By Keith Glancey, Head of Solutions Architect at Infoblox
Over the years, ransomware has become an increasingly popular attack method for hackers looking to make a large return on investment. The COVID-19 pandemic only accelerated this problem further, opening up new opportunities for cybercriminals to cause disruption and find vulnerabilities.
As businesses continue to struggle with securing the new remote and hybrid working landscape, cybercriminals will continue to use it to their advantage. In fact, today it is estimated that there is at least one ransomware attack on a business every 11 seconds. These attacks are not just frequent. They are also damaging, with recent research discovering that the average ransomware recovery costs for businesses have more than doubled in the past year, rising from $761,106 in 2020 to $1.85 million in 2021. And that’s without the long-term reputational damage.
Whilst tried and tested ransomware distribution tactics – such as malicious websites, email campaigns and even USB memory sticks – are still very much in use, over the last year or so other, newer methods have also increased in popularity. One such method – which is quickly becoming the number one headache for security teams and business leaders – is Ransomware-as-a-Service (RaaS).
A new era in ransomware
RaaS is changing the game. A subscription-based model that enables users to use pre-developed ransomware tools to execute attacks, RaaS gives everyone the power to become a hacker. There’s no technical knowledge required; all individuals need to do is sign up for the service.
RaaS platforms are closely modelled after legitimate SaaS products. They include support, community forums, documentation, updates, and more. Some even offer supporting marketing literature and user testimonials. Users can choose to sign up for a one-time fee or for a monthly subscription. There are also special features which you can pay for, such as a status update of active ransom infections, the number of files encrypted, and payment information.
Although deploying this new type of ransomware requires no specific skills, it still enables threat actors to develop highly targeted attacks on large organisations, where they can ask for large ransoms. In these highly targeted cases, threat actors use carefully researched social-engineering tactics, such as well-crafted emails to entice targets to click dangerous URLs or open malicious attachments. In other cases, threat actors may target a vulnerability that is particular to or commonly used by their target victim group.
It’s no surprise that RaaS is becoming so popular. In fact, research discovered that almost two-thirds of ransomware attacks in 2020 used RaaS tools. It has also been behind some of the most notorious attacks this year, including those on the Colonial Pipeline and JBS. The size and sophistication of these attacks should concern all cybersecurity professionals, and their successes highlight how the RaaS market is only likely to grow moving forward.
Future-proofing with DNS
When it comes to ransomware, failing to prepare really is preparing to fail. More often than not, attacks are successful when victims do not have an effective strategy in place. Therefore, businesses need to expect attempted ransomware attacks and prepare accordingly.
Getting detection and prevention right can help businesses to gain the upper hand. This is where Domain Name System (DNS) tracking comes in. DNS is a core network service, which means that it touches every device that connects to a company’s network and the wider internet. What’s more, some 90% of malware, including ransomware, touches DNS when entering and exiting the network, making it a powerful tool in the cyberdefense toolkit. When applied to security, DNS can help protect against ransomware attacks by detecting and blocking communication with known C&C servers that distribute malware, helping to stop an attack before it even starts.
To take DNS-based security to the next level, businesses can merge DNS with DHCP (Dynamic Host Configuration Protocol) and IPAM (IP Address Management). This combination of modern technologies – known as DDI – can pinpoint threats at the earliest stages and, paired with DNS security, can identify compromised machines and correlate disparate events related to the same device.
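The correlation described above, sketched as an added example (not code from the article or from Infoblox): DNS queries are checked against a C&C blocklist and each hit is attributed to a device through the DHCP lease active at query time, so events follow the machine rather than the IP address. The log layouts, domains, addresses and host names are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data (not real indicators): a C&C blocklist, DHCP leases, DNS queries.
BLOCKLIST = {"c2.example.net", "pay.example.org"}
LEASES = [  # (lease start, lease end, ip, mac, hostname)
    ("2021-09-01T08:00", "2021-09-01T12:00", "10.0.0.23", "aa:bb:cc:00:00:01", "laptop-finance"),
    ("2021-09-01T12:30", "2021-09-01T18:00", "10.0.0.23", "aa:bb:cc:00:00:02", "kiosk-lobby"),
    ("2021-09-01T13:00", "2021-09-01T18:00", "10.0.0.57", "aa:bb:cc:00:00:01", "laptop-finance"),
]
DNS_LOG = [  # (timestamp, client ip, queried name)
    ("2021-09-01T09:15", "10.0.0.23", "www.example.com."),
    ("2021-09-01T09:16", "10.0.0.23", "beacon.C2.example.net."),
    ("2021-09-01T14:02", "10.0.0.23", "intranet.example.com."),
    ("2021-09-01T14:05", "10.0.0.57", "pay.example.org"),
    ("2021-09-01T14:06", "10.0.0.99", "c2.example.net"),
    ("2021-09-01T14:07", "10.0.0.57", "notc2.example.net"),
]

def is_blocked(qname, blocklist):
    """True if qname or any parent domain is listed (match on label boundaries)."""
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

def lease_owner(leases, ip, ts):
    """Return (mac, hostname) of the device holding ip at time ts, or None."""
    for start, end, lease_ip, mac, host in leases:
        if lease_ip == ip and datetime.fromisoformat(start) <= ts < datetime.fromisoformat(end):
            return mac, host
    return None

def correlate(dns_log, leases, blocklist):
    """Group blocked lookups by device (MAC) instead of by IP address."""
    hits = defaultdict(list)
    for stamp, ip, qname in dns_log:
        if is_blocked(qname, blocklist):
            owner = lease_owner(leases, ip, datetime.fromisoformat(stamp))
            hits[owner].append((stamp, ip, qname.rstrip(".").lower()))
    return dict(hits)

if __name__ == "__main__":
    for owner, events in correlate(DNS_LOG, LEASES, BLOCKLIST).items():
        print(owner or "no lease on record", events)
```

In the sample data the same laptop produces hits from two different IP addresses, while the kiosk that later inherits the first address stays clean; a hit with no matching lease is grouped under `None` for follow-up.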
With RaaS becoming so established, organisations battling against ransomware need to level up. As with most complex issues, there’s no silver bullet for cybersecurity. However, by focusing on detection and prevention and using core infrastructure like DDI, security teams can get the upper hand.