Tenable has found the self-sustaining ransomware industry earned $692 million from collective attacks in 2020, and attributes the shift to the subscription economy which has created a new norm in the “as-a-service world”.
Due to the advent of ransomware-as-a-service (RaaS), ransomware has prospered and Tenable has found that the service model has significantly reduced the barrier of entry, allowing cyber criminals who lack the technical skills to commoditise ransomware.
According to Robert Huber, Tenable's chief security officer and head of research, it has indeed become an easy way to operate ransomware.
"It's run just like a business.
"And just like a business, certain functions can be contracted out.
"You don't have to be an expert or subject matter expert to actually go out and build a ransomware kit, those components are already available for you," Huber said.
In 2020 alone, ransomware groups reportedly earned $692 million from their collective attacks, according to Tenable data, a 380 per cent increase over the previous six years combined ($144 million from 2013-19).
The success of RaaS has also attracted other players such as affiliates and initial access brokers (IABs) who play prominent roles within the ransomware ecosystem, oftentimes more than ransomware groups themselves.
"In the ransomware world, they have affiliates, they have initial initial access brokers, and then they have the ransomware gangs or the ransomware operators, you can do all three of those functions," Huber explained.
"You can essentially work with one or the other providers to provide that capability for you; instead of having the person actually gaining access to an organisation, it can be farmed that out to an affiliate, or an initial access broker.
"Quite honestly, that's a lot of the heavy lifting, that's where some of the technical challenges may occur, or that's where the targeting challenges may occur is getting that initial foothold in the door and a lot of that's been taken off the table," Huber added.
Affiliates who earn between 70 per cent-90 per cent of the ransom payment, are charged with the task of doing the dirty work to gain access to networks through tried-and-true methods such as spear-phishing, deploying brute force attacks on remote desktop protocol (RDP) systems, exploiting unpatched or zero-day vulnerabilities and purchasing stolen credentials from the dark web.
Affiliates may also work with IABs, which are individuals or groups that have already gained access to networks and are selling access to the highest bidder. According to the Tenable research, their fees range on average from $303 for control panel access to as much as $9,874 for RDP access.
"The initial extortion tactic was the ... 'we're just going to encrypt your systems'," Huber continued.
"For you to gain access back, you have to pay and we'll unencrypted them, which takes some time to unencrypted system – it's not like, you pay a fee and all sudden you have access to your data right away.
"They're criminals and may not do that anyway, so you could make a payment, they may not do it," Huber said.
Ransomware’s current dominance is directly linked to the emergence of a technique known as double extortion according to the Tenable data. The tactic, pioneered by the Maze ransomware group, involves stealing sensitive data from victims and threatening to publish these files on leak websites, while also encrypting the data so that the victim cannot access it.
According to Satnam Narang, senior staff research engineer at Tenable, with RaaS and double extortion, Pandora's box has been opened.
"Attackers are finding holes in our current defences and profiting from them."
"The Australian Cybersecurity Centre recorded a 15 per cent increase in ransomware cyber crime in 2021.
"So long as the ransomware ecosystem continues to thrive, so too will the attacks against organisations and governments."
Ransomware groups have recently added a variety of other extortion techniques to their repertoire, including launching DDoS attacks to contacting customers of their victims, making it even more challenging for defenders. These tactics are part of the ransomware gangs' arsenal for placing additional pressure on victim organisations.
"It's imperative that these entities prepare themselves in advance so they are in the best position possible to defend against and respond to ransomware attacks.
"While ransomware groups get the most notoriety and attention for attacks, these groups come and go.
"In spite of the turnover, affiliates and IABs remain prominent fixtures in this space and more attention should be given to these two groups in the ecosystem at large," Narang concluded.