Ransomware attacks are on the rise, doubling in the last year alone. But why has ransomware emerged as the weapon of choice for bad actors? The answer comes down to time and money.
Thanks to the proliferation of ransomware-as-a-service (RaaS), ransomware attacks are significantly cheaper to execute and require less skill than other kinds of breach. They are also highly profitable.
What is ransomware-as-a-service?
RaaS is a business model in which malicious ransomware developers sell their malware under license. As such, RaaS makes it easy for hackers to obtain the tools they need to carry out ransomware attacks, with little technical knowledge and fewer resources than other modes of cyberattack require. A would-be RaaS customer simply logs onto a portal, selects a ransomware kit, and pays in digital currency – transactions that are anonymous and almost impossible to trace.
RaaS sellers offer many of the services that software-as-a-service (SaaS) businesses do, including SLAs, customer service, fee sharing agreements for ransom payments, and affiliate programs. RaaS “businesses” also run marketing campaigns to promote their software and provide online resources to help bad actors succeed.
Once procured, RaaS is used to target organizations directly, but bad actors also go after companies and government agencies through their digital supply chains. In 2021, for example, the ransomware attack against Kaseya, a provider of remote IT management and monitoring solutions, affected the company, its customers, and the organizations that outsource IT management to those customers. The attackers demanded $70 million in payment.
RaaS is a big business. What can your organization do to avoid being a victim of ransomware-as-a-service? Let’s look at three best practices.
3 best practices to avoid becoming a victim of ransomware-as-a-service
1. Maintain a strong patching cadence
The best strategy for preventing RaaS attacks is to get back to basics: practice security hygiene and ensure strong, consistent security performance. That sounds obvious, but the guidance is grounded in data.
For instance, when Bitsight analyzed hundreds of ransomware events to estimate the relative probability that an organization will be a ransomware target, we found that organizations with a Bitsight Security Rating lower than 600 (falling on the low end of the scale) are almost eight times as likely to experience ransomware activity as those with a rating of 750 or above.
Then, when we studied the same organizations’ patching cadence, it emerged that delays in applying patches correlated with increased ransomware risk. In fact, organizations with a patching cadence grade of D or F were more than seven times more likely to experience a ransomware event than those with an A grade.