Ransomware is malware that modifies data on a victim's device and renders it inaccessible until a ransom is paid to reinstate access to the data. Hackers or attackers exploit a system's vulnerabilities to spread this type of malware.
The first instance of ransomware can be traced to 1989, when Joseph Popp distributed 20,000 floppy disks infected with the AIDS Trojan, also known as the PC Cyborg virus, to participants of a World Health Organization conference. Fortunately, the ransomware did not spread widely due to the lack of interconnectivity between systems and devices. Although rudimentary in nature, the AIDS Trojan laid the stepping stones for today’s more sophisticated variants.
By 2005, the first variants of modern ransomware surfaced, but it was not until 2012 that the number of attacks accelerated at an alarming rate. This spike was further fueled by the rise of cryptocurrency, and the anonymity and untraceability it offers. This, in turn, opened up a new stream of revenue for attackers who monetized their malware products by creating ransomware markets, which we now know as Ransomware as a Service (RaaS).
RaaS is analogous to other SaaS offerings in its business model, where the business operators with better access to resources offer their services to their affiliates. Cybercriminals create ransomware to be franchised or sold as attack kits to anyone wanting to infect their victims' devices. The kit contains instructions for the attackers on how to deploy ransomware, infect devices, and collect payment. This payment is then split between the ransomware authors and the attackers. Notable RaaS providers include Satan RaaS, REvil, Dharma, and Lockbit.
Although the operating methods of RaaS seem simple, there are more complex factors at play that influence and fuel its workings.
Ransomware has come a long way since 1989 when victims of the AIDS Trojan were asked to send $189 to a physical P.O. box in Panama. The difficulties and risks of collecting the ransom played a large part in the slow adoption of RaaS. This quickly changed with the emergence and widespread use of cryptocurrency, which leaves no paper trails and guarantees anonymity and instant payments. Since the driving force behind a majority of ransomware attacks is monetary gain, cryptocurrency has prompted the surge of RaaS markets.
The migration to remote work since 2020 opened up more vulnerabilities to ransomware attacks. Since employees working from home were no longer protected by the company's network firewall, and the traditional security measures were not as effective, ransomware threats increased. The growth and availability of cloud infrastructure also propelled scalable, geography-independent environments deployable from anywhere in the world.
According to a report by HHS, ransomware attacks were responsible for almost 50% of all healthcare data breaches in 2020. These numbers are expected to surge considering the rise of remote work and the spike of RaaS franchises.
The RaaS market is a Pandora's box containing a plethora of ransomware for cyberattackers to choose from. From simple drag-and-drop interfaces to a fully prefabricated kit that requires no coding knowledge, ransomware is available for as little as $40. Many kits feature a dashboard to keep track of attacks and the money extorted and provide a support link to help victims navigate ransom payment options. This makes ransomware attacks available to everyone irrespective of their technical abilities, which significantly broadens the pool of threat actors willing to engage in the lucrative RaaS business and lowers the bar for entry.
RaaS vendors have adopted an efficient business model that gives them easy access, more leverage, and a larger attack base. In place of a team of two or three people focused on spreading ransomware, there are now multiple independent attackers impacting IT environments worldwide. RaaS business models today often include monthly subscriptions, affiliate programs with profit sharing, and one-time purchase options. As a result, ransomware attacks and the demands placed on their victims have been surging at an unprecedented rate. In May 2021, a US insurance company paid a ransom of $40 million, the largest publicly reported payment made by any ransomware victim to date.
While this is bad news for businesses, defensive techniques are evolving as well. RaaS has made ransomware easily accessible even to people with no technical capabilities, but these attacks are not as complex as those carried out by expert criminals and are often easier to detect and remediate. Since the RaaS market has only a few major vendors, it's easy to trace the ransomware attack to the author, even if the code is customized.
Ransomware attacks are expensive, but prevention is not. Identifying vulnerabilities, backing up data, training employees to be alert to potential attacks, and encrypting critical data are some recommended precautionary measures. It's also high time organizations moved away from the traditional castle-and-moat protection, where resources can be accessed only by people within the network, and from layered security practices that put multiple levels of security in place. Both have proven less effective in the face of ransomware attacks than Zero Trust security practices, which eliminate any implicit trust and require authentication for each interaction.