Ransomware as a service is now a burgeoning market for existing and aspiring cybercriminals, providing them with a set of components, complete with operational dashboards and a customized ransom-builder portal, in return for a share of the profits. The creativity and enterprising nature of ransomware as a service represent a palpable threat to organizations of all sizes, industries and geographies.
“Gone are the days when every attacker had to write their own ransomware code and run a unique set of activities,” notes TechTarget’s SearchSecurity.com. Ransomware as a service enables cybercriminals to become affiliates of a ransomware operator. Affiliates use a large platform that provides individual components or packaged services, such as custom-built ransomware code, specialized victim messaging, selective data extraction and operational infrastructure, to mount a ransomware attack.
Unfortunately, it has always been very easy for cybercriminals to get started in ransomware. Initially, cybercriminals could buy a custom ransomware package promoted on the dark web for small amounts — as low as $10 USD for fairly simple attacks or a few hundred dollars for more sophisticated tools.
Ransomware as a service, however, makes it far easier and less risky for thieves. The number of ransomware attacks has risen sharply due to the fast-evolving ecosystem of affiliates and operators of malevolent, easy-to-obfuscate ransomware code that can be used against any type of organization, be it a rural public school system or one of the world’s largest corporations. As a proof point, the FBI’s Internet Crime Complaint Center (IC3), which gives the public a trustworthy channel for reporting cyber incidents, received 2,084 ransomware complaints from January 1 to July 31, 2021, a 62% increase over the same period in 2020.1
Affiliates join a ransomware campaign and, in return for use of the operator’s shared infrastructure, split each ransom with the operator. Under the DarkSide affiliate program, for example, the affiliate kept between 75% and 90% of any ransom paid, with the remainder going to the operator.2 The model is astonishingly simple to deploy and extremely financially attractive to cybercriminals. To detect, prevent and remediate its impact, organizations need to act quickly.
Affiliates often pair the ransomware with distribution services, such as malspam and exploit kits, to spread it to new targets. These enablers are a powerful and efficient threat vector. To counter this arsenal of malicious tools, information security professionals (and their business colleagues) need to combine threat intelligence with well-integrated, large-scale, data-driven solutions.
Fighting Ransomware With Real-Time Visibility, Expertise and Automation
As one of the leading cybersecurity firms in the world, CrowdStrike is in a unique position to help organizations stop ransomware attacks — no matter how they’re delivered. CrowdStrike collects over a trillion pieces of telemetry every day from millions of endpoints around the world, providing unprecedented breadth and depth of visibility into threat activity. Combined with dark web adversarial telemetry and deep forensics from incident response and continuous threat hunting, CrowdStrike offers real-time visibility into ongoing and emerging ransomware campaigns.
The CrowdStrike Security Cloud maintains a wide spectrum of threat data, stored at scale and integrated into multiple offerings. This multidimensional approach also lets organizations get started easily, armed with current knowledge of ransomware threats and with early warnings about new campaigns that could strike at a moment’s notice.
CrowdStrike’s Falcon X™ threat intelligence service, integrated into the CrowdStrike Falcon® security platform, connects to CrowdStrike Threat Graph®. It offers a combination of fully automated and human-driven threat intelligence, tailored to an organization’s requirements, challenges and budget.
CrowdStrike Falcon X goes beyond indicator of compromise (IOC) feeds and brings endpoint protection to the next level by combining malware sandboxing, malware search and threat intelligence into an integrated solution. This automation performs comprehensive threat investigations in minutes instead of hours or days. The results are displayed alongside Falcon detections, adding context to enable better prioritization and faster incident response.
Ransomware as a service is easy to conceal and attracts many clever and diabolical threat actors because of its financial model and low risk. It has democratized ransomware, allowing small organized cybercrime rings, or even lone individuals, to wreak havoc with organizations’ data, identities and private information.
Teaming with an experienced, well-resourced partner like CrowdStrike for threat intelligence and other anti-ransomware technologies acts as a force multiplier against this new, fast-evolving criminal ecosystem.
1 “Alert (AA21-243A): Ransomware Awareness for Holidays and Weekends,” Cybersecurity and Infrastructure Security Agency, Aug. 31, 2021
2 “Darkside Ransomware Gang Launches Affiliate Program,” Bank Info Security, Nov. 12, 2020