RaaS packages are easy to find on the Dark Web, lowering the barrier to entry so that essentially any cybercriminal can launch successful ransomware attacks, Microsoft says.
Ransomware-as-a-Service has become a popular method of attack. By taking advantage of ready-made ransomware kits built for affiliates, criminals do not need advanced technical skills to launch an attack. In a report released Monday, Microsoft covers the latest wave of RaaS attacks and offers guidance on how to combat them.
In its August 2022 Cyber Signals report, titled Extortion Economics, Microsoft explains that RaaS kits are available for purchase on the Dark Web as easily as legitimate products are on e-commerce sites. With RaaS programs such as Conti and REvil, cybercriminals can buy kits that contain everything they need, including ransomware payloads, data leak infrastructure, customer support and payment infrastructure. The buyers, known as affiliates, can purchase a RaaS package for a set price, while the seller collects a share of the profits from each successful attack.
These ransomware campaigns begin with initial access, usually through a malware infection or by exploiting a security vulnerability. From there, the attackers may move to credential theft to escalate privileges and move laterally across the network. The end goal is data exfiltration, which lets the attackers hold sensitive information for ransom. Many RaaS-based attacks use a double-extortion method in which the stolen data is not only collected but leaked publicly unless the ransom is paid.
The shutdown of the Conti ransomware gang in May 2022 shook up the RaaS landscape. Some affiliates who had been using Conti packages moved to other RaaS systems such as LockBit and Hive. Others have resorted to deploying payloads from multiple RaaS systems.
Two groups in the ransomware business are DEV-0537 (aka LAPSUS$) and DEV-0390 (a former Conti affiliate). DEV-0390 starts an attack through malware but then uses legitimate tools to exfiltrate data and obtain the ransom payment. This group also gains access to accounts by stealing credentials and then sends the stolen data to a cloud sharing site.
How to protect your organization from ransomware-as-a-service attacks
To protect your organization from RaaS attacks, Microsoft offers several recommendations.
Prevent initial access
Prevent malicious code execution by managing macros and scripts.
Segment your network
To prevent lateral movement by attackers, segment your network based on account privileges.
Audit account credentials
Evaluating the exposure of account credentials can help stop ransomware and cyberattacks in general. Make sure that your IT staff and security operations center work together to reduce the level of administrative privileges and understand where those credentials are most exposed.
Reduce the attack surface
Establish rules to reduce the attack surface used in ransomware incidents. Having clearly defined rules can help stop attacks in their early stages.
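The two recommendations above (managing macros and scripts, and defining attack surface reduction rules) map directly onto Microsoft Defender's attack surface reduction (ASR) rules. The following PowerShell is an added example, not code from the Microsoft report or the article: it stages a small set of ASR rules in audit mode first, shows how to read back their state, and leaves the switch to block mode as the final step. It assumes an elevated session on a Windows host running Microsoft Defender Antivirus, and that the rule GUIDs are Microsoft's documented ASR rule IDs (confirm them against the current ASR rule reference before deploying).

```powershell
# Added example: stage Defender ASR rules that target macro, script and
# credential-theft techniques, audit first, then block.
# Assumption: the GUIDs below are Microsoft's documented ASR rule IDs.
$asrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
}

function Set-AsrRules {
    param(
        [Parameter(Mandatory)] [string[]] $Ids,
        [ValidateSet('AuditMode', 'Enabled', 'Warn')] [string] $Action = 'AuditMode'
    )
    # Add-MpPreference merges with rules already configured instead of overwriting them
    Add-MpPreference -AttackSurfaceReductionRules_Ids $Ids -AttackSurfaceReductionRules_Actions $Action
}

function Get-AsrRuleState {
    # Get-MpPreference exposes two parallel arrays: rule IDs and numeric actions
    # (0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn)
    $pref  = Get-MpPreference
    $names = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id   = $pref.AttackSurfaceReductionRules_Ids[$i].ToUpper()
        $name = if ($asrRules.ContainsKey($id)) { $asrRules[$id] } else { '(other rule)' }
        [pscustomobject]@{
            Id     = $id
            Action = $names[[int]$pref.AttackSurfaceReductionRules_Actions[$i]]
            Name   = $name
        }
    }
}

# Step 1: audit mode. Run it long enough to review the ASR audit events
# (event ID 1122 in Microsoft-Windows-Windows Defender/Operational) for legitimate
# workflows that would have been blocked, and add exclusions for those first.
Set-AsrRules -Ids @($asrRules.Keys) -Action AuditMode
Get-AsrRuleState | Format-Table -AutoSize

# Step 2: once the audit results are clean, switch the same rules to block mode.
# Set-AsrRules -Ids @($asrRules.Keys) -Action Enabled
```

Blocked events in enforce mode are logged under event ID 1121 in the same log, which gives the SOC a concrete signal to alert on.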
Implement multi-factor authentication
Make sure that MFA is enabled for all accounts, but prioritize those with administrator access. MFA is especially important with a remote or hybrid workforce, where it should be required on all devices, in all locations and at all times. Also be sure to enable passwordless authentication such as FIDO keys or authenticator apps for sites and services that support them.
Look for blind spots in your security
Verify that your security products are configured properly and tested regularly. Ensure that they are running with the right security settings and that no part of your network is unprotected.
Harden your internet-facing assets
Consider removing duplicate or unused applications to eliminate risky services. Apps like TeamViewer are prime targets for cybercriminals, so know how and where you allow such apps.
Harden your cloud assets
As attackers target cloud-based resources, you need to protect these as well as on-premises assets. Focus on hardening your security environment and treating cloud admin and tenant admin accounts with the same level of protection used for domain admins.
Keep your systems up to date
Maintain an inventory of your software and systems so you know where to prioritize support and security and can quickly identify the most vulnerable and critical assets.