RaaS kits will be a problem in 2024

Neko Papez
|
January 11, 2024

In the first three quarters of 2023, the number of ransomware attacks increased by almost 70% compared to the first three quarters of 2022, according to a report from Apple. Ransomware attacks rose a lot in 2023, reaching over 500 million. However, there's no relief from this threat in sight. Digital transformation and hybrid work are increasing the risks for organizations, exposing them to various threats.

The situation is getting worse because of Ransomware-as-a-service (RaaS) kits. These kits provide attackers with ready-made tools like templates and scripts to create and carry out their malicious campaigns. As the RaaS market continues to mature in 2024, organizations are going to be inundated with an avalanche of attacks.

Here is a primer on RaaS kits, the major players, and how you can protect your organization from these devastating attacks.

What is Ransomware-as-a-service (RaaS)?

RaaS is a business model between ransomware operators and affiliates in which affiliates pay a fee to launch ransomware attacks developed by operators.

Costing anywhere from as little as $40 a month to several thousand dollars, these kits have effectively lowered the bar for launching ransomware attacks, allowing novice attackers with little or no coding experience to spin up attacks at scale. Given that the average ransom demand was $1.62 million in the first half of 2023, a 47% increase from the previous six months, the margins can be gigantic. The increase in ransom demands encourages affiliates to launch more attacks in the hope of successfully breaching systems and making huge profits.

How does RaaS work?

RaaS kits are a cooperation between operators and affiliates. Operators develop and update the tools and command and control (C&C) dashboards, set up victim payment portals, create leak sites and manage counterintelligence operations to evade cybersecurity solutions and hide from threat intelligence actors. They then market their products on the dark web to affiliates who launch and operate the attacks. The affiliates gain access to targets’ systems (either through phishing or an access broker), set ransom demands and conditions, execute the ransomware, negotiate with the victim and manage decryption keys. This relationship allows each entity to focus on what they do best and nothing else – effectively pooling their resources to deliver the best chances of a successful ransom payout.

What are some examples of a successful RaaS kit?

Hive is one of the most famous RaaS gangs. The group emerged in 2022 and has since grown to be the most prolific RaaS operator in the world, using a pass-the-hash technique to gain access to Microsoft Exchange Servers. The U.S. Department of Justice announced in January that it had disrupted Hive operations by seizing two back-end servers belonging to the group, but not before Hive was able to defraud more than 1,500 victims and receive tens of millions of dollars in payouts.

PINCHY SPIDER has vowed to be the first ransomware gang to earn $2 billion in ransom payments, and is known for receiving the largest known ransom payment in history – a cool $10 million for a single attack. The group sells variations of REvil, also known as Sodinokibi, to affiliates in exchange for a 40 percent stake in all payouts. This affiliate model has made REvil extremely popular, especially among Russian-speaking attackers.

LockBit has been available as a RaaS toolkit since 2019. It’s mainly advertised to Russian-speaking customers or English speakers with a Russian guarantor. Due to the large number of unconnected affiliates in the operation, LockBit ransomware attacks vary significantly, presenting a notable challenge for organizations hoping to protect themselves against the ransomware threat.

How do I prevent a RaaS attack?

The best way to prevent a RaaS attack is to prevent the ransomware from gaining initial access to an endpoint. This requires robust browser security capabilities that ensure visibility into and control over every browser session. This gives IT and security teams actionable threat intelligence inside the browser – enabling dynamic policy enforcement for zero-hour phishing, malware and ransomware attacks that target the browser.

Basic security hygiene can also help mitigate the risk of ransomware. This includes:

  • Regular vulnerability scanning helps limit the attack surface and address any potential threats on internet-facing devices.
  • Up-to-date patching ensures you are maintaining current versions of the latest software and operating systems, helping you address newly discovered vulnerabilities that RaaS kits are designed to exploit.
  • Regular data backups ensure you are able to recover quickly, with minimal disruption, in the event of a security breach.
  • Multi-factor authentication (MFA) provides an extra security layer that enhances the security barrier between potential attackers and your internal systems.
  • Continuous education helps users recognize suspicious web and email messages and report any phishing incidents.
  • Law enforcement reporting, regardless of the size or impact of the breach, helps authorities investigate breaches, disrupt RaaS gangs and bring criminals to justice.

Assess your ransomware readiness

Thanks to the relative ease of launching attacks through a RaaS kit, ransomware is going to continue to be a major concern among CISOs in 2024. Check to see if your existing cybersecurity tools protect you against today’s highly sophisticated and evasive RaaS kits with our free assessment tool. And learn more about how to implement a robust browser security strategy from Menlo Security.