventually, once the panic has had time to set in, you will be offered an ‘out’ in the form of a decryption key, to be sent to you once a sum of money is paid in cryptocurrency (chosen because the attackers expect it to be hard to trace) before a fast-approaching deadline.

How can you defend against RaaS attacks?

This really depends on your organisation’s maturity, size and risk profile. There is more than one set of “3 Ps” in security, but if you can’t do anything else, Patching, Passwords and People are your way forward, and they make up our first three tips to stay ahead of RaaS attacks.

Patching – Keep operating systems, applications and firmware up to date, prioritising internet-facing systems.

Passwords – Change default passwords, enforce strong passwords and Multi-Factor Authentication (MFA), and tie both into a Privileged Access Management (PAM) approach so that administrative access is controlled and logged.

People – Train people to be your first line of defence rather than the weakest link in the chain. If you make it easy for humans to do the right thing, they will almost always do it.


Once your 3 Ps are covered, our next three tips should be your next three steps:

An asset and vulnerability management program – to understand what you have, where you are exposed, and which exposures to fix first.

A cyber security framework – as a baseline, choose the ACSC Essential Eight Maturity Model; for more sophisticated set-ups, the NIST Cybersecurity Framework will be your go-to.

Quality detection methodology and tooling – map your detections to a framework such as MITRE ATT&CK (a knowledge base of adversary tactics and techniques, not a tool in itself) so you know which techniques you can see and which you cannot.
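The detection tip above is the one item in this list that lends itself to a concrete illustration. What follows is an added example, not the page’s own or its author’s tooling: a minimal Python rule set that scans process-creation log lines and tags each hit with the MITRE ATT&CK technique it maps to. The two techniques used are T1490 (Inhibit System Recovery, covering shadow-copy deletion and recovery-disabling commands that ransomware commonly runs just before encrypting) and T1059.001 (Command and Scripting Interpreter: PowerShell, here an encoded command). The log format, host name, user names and command lines are constructed for the example and are not from any real incident.

```python
"""Map process-creation events to MITRE ATT&CK techniques (added example).

Not the page's own tooling: a small rule engine that scans process-creation
log lines and tags each match with the ATT&CK technique it maps to, so that
detection coverage can be expressed in ATT&CK terms. The log format, host
name, users and commands below are constructed for this example.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    technique_id: str    # ATT&CK technique ID the detection maps to
    technique_name: str
    pattern: re.Pattern  # matched against the command line only


# Deliberately narrow patterns for well-known ransomware precursors; a real
# rule set would be broader (e.g. PowerShell's abbreviated -e / -ec flags are
# not covered here).
RULES = [
    # Shadow-copy deletion and disabling Windows recovery: T1490.
    Rule("T1490", "Inhibit System Recovery",
         re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    Rule("T1490", "Inhibit System Recovery",
         re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    Rule("T1490", "Inhibit System Recovery",
         re.compile(r"\bbcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I)),
    # Encoded PowerShell command line: T1059.001.
    Rule("T1059.001", "Command and Scripting Interpreter: PowerShell",
         re.compile(r"\bpowershell(\.exe)?\s+.*-enc(odedcommand)?\s+", re.I)),
]

# Constructed sample log: a macro-laden document spawns an encoded PowerShell
# command; later, shadow copies are deleted and recovery is disabled. The last
# line is malformed on purpose to show that unparseable lines are skipped.
CONSTRUCTED_LOG = """\
2022-06-01T09:14:02Z host=fin-ws01 user=jsmith parent=outlook.exe cmd="winword.exe /q C:\\Users\\jsmith\\Downloads\\invoice.docm"
2022-06-01T09:14:09Z host=fin-ws01 user=jsmith parent=winword.exe cmd="powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"
2022-06-01T09:20:41Z host=fin-ws01 user=SYSTEM parent=cmd.exe cmd="vssadmin.exe delete shadows /all /quiet"
2022-06-01T09:20:43Z host=fin-ws01 user=SYSTEM parent=cmd.exe cmd="bcdedit.exe /set {default} recoveryenabled no"
2022-06-01T09:21:00Z host=fin-ws01 user=jsmith parent=explorer.exe cmd="notepad.exe C:\\Users\\jsmith\\notes.txt"
this line is not in the expected format and is skipped
"""

# Assumed key=value log layout; adjust LINE_RE for a real EDR/Sysmon export.
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+'
    r'parent=(?P<parent>\S+)\s+cmd="(?P<cmd>.*)"$'
)


def parse_line(line: str):
    """Return the event fields as a dict, or None if the line does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def detect(log_text: str):
    """Run every rule over each parsed event; one hit per event at most."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        for rule in RULES:
            if rule.pattern.search(ev["cmd"]):
                hits.append({
                    "ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                    "parent": ev["parent"], "cmd": ev["cmd"],
                    "technique": rule.technique_id, "name": rule.technique_name,
                })
                break  # first matching rule wins for this event
    return hits


def coverage(hits):
    """Sorted list of distinct ATT&CK technique IDs seen in the hits."""
    return sorted({h["technique"] for h in hits})


if __name__ == "__main__":
    found = detect(CONSTRUCTED_LOG)
    for h in found:
        print(f'{h["ts"]} {h["host"]} {h["technique"]} ({h["name"]}): {h["cmd"]}')
    print("ATT&CK techniques observed:", ", ".join(coverage(found)))
```

On the constructed log this reports three events (one T1059.001, two T1490) and a coverage list of two techniques. The point of the mapping is the second output: tracking which ATT&CK technique IDs your rules fire on, and comparing that against the techniques ransomware affiliates are known to use, shows where detection is missing.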


And bonus tip #7:

Other tested processes – if you have found other tested processes that fit your ways of working and enable your organisation to respond effectively to events and incidents, then by all means keep using them!


And finally, one more tip. We say it so often that it could count as our cybersecurity mantra: always use an expert.

The cyber universe is hard to keep up with, and organisations shouldn’t be bogged down in the overwhelming task of tracking it. They should be focused on what they do best, whether that is running a profitable business, providing public-sector services, educating students, providing healthcare, and so on. Instead, find a partner to be the backbone of your security operations so that you keep trading for the long term.

Engaging a partner is an investment, yes, but when compared to the crippling commercial impact of a cyber security breach, the investment can pay dividends in days.

