Ransomware as a Service (RaaS): Trends, Threats, and Mitigation Strategies You Need to Know in 2023

Ransomware is an ever-evolving threat worldwide, affecting not only individuals but organizations, startups, governments, agencies, and high-profile enterprises. It is estimated that over 493.33 million ransomware attacks were launched globally in 2022, accounting for almost 9% of all malware attacks (Petrosyan, 2023a; Petrosyan, 2023b). As new vulnerabilities are being identified, companies are exercising scrutiny and investing more in their cybersecurity solutions. 

In this blog, readers are introduced to the current state of the cybersecurity landscape and the impact of ransomware attacks on organizations. It discusses the latest ransomware trends, RaaS business models, and what threat actors are presently doing to evolve and grow sophisticated in their methodologies. Further, this blog covers the historical events associated with ransomware attacks, the top threats organizations face, and the steps that can be taken to combat and mitigate these threats.

Ransomware Attacks in the 21st century

The latest ransomware statistics show that attackers gain access to systems and plant ransomware through phishing, exploitation of software vulnerabilities, and stolen remote desktop protocols (RDP) credentials. The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA) observed that of ransomware events targeted 14 of the 16 critical infrastructure sectors in the United States. Some of these sectors were government facilities, food and agriculture businesses, and the U.S. Defense Industrial Base. Education was one of the top sectors targeted by ransomware threat actors, according to the United Kingdom’s National Cyber Security Centre (NCSC-UK), which classified ransomware as the most prominent cyber threat facing the country (CISA, 2022).

The increasing sophistication of ransomware tactics requires cybersecurity authorities to evolve their mitigation, threat identification, and detection strategies. The following is a list of critical incidents that occurred in the 21st century:

1. REvil Attacks on Apple and President Donald Trump

The REvil ransomware group committed several ransomware attacks globally and became notorious for offering customized RaaS subscriptions to cybercriminals. Formed in 2019, REvil became one of the longest-running ransomware groups in history, having operated for nearly three years. They published 169 of U.S. President Donald Trump’s “Dirty Laundry” emails after being branded as cyber terrorists publicly. They demanded 42 million USD in ransom from the involved law firm, Grubman Shire Meiselas & Sacks (Winder, 2020), and were said to be behind the leaking of legal documents of many A-list celebrities (Ilascu, 2020). The Qakbot banking trojan attacks and high-profile hits on Apple, including hacking into the company’s schematics before the Apple Macbook Pro’s official launch, were also among their misdeeds.

2. 2022 Costa Rican Ransomware Attack

Costa Rica declared a national emergency after ransomware attacks plagued the country in 2022. The Russian ransomware gang “Conti” pressured citizens to force the government to pay a ransom of 20 million USD to aid their cause (Associated Press, 2022). Conti warned that they planned to overthrow the government and demonstrate its strength through a series of cyber attacks. The U.S. Department of State offered a 10 million USD reward to individuals who could pinpoint information about any member with a leadership role in the Conti group that could potentially lead to their arrest (U.S. Department of State, 2022).

Conti’s next attack targeted the Costa Rican Social Security Fund, which is responsible for managing the country’s health services. Later, the Ministry of Finance is said to have suffered damages, and the government was forced to declare a national emergency (Sharma, 2022).

3. Financial Trading Group ION Gets Hijacked by Ransomware Attacks

ION was hit during the first week of February by a ransomware attack and was forced to clear its derivative platform overnight to protect its clients. Wall Street Journal reported that the attack had far-reaching effects on global financial markets and had impacted them massively. Investors couldn’t place bets on commodity prices, and the platform had problems with data submissions. The trading group disconnected its servers completely and restored its operations after the issue was resolved. Traders had to manually match prices during this downtime, and there were delays in financial reporting. This incident proved that even the best banks and financial institutions with cutting-edge technologies could be compromised, no matter how robust their cybersecurity policies or their level of cyber-readiness to face these threats (Toulas, 2023). 

4. DarkSide Ransomware 

DarkSide Ransomware is a unique ransomware strain that threat actors use to launch multiple large-scale attacks against global organizations. The first incident was seen in August 2020, and the DarkSide group evolved to operate as a RaaS provider. They have a deep history of conducting double extortion attacks, blackmailing victims into sending payments for unlocking systems, and also for retrieving exfiltrated information. 

Popular tactics used by the group to target victims include privilege escalations, impairing defenses and exploiting vulnerabilities like CVE-2020-3992 and CVE-2019-5544, exploiting public-facing applications, and customized file notes and random extensions.

Many organizations invested in their cybersecurity efforts to implement effective incident response planning and mitigate their threats (Patil, 2021). Their most notable attack was the 6-day outage in the Colonial Pipeline during early May, which even the U.S. Government noted. The group even became a potential threat to national security. 

Most Popular Ransomware Strains

The average cost of a ransomware invasion was 1.85 million USD in 2020, and attackers are getting bolder by using the latest ransomware strains to launch several threats (Sophos, 2022). Currently, the most prevalent ransomware strains in the world include the following:

• Bad Rabbit – Bad Rabbit is a famous ransomware strain that originated in 2017. It is most notable for hijacking victims’ systems and locking them out until users pay a ransom, usually in Bitcoin. Bad Rabbit ransomware infections can prevent access to files and servers, and it is usually disguised as an Adobe Flash installer. Victims are exposed to the virus directly via drive-by downloads and compromised websites, and the malware is embedded through JavaScript that’s directly injected into the site’s HTML coding (Proofpoint, 2023).
• Jigsaw – Several variants of Jigsaw—the first ransomware strain to delete files from compromised machines until a user pays up—have appeared since 2016. Jigsaw is notorious for encrypting files and continuing to delete additional ones if the user refuses to pay the ransom as time passes (KnowB4, 2023).
• Maze – Maze is a new and destructive Windows ransomware strain that has affected companies since May 2019. It encrypts sensitive information, spreads to more networks, and was originally developed as a variant of the ChaCha ransomware. Maze does not discriminate and targets victims across various industries, including healthcare companies and Xerox Corporation. The creators of Maze warn its targets that they will sell the stolen data online with commercial value on the dark web or use it to attack the target’s partners, clients, and known associates if the ransom is not paid within the deadline (Zinar, 2020).

Many other strains are impacting victims around the world, like Petya, Ryuk, Wannacry, GoldenEye, Cryptolocker, and NotPetya. Crypto ransomware strains encrypt files and make them inaccessible to victims unless they pay a ransom. More challenging strains are the locker strains, where victims can get locked out of the devices. In both cases, victims lose access to sensitive information and may fail to recover data on time without falling prey to cyber adversaries. It is essential to know how to protect organizations from ransomware attacks and take the steps necessary to prepare to face these threats. (Heinbach, 2020). Finally, evolving ransomware strategies include ransomware strains like HardBit, which includes explanations of how cyber liability insurance works and additional extortion. HardBit 2.0 includes text that that files were also exfiltrated with an explicit threat to release them for sale or onward publishing if contact is not forthcoming (Slaughter, 2023).

How to Protect Yourself from Ransomware Attacks

Ransomware is a significant issue faced in modern times, and it’s vital to minimize risks and not fall for these attacks. Some ransomware strains attack the people and not technologies, which means the use of social engineering methodologies is prevalent. Having good software as a service (SaaS) and on-premise backup programs is a start, and organizations must ensure that all their machines are kept up-to-date.

The following are some ways you can stay protected from ransomware attacks:

• Don’t disclose personal information online, and never click on unsafe links. If you receive a call or message from an unverified source, do not respond or attempt to engage with it. Do not open suspicious attachments in emails or spam messages. If the website does not have a security certificate or does not use  HTTPS instead of HTTP for the browser address and lacks the shield or lock icon, it is not safe to visit.
• When using public WiFi networks, always use a VPN. Public WiFi is not encrypted and should never be used for conducting sensitive transactions.
• Make sure you have a data backup and recovery plan in place so that you’re prepared for cases when a machine gets infected. If your system is compromised, you can take it down offline immediately and retrieve the sensitive information from those backups in other locations. Always keep your hardware architectures up-to-date and use the latest firmware. Cloud-based architectures are harder to exploit and have fewer security vulnerabilities than on-premise infrastructures, which makes them less susceptible targets for ransomware attacks.
• Make security awareness training mandatory for all employees during the onboarding process and implement a culture of cyber readiness (LLC, 2016).

