Last month, in their annual survey – The State of Ransomware 2022 – Sophos reported that 80% of Australian organisations surveyed were hit with ransomware in 2021. The advent of Ransomware-as-a-Service (RaaS) has changed the threat landscape again. Now, bad actors with little or no coding ability can obtain ransomware on a subscription or revenue-share basis, giving criminals who have the intent but not the skills the tools to shut down operations and extort money from high-value corporate targets.

Affiliate networks of no-coders

Historically, running a ransomware operation demanded coding ability: operators had to adjust, adapt and tailor their tooling to get results. RaaS operators now build affiliate networks instead, recruiting affiliates who handle the break-in and deployment in return for a share of the ransom. That widens the pool of people who can mount an attack, and the breadth, depth and volume of attacks are growing, hitting more victims than ever before.

How do Ransomware-as-a-Service, or RaaS, attacks work?

RaaS attacks follow the same stages as any other ransomware attack. The difference, as explained above, is in who carries them out: the developers now market and run the service like a business, and affiliates who cannot write malware themselves carry out the intrusions.

Unsurprisingly, phishing is often the first line of attack, as front-line staff fall foul of convincing text messages or emails. And whilst we're all getting wiser at spotting a scam, the lures are increasingly believable. We've become used to spotting badly composed emails, a dodgy-looking logo or a misspelt sender address, but these aren't your Nana's scams; it's now harder than ever to identify one. Phishing is not the only way in, either: exposed remote-access services and unpatched internet-facing systems are common entry points too, which is why patching heads the list of defences below.

Links get clicked, instructions are followed, and abracadabra, access is granted as if a magic word was uttered and ornate double doors open to reveal everything you thought was secure.

What happens next varies, but the usual pattern is that the attacker moves through the network, disables backups and recovery, and then encrypts the systems and data the business depends on: file servers, operational systems and sensitive documentation become inaccessible or compromised.

Eventually, once the panic has had time to set in, you'll be offered an 'out': a decryption key, to be handed over once a sum of money is paid in cryptocurrency (chosen because it is hard to trace) before a fast-approaching deadline.

How can you defend against RaaS attacks?

This really depends on your organisation's maturity, size, and risk profile. There is more than one set of "3 Ps" in security, but if you can't do anything else, Patching, Passwords and People is your way forward, and they make up our first 3 tips to stay ahead of RaaS attacks.

Patching – Keep systems and technologies up to date.

Passwords – Change default passwords, enforce strong and unique passwords, require Multi-Factor Authentication (MFA), especially on remote access and administrative accounts, and manage privileged accounts through a Privileged Access Management (PAM) process.

People – Train people to be your first line of defence rather than the weak link in the chain, including how to report a suspected phish. If you make it easy for people to do the right thing, they almost always will.


Once the 3 Ps are covered, the next 3 tips are the next 3 steps to implement:

An asset and vulnerability management program – to understand what you have, and where you’re exposed.

A cyber security framework – as the baseline standard, choose the ACSC Essential Eight Maturity Model; for more sophisticated set-ups, the NIST Cybersecurity Framework will be your go-to.

Quality detection methodology and tooling – with coverage mapped to MITRE ATT&CK. ATT&CK is not a tool but a catalogue of adversary tactics and techniques; mapping your logging and alerting against it shows which ransomware behaviours you would actually catch and where the gaps are.
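As an added example, not code from the original post or from any vendor or framework: a small Python detector that runs over constructed endpoint log lines and maps two behaviours seen in ransomware deployments to their MITRE ATT&CK technique IDs, T1490 (Inhibit System Recovery, shadow-copy and backup destruction) and T1486 (Data Encrypted for Impact, a burst of renames to one new extension). The log format, hostnames, file paths and thresholds are assumptions made for the example.

```python
"""Added example: map ransomware-style behaviours in endpoint telemetry to
MITRE ATT&CK technique IDs. The log lines below are constructed for the
example; the field layout (timestamp | host | event_type | detail) is an
assumption, not any particular product's format."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample telemetry (not real data): process-creation and
# file-rename events from two hosts. Raw strings keep the Windows paths readable.
SAMPLE_LOG = [
    r"2022-06-01T09:00:01 | HR-PC-07 | process | vssadmin.exe delete shadows /all /quiet",
    r"2022-06-01T09:00:02 | HR-PC-07 | process | cmd.exe /c wmic shadowcopy delete",
    r"2022-06-01T09:00:05 | HR-PC-07 | file_rename | D:\Finance\Q1.xlsx -> D:\Finance\Q1.xlsx.locked",
    r"2022-06-01T09:00:06 | HR-PC-07 | file_rename | D:\Finance\Q2.xlsx -> D:\Finance\Q2.xlsx.locked",
    r"2022-06-01T09:00:06 | HR-PC-07 | file_rename | D:\Finance\budget.docx -> D:\Finance\budget.docx.locked",
    r"2022-06-01T09:00:07 | HR-PC-07 | file_rename | D:\Finance\payroll.csv -> D:\Finance\payroll.csv.locked",
    r"2022-06-01T09:00:08 | HR-PC-07 | file_rename | D:\Finance\notes.txt -> D:\Finance\notes.txt.locked",
    r"2022-06-01T09:15:00 | FS-01 | file_rename | E:\Share\draft.tmp -> E:\Share\report.pdf",
    r"2022-06-01T09:16:30 | FS-01 | process | vssadmin.exe list shadows",
]

# ATT&CK T1490 (Inhibit System Recovery): command lines that destroy
# Volume Shadow Copies or backup catalogues before encryption begins.
RECOVERY_INHIBIT_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"bcdedit(\.exe)?\b.*recoveryenabled\s+no", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
]


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str
    detail: str


@dataclass
class Alert:
    host: str
    technique: str
    name: str
    evidence: str


def parse_log(lines):
    """Parse the constructed 'ts | host | kind | detail' lines into Events."""
    events = []
    for line in lines:
        ts, host, kind, detail = (f.strip() for f in line.split(" | ", 3))
        events.append(Event(datetime.fromisoformat(ts), host, kind, detail))
    return events


def extension(path):
    """Lower-cased extension of a Windows or POSIX path ('' if none)."""
    name = re.split(r"[\\/]", path)[-1]
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def detect_recovery_inhibition(events):
    """One T1490 alert per process event whose command line matches a pattern."""
    alerts = []
    for ev in events:
        if ev.kind == "process" and any(p.search(ev.detail) for p in RECOVERY_INHIBIT_PATTERNS):
            alerts.append(Alert(ev.host, "T1490", "Inhibit System Recovery", ev.detail))
    return alerts


def detect_mass_rename(events, threshold=5, window_seconds=60):
    """T1486 (Data Encrypted for Impact): `threshold` or more renames on one host
    that all switch files to the same new extension within `window_seconds`."""
    stamps = defaultdict(list)
    for ev in events:
        if ev.kind != "file_rename":
            continue
        src, _, dst = ev.detail.partition(" -> ")
        new_ext = extension(dst)
        if new_ext and new_ext != extension(src):
            stamps[(ev.host, new_ext)].append(ev.ts)
    alerts = []
    for (host, ext), times in stamps.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append(Alert(host, "T1486", "Data Encrypted for Impact",
                                    f"{threshold}+ renames to .{ext} within {window_seconds}s"))
                break
    return alerts


def run_detections(lines):
    """Run every detection over the log and return the combined alert list."""
    events = parse_log(lines)
    return detect_recovery_inhibition(events) + detect_mass_rename(events)


if __name__ == "__main__":
    for a in run_detections(SAMPLE_LOG):
        print(f"{a.host}: {a.technique} {a.name} - {a.evidence}")
```

Run as-is it flags HR-PC-07 twice for T1490 (the vssadmin and wmic deletions) and once for T1486 (five renames to .locked in four seconds), while FS-01's single rename and read-only "vssadmin list shadows" produce nothing. The value of the ATT&CK mapping is the gap it exposes: if your telemetry has no process command lines or no file-rename events, neither detection can fire, and that is the coverage gap to close first.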


And bonus tip #7:

Other tested processes – if you've found other tested processes that fit your ways of working and enable your organisation to respond effectively to events and incidents, then by all means keep using them!


And finally – one more tip, but because we say it so often I think it counts as our cybersecurity mantra – always use an expert.

The cyber universe is hard to keep up with, and organisations shouldn't be bogged down in the overwhelming task of tracking it. They should be focused on what they do best, whether that's running a profitable business, providing public-sector services, educating students, providing healthcare, and so on. Instead, find a partner to be the backbone of your security operations, so that you keep trading for the long term.

Engaging a partner is an investment, yes, but when compared to the crippling commercial impact of a cyber security breach, the investment can pay dividends in days.