The Madness of Ransomware ’as a Service’
October 2021 by Wissam Saadeddine, Senior Manager – MENA at Infoblox
Ransomware is bad, but it is also made very easy for the perpetrators
Ransomware has taken on absurd forms recently. At the beginning of this year, much of the east coast in the United States faced gas shortages because Colonial Pipeline was shut down. In July, hundreds of managed service providers had REvil ransomware dropped on their systems through Kaseya desktop management software. In Ireland, the HSE (the Health Service Executive, responsible for health care in the country) was in a digital hostage situation. And those are just a few of the most striking examples.
What’s so striking about these attacks is that they all seem to be the work of amateurs, and not of professional hacking groups.
The Colonial Pipeline hackers said of the chaos they caused at American gas pumps: "Our goal is to make money, not to create problems for society." The HSE hackers eventually gave their decryption code away for free, appearing to be a bit shocked by the impacts of their attack. And in July, the REvil group suddenly went offline, shortly before an unknown person handed the Kaseya victims the decryption key.
In fact, researchers at cybersecurity company Group-IB have reported that nearly two-thirds of all ransomware attacks in 2020 came from RaaS-based platforms which are tailor-made for amateurs to carry out devastating attacks.
Emergence of RaaS What is RaaS and what does that mean? Ransomware as a Service (RaaS) means that you can simply purchase a service online, on the Dark Web, and you can then take whoever you want hostage at will. So, if you want to get rich quickly, all you need is a connection to the dark web, a credit card or other way to pay, and reprehensible morals.
Unfortunately, the success of these types of constructions says more about the state of cybersecurity than about the criminals themselves. Unlike really advanced cyberthreats, these types of RaaS services are very easy to recognize. Their IP addresses are known. Any decent secure Domain Name System (DNS) should automatically block RaaS - but this is not happening. And that’s symptomatic of how far too many small and large companies still manage their security. Patches are not installed. Updates are not run. Passwords are not changed. Settings are not checked. And freely accessible information about all kinds of large and small threats is systematically ignored.
Importance of DNS DNS is an essential part of any network. The server translates domain names into IP addresses and in this way ensures that network traffic ends up in the right place.
Because it is such a critical part of network functionality, DNS traffic has traditionally been unencrypted, widely trusted by the systems that make networks work. Unfortunately, this also makes it an ideal method for hackers seeking to transfer data into a network (for example when uploading malware) or out of one (like when stealing sensitive data).
But at the same time, DNS’s central location at the foundation of the network also makes it possible to use as a powerful security tool. As one of the first services a device uses when it connects to the network, DNS can give network administrators visibility across the entire network, allowing them to identify and isolate compromised machines before they can cause significant damage. DNS can also be used to monitor traffic and can be leveraged to automatically block traffic to known malicious servers.
DNS security solutions can use Threat Intelligence - information about known threats, which is collected and shared by security providers - in this way to disrupt RaaS attacks before they cause damage. Servers that are known to be used by hackers are therefore automatically blocked by the DNS before the ransomware can be uploaded.
The biggest challenge to our resilience is not in ’state actors’ or digital criminal masterminds. They have better things to do than look for tiny rewards. The problem is that companies are so squeamish about their cybersecurity that any small-time criminal willing to put a little bit of time and effort into the Dark Web can effortlessly shut down the whole thing before anyone even realizes what’s happening.
It is the responsibility of the companies themselves to take at least the most basic measures. Of course, if a good hacker really wants it, he will get in everywhere. But the fact that we are currently seeing one nasty amateur after another cause enormous damage with means that have been known for a long time and can easily be parried, I think is even worse.