Ransomware-as-a-service (RaaS) may not be a brand-new tactic on the cyber battlefield, but it’s quickly gaining popularity among threat actors. For at least the past five years, cybercriminals have not only realised the monetary effectiveness of ransomware, but have understood that by banding together, and utilising each other’s strengths, they could expand their ransomware attacks, split the profits, and utilise stolen data to launch future cyber attacks on larger organisations.
This RaaS business model now often involves “ransomware gangs,” defined as individuals offering resources such as encryption software, leak sites, and branding to independent affiliates who then carry out the ransomware attack. This model has not only allowed less technical cybercriminals to execute attacks but has been a major force behind the sheer increase of data breaches year over year.
Arctic Wolf Labs, our elite team of security researchers, data scientists, and security development engineers, have strong reason to believe that, as 2024 progresses, so will the frequency and sophistication of RaaS. But, before we look into the future, it’s important to highlight the data and incidents that led us here.
What RaaS Looked Like In 2023
First, let’s look at the recent ransomware attacks from this past year. According to Arctic Wolf’s 2023 Breaches in Review, five of our top nine (55%), involved ransomware. Out of those five, three involved international ransomware groups, falling under the RaaS model.
MCNA Dental, for example, had 700GB of data exfiltrated and published on the dark web after the organisation failed to pay ransomware group LockBit’s $10 million USD ransom. LockBit was not only the top ransomware group in 2022 — listed 822 times on ransomware leak sites according to Arctic Wolf research — but is in a strong position to reclaim the title in 2023. According to internal tracking, dark web postings by them have increased 17% compared to a year ago. The group is infamous for its self-propagating ransomware and short dwell times, which could explain its prolific record. In the first half of 2023, LockBit had already posted on ransomware sites 527 times.
But the MCNA Dental breach is not the only major breach that started with ransomware and ended with exfiltrated data and untold financial losses. Compared to the second half of 2022, Arctic Wolf® Incident Response saw a 46% increase in ransomware incidents during the first half of 2023. According to the 2024 Arctic Wolf Labs Threat Report, ransomware accounted for 48.6% of incidents across 2023, and median ransom shot up 20% to $600,ooo USD. This could be attributed to a number of factors, including a dip in ransomware frequency in 2022, but other trends continue to move up and to the right, including the size of organisations breached, the continued proliferation of RaaS , and the global reach and impact of these kinds of cyber attacks.
Why RaaS Will Grow
If these trends continue, the answer to the question, “Will RaaS grow in 2024?” will be a resounding, confident yes. And the reason for that confidence extends beyond just patterns from years past.
The key to the future of RaaS lies with Cl0P, the ransomware group responsible for the exploitation of a zero-day vulnerability within MOVEiT Transfer , a common file transfer service. With this single exploit, the group was able to affect thousands of organisations, from local government offices to even British Airways. No doubt that attack will inspire more just like it. In addition, this vast series of attacks not only interrupted organizations’ operations across the globe, but it also reminded both cybercriminals and cybersecurity professionals that, in addition to money, data exfiltration is coveted. Millions of individuals’ personally identifiable information (PII) has found its way to the dark web thanks to CIL0P, and not only can that data be sold between criminals, but it can also be used to launch further ransomware attacks on both individuals and organisations — it’s the gift that keeps on giving for these savvy threat actors.
Seven of the top nine breaches covered in our 2023 Breaches in Review included data exfiltration, showing how cybercriminals are not only using this data for leverage during an attack, but treating it with the same value as gold. Our internal research has also noted that, from a technical standpoint, publishing these vast volumes of data is not technically difficult. The same amateur who bought a ransomware code from a RaaS broker can easily publish and sell the data they steal using that code.
Explore Arctic Wolf’s 2024 predictions in-depth.
How To Prevent Ransomware Attacks and Data Exfiltration
Taking the necessary steps to prevent a ransomware attack is more cost and operationally effective than trying to clean up your network, pay for credit monitoring services for those impacted, and explain to customers and clients that their PII now lies in the hands of cybercriminals. As this tactic continues to grow, it’s much, much better to be safe than sorry.
Broadly speaking, the best way to prevent ransomware is to employ the same cybersecurity techniques you would for any other kind of threat. Ransomware is just the tactic — the holding of data or operations for ransom — so it’s best to protect against the initial access technique, be that a vulnerability exploit, social engineering, remote access code, or a cloud misconfiguration.
Taking a holistic operations approach is always the best path forward when it comes to your security journey, as each organisation has dynamic business and security needs.
Techniques to improve overall cybersecurity include:
- Security awareness training that can help employees defend against social engineering attacks
- Strong identity management and password hygiene to prevent credential theft or credential stuffing, as well as privileged access escalation during an incident
- Vulnerability management and remediation that is on-going with a focus on priority, potential impact, and severity
- 24×7 monitoring of endpoints, cloud, network, and identities to swiftly respond to, isolate, and stop an incident
- A long-term cybersecurity strategy that focuses on operations and continued improvement, not just new tools
While these techniques can prevent an incident from occurring or escalating into a full ransomware attack, they are not specifically focused on data exfiltration. For that particular concern, Arctic Wolf Labs recommends the following:
“Create a baseline of expected network flow and user behaviour to detect potential data exfiltration activity. In most cases, threat actors compile the stolen data and attempt to exfiltrate it out of the network as quickly as possible, which would deviate from normal user behaviour.”
Learn more about Arctic Wolf Lab’s 2024 predictions and recommendations.
Explore how a security operations approach can transform your cybersecurity posture and put your organisation in a better position to fight cyber threats such as ransomware.