Conclusion

Ransomware threats have surged dramatically, and with the increased proliferation of the Internet of Things, AI, RPA, VR/AR, and 5G technologies, we can expect numbers to continue increasing in the next few years. Ransomware techniques prey on the victim’s gullibility and hijack systems in ways they aren’t even aware of. Universities, hospitals, legal offices, and several firms are facing these risks, and significant fines can be imposed on organizations if they fail to address them. The most common cause of ransomware attacks is a lack of proper data compliance, governance, and cybersecurity policy measures. It’s critical to train employees to identify these threats and ensure they don’t click or respond to malicious emails or links. Security efforts should also focus on identifying impersonation attempts, and organizations are beginning to take a proactive approach to threat monitoring, analysis, and security.

References

• Associated Press. (2022, June 17). Costa Rica, ‘under assault’ is a troubling test case on ransomware attacks. NBC News. https://www.nbcnews.com/news/latino/costa-rica-assault-troubling-test-case-ransomware-attacks-rcna34083
• CISA. (2022, February 10). 2021 Trends Show Increased Globalized Threat of Ransomware.  https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-040a

• Heinbach, C. (2020, November 6). Common Types of Ransomware. Datto.  datto.com/blog/common-types-of-ransomware
• Ilascu, L., (2020, May 8). REvil ransomware threatens to leak A-list celebrities’ legal docs. Bleeping Computer. https://www.bleepingcomputer.com/news/security/revil-ransomware-threatens-to-leak-a-list-celebrities-legal-docs/
• KnowB4. (2023). Jigsaw Ransomware. https://www.knowbe4.com/jigsaw-ransomware
• LLC, S. M. (2016, October). The Growing Threat of Ransomware Attacks. Strategic Management Services. https://www.compliance.com/resources/growing-threat-ransomware-attacks/
• Patil, Y. (2021, June 9). DarkSide Ransomware. Qualys. https://blog.qualys.com/vulnerabilities-threat-research/2021/06/09/darkside-ransomware
• Petrosyan, A., (2023a, May 4). Annual number of ransomware attacks worldwide from 2017 to 2022. Statista. https://www.statista.com/statistics/494947/ransomware-attacks-per-year-worldwide/
• Petrosyan, A., (2023b, May 3). Annual number of malware attacks worldwide from 2015 to 2022. Statista. https://www.statista.com/statistics/873097/malware-attacks-per-year-worldwide/
• Proofpoint. (2023). What Is Bad Rabbit? https://www.proofpoint.com/us/threat-reference/bad-rabbit
• Toulas, B., (2023, February 2). Ransomware attack on ION Group impacts derivatives trading market. Bleeping Computer. https://www.bleepingcomputer.com/news/security/ransomware-attack-on-ion-group-impacts-derivatives-trading-market/
• Sharma, A., (2022, May 9). Costa Rica declares national emergency after Conti ransomware attacks. Bleeping Computer. https://www.bleepingcomputer.com/news/security/costa-rica-declares-national-emergency-after-conti-ransomware-attacks/
• Slaughter, A., (2023, March 16, Ransomware Roundup — HardBit 2.0. https://www.fortinet.com/blog/threat-research/fortiguard-labs-ransomware-roundup
• Sophos, (2022). The State of Ransomware 2022. https://assets.sophos.com/X24WTUEQ/at/4zpw59pnkpxxnhfhgj9bxgj9/sophos-state-of-ransomware-2022-wp.pdf
• U.S. Department of State. (2022, May 06). Reward Offers for Information to Bring Conti Ransomware Variant Co-Conspirators to Justice. https://www.state.gov/reward-offers-for-information-to-bring-conti-ransomware-variant-co-conspirators-to-justice/
• Winder, D., (2020, May 17). Hackers Publish First 169 Trump ‘Dirty Laundry’ Emails After Being Branded Cyber-Terrorists. Forbes. https://www.forbes.com/sites/daveywinder/2020/05/17/hackers-publish-first-169-trump-dirty-laundry-emails-after-being-branded-cyber-terrorists/?sh=1fbbcac5268c
• Zinar. Y., (2020, December 14). Maze Ransomware Analysis and Protection. Crowdstrike. https://www.crowdstrike.com/blog/maze-ransomware-analysis-and-protection/