
6 tips for staying ahead of RaaS: Extortion-as-a-Service


Last month, in their annual survey – The State of Ransomware 2022 – Sophos showed that 80% of Australian organisations were hit with ransomware in 2021. The advent of Ransomware-as-a-Service (RaaS) has changed the threat landscape again. Now, bad actors with limited knowledge of coding can access ransomware on a lease or subscription plan – enabling cyber criminals with the tools and intent to quickly shut down operations and extort money from high-value corporate targets.

Affiliate networks of no-coders

Criminal hackers have historically been coders – they had to be able to adjust, adapt, and tailor their approaches for the best results. But by building affiliate networks, ransomware developers now reach a broader pool of bounty hunters, and the breadth, depth, and volume of attacks are growing and affecting victims more than ever before.

How do Ransomware-as-a-Service, or RaaS, attacks work?

RaaS uses the same principles as any other ransomware attack. As I explained above, the difference is only that now, non-coders can be threat actors too, and the coder threat actors have levelled up their marketing and business strategies.

Unsurprisingly, phishing is often the first line of attack, as our front-line staff fall foul of convincing text messages or emails. And whilst we’re all getting wiser and smarter at spotting a scam, the approaches are increasingly believable. We’ve become used to spotting badly composed emails, or a dodgy-looking logo or email address – but these aren’t your Nana’s scams – it’s now harder than ever to identify one.

Links get clicked, instructions are followed, and abracadabra, access is granted as if a magic word had been uttered and ornate double doors had opened to reveal everything you thought was secure.

What happens next varies significantly. Most likely, critical infrastructure, sensitive documentation, and/or operational systems become inaccessible or compromised.

Eventually, once the panic has had time to set in, you’ll be offered an ‘out’ by means of a decryption code, to be sent to you once a sum of money is paid via an untraceable currency before a (fast-approaching) deadline.

How can you defend against RaaS attacks?

This really depends on your organisation’s maturity, size, and risk profile. There is more than one set of “3 Ps” in security, but if you can’t do anything else, Patching, Passwords and People is your way forward.

Patching – Keep systems and technologies up to date.

Passwords – Change default passwords and enforce complex passwords and Multi-Factor Authentication (MFA) tied into a Privileged Access Management methodology.

People – Train people to be your first line of defence rather than the weak link in the chain. If you make it easy for humans to do the right thing, they will almost always do it.

Once your 3 Ps are covered, you should then implement:

  • A good Asset and Vulnerability Management program – to understand what you have, and where you’re exposed.
  • A cyber security framework – for the basic standard in cyber security, choose the ACSC Essential Eight Maturity Model, or for more sophisticated set-ups, the NIST framework will be your go-to.
  • A quality detection methodology and tooling – such as MITRE ATT&CK.
  • Tested processes which enable your organisation to effectively respond to events and incidents.

And finally – always use an expert. The cyber universe is hard to keep up with, and organisations shouldn’t be bogged down in keeping track of it. They should be focused on what they do best, whether that’s ensuring their business is running profitably, providing services in the public sector, educating students, providing healthcare, etc. Instead, find a partner to be the backbone of your security operations to ensure that you keep trading for the long term.

Engaging a partner is an investment, yes, but when compared to the crippling commercial impact of a cyber security breach, the investment can pay dividends in days.

 
