After enjoying a 59% decline in ransomware in 2018, the UK saw ransomware volume jump 195% in the first half of last year.
Ordinarily, ransomware providers would themselves be trying to spear-phish an organisation. Typically, they would craft emails designed to entice an employee of that organisation to unwittingly click a link and launch a ransomware program.
With RaaS, they don’t have to do that part of the job.
Ransomware providers now have affiliate schemes. So anyone – let’s say a rogue employee or a competitor – can sign up on the dark web as an affiliate to a RaaS house. The vendor (the RaaS house) will issue them with a unique URL. The affiliate then chooses a target and launches an attack. If and when a ransom is paid, the affiliate is given a cut.
Let’s say you sign up for this. You could either send your link via a spear-phishing attack to another organisation or you could quite easily craft an email to yourself at work that looks like it came from outside (or however else you want to do it) and execute that link inside the organisation you work for.
Employees are more likely to know what will be perceived as a plausible email, making the ransomware provider’s job easier and increasing the likelihood of a successful transaction.
Once inside the organisation, the ransomware encrypts all the documents (as in a normal ransomware attack). The victim (the organisation’s system administrator) will get a pop-up saying “you’ve now got 48 hours to pay us this ransom (for example, £400k in bitcoin) if you want your documents decrypting.”
And if they pay the ransom, the ransomware provider kicks 40% of that back to the affiliate that brought them that traffic. They literally now can just sit back, fire out ransomware and rely on other people to find the victims!
Now that’s a scary thought because there are a lot of people who aren’t happy with their employers. There are also a lot of people who think they can get away with clicking a link like that at work – and they are probably right. In a lot of cases, employers don’t have the ability to track who clicked what and when.
If you’re reading this and thinking there’s easy money to be made here – stop!
Many employers DO have systems in place to know who clicked a link. They will then be looking at where the link came from – was it on an email or was it brought in on a USB stick?
Once they have all this information, they can notify the police of the possibility of an insider ransomware job. The police can then track that person’s finances – see if they go out next week and buy a nice flash car etc.
The danger RaaS poses varies from one organisation to another. If the organisation is known to have good insurance, there’s a chance the ransom can be high and still get paid. This includes public sector organisations. It’s a risk/reward decision for the RaaS affiliate.
Those seeking financial gain can make lots of money.
So far, the prevalence is largely undocumented as affiliate program data is restricted. Are targeted spear-phishing attacks pushing malware links into organisations due to a desire to cause disruption by competitors or from sabotage by disgruntled employees? We simply don’t know. Many of these attacks haven’t yet been reported (that I can see). But now that the framework for enabling them is in place (first with GandCrab, and now with Sodinokibi), it’s only a matter of time.
You need an air gap between your backup data and your protected systems, whether that be to tape or to a cloud host provider like ourselves. Essentially you should be backing everything up offsite.
Steps to PREVENT attacks are:
Steps to RECOVER from attacks (without too much disruption) are: