The shift to the subscription economy has created a new norm in the as-a-service world. And it’s not just Netflix and Spotify that have adopted this business model. New research from Tenable, the Cyber Exposure company, found that one of the main reasons ransomware has prospered is the advent of ransomware-as-a-service (RaaS), which has catapulted ransomware from a fledgling threat into a force to be reckoned with. The service model has significantly lowered the barrier to entry, allowing cybercriminals who lack the technical skills to commoditise ransomware.
In 2020 alone, ransomware groups reportedly earned $692 million from their collective attacks, a 380% increase over the previous six years combined ($144 million from 2013-2019). The success of RaaS has also attracted other players such as affiliates and initial access brokers (IABs), who play prominent roles within the ransomware ecosystem, oftentimes more so than ransomware groups themselves.
Affiliates, who earn between 70% and 90% of the ransom payment, are charged with doing the dirty work of gaining access to networks through tried-and-true methods such as spearphishing, deploying brute-force attacks on remote desktop protocol (RDP) systems, exploiting unpatched or zero-day vulnerabilities and purchasing stolen credentials from the dark web. Affiliates may also work with IABs, which are individuals or groups that have already gained access to networks and are selling that access to the highest bidder. Their fees range on average from $303 for control panel access to as much as $9,874 for RDP access.
The research found that ransomware’s current dominance is directly linked to the emergence of a technique known as double extortion. The tactic, pioneered by the Maze ransomware group, involves stealing sensitive data from victims and threatening to publish these files on leak websites, while also encrypting the data so that the victim cannot access it. Ransomware groups have recently added a variety of other extortion techniques to their repertoire, ranging from launching DDoS attacks to contacting customers of their victims, making it even more challenging for defenders. These tactics are part of the ransomware gangs’ arsenal for placing additional pressure on victim organisations.
“Ransomware continues to impact businesses around the world, both in terms of ransom paid and cost of remediation, and the Middle East is not exempt. With sophisticated RaaS techniques being used, including double extortion, it is imperative that enterprises prepare themselves in advance, gaining insights and understanding that help them mitigate and remediate these attacks,” explains Satnam Narang, senior staff research engineer at Tenable.
A recent global survey by Vanson Bourne found that the total cost of remediation following a ransomware attack has increased in the United Arab Emirates (UAE) and Saudi Arabia. In the UAE, the total cost increased from $0.52M in 2020 to $1.26M in 2021, and for Saudi Arabia it increased from $0.21M to $0.65M. Remediation costs typically include downtime, people’s hours, device and network costs, lost productivity and opportunities, and the ransom paid.
“Enterprises cannot throw people and money into the situation and expect it to be a permanent fix. They need to align with the right partners, select the right technologies and build the right internal skills. These are wise investments with longer-term returns,” Satnam concludes.