Ransomware is evolving into an as-a-service model
Cybercrime is increasingly moving toward a ‘hack-as-a-service’ model, including user manuals for other hackers to get up and running quickly, according to British security firm Sophos in its new Threat Report 2022.
According to the Sophos researchers, attacks by individual ransomware groups gave way to more ransomware-as-a-service (RaaS) offerings in 2021, with specialised developers focusing on “renting out” malicious code and infrastructure to affiliated third parties.
Some of the most high-profile ransomware attacks in the past year made use of this RaaS model, including the attack on Colonial Pipeline in the U.S. by an affiliate of DarkSide. Separately, an affiliate of the Conti ransomware group leaked information from the implementation manual provided by the operators, revealing the tools and techniques attackers could use to deploy the ransomware.
Once they have the necessary malware, RaaS affiliates and other ransomware operators can turn to initial access brokers and malware delivery platforms to find and attack potential victims.
An all-consuming black hole
“While RaaS offerings are not new, their main contribution in previous years has been to put ransomware within reach of lower-skilled or less well-funded attackers,” says Chester Wisniewski of Sophos. “This has now changed, and in 2021, RaaS developers are investing their time and energy in creating sophisticated code and determining how to extract the largest payments from victims, insurance companies and negotiators. They are now outsourcing the work of finding victims, installing and running the malware, and laundering the stolen cryptocurrencies to other parties. This is disrupting the cyber threat landscape, and common threats such as loaders, droppers and initial access brokers, which were already there and which were causing disruption well before the rise of ransomware, are being sucked into the seemingly all-consuming ‘black hole’ that is ransomware.”
All of this fuels the second major trend anticipated by Sophos: established cyber threats (malware, spam, adware…) will continue to adapt so that they can distribute and deliver ransomware. The use of multiple forms of extortion by attackers to pressurise victims into paying a ransom is also expected to continue and to increase in scope and intensity. In 2021, Sophos catalogued ten different types of pressure tactics, from data theft and exposure to threatening phone calls, distributed denial-of-service (DDoS) attacks and more.
Cryptocurrencies will also continue to fuel cybercrime, such as ransomware and malicious cryptomining practices. Sophos expects this trend to continue until global cryptocurrencies are better regulated.