As Ransomware-as-a-Service (RaaS) has simultaneously grown more powerful and easier to use, just about anyone can launch successful, damaging ransomware attacks on organizations. Small and medium businesses are particularly vulnerable to the widening variety of tactics – from the “spray and pray” favored by Avaddon to the mass-market-based business model used by Dharma RaaS.
“The skills that it takes to launch a ransomware attack have lessened” now that “exploit kits are easily purchased off of the web like other commercial off-the-shelf software,” said Terence Jackson, CISO at Thycotic.
Inexperienced attackers with little or no knowledge of coding or even hacking need only sign up with a RaaS provider for a “service” that includes just about everything a would-be hacker needs to launch a financially-motivated attack, as a pair of recent reports from DomainTools and Sophos underscore.
And, increasingly, the information is not only encrypted, but stolen and published online as even low-level attackers use double-extortion schemes, much like the higher-end Maze gang did with sensitive data from the internal networks of LG and Xerox. For example, hackers using Avaddon, the RaaS discovered by DomainTools last Saturday, took to the dark web to expose the phone numbers, email addresses and physical addresses of the employees and business partners of Los Angeles-based EFCO Forms.
Based on the ransomware notes that have been made public, the ransom payments for Avaddon start at $350, though they can go much higher, said Tarik Saleh, senior security engineer and malware researcher at DomainTools. The company first observed Avaddon in the wild in July, but the operators’ extortion site and the EFCO information were discovered last weekend.
“We can look to Avaddon as another example of ransomware authors that have adopted newer and more effective means of financially capitalizing on victims,” said Saleh, explaining that Avaddon’s authors were inspired by Maze’s massive financial success, “specifically with the double-extortion theme.”
In contrast to Avaddon, Dharma RaaS ransom demands tally a bit higher, averaging $8,620, according to Coveware, but still lower than the $84,000 average ransomware demand reported by Emsisoft. Sophos first learned of the Dharma RaaS – a variant of Dharma, one of the most profitable ransomware families, in play since 2016 – through its customers.
The vast majority of the targets of the Dharma RaaS attacks are SMBs, and according to Coveware, 85 percent of the attacks seen in 2020 target exposed access tools such as Remote Desktop Protocol (RDP) servers, Sophos said in a report.
“By [using Dharma RaaS to gain] privileged access to RDP servers, the attackers can turn off antivirus, Windows Defender and neutralize many of the new security controls put into Windows 10,” said John Shier, senior security advisor at Sophos. “The attackers [then] can scrape for passwords, do network scans and move laterally throughout the network” to position them to exfiltrate data files in bulk.
But Saleh pointed out that RDP exploitation requires the ability to detect and deliver an exploit or password spraying to a vulnerable RDP host, so the technical barrier of doing that versus sending out an email with an attachment is much higher.
“Ultimately, the [RDP attacks] can lead to the same success path for the attacker, which is getting the ability to execute code on a machine,” Saleh explained. “RDP operates as one of the many vectors, but it’s less popular with Avaddon attackers due to the more technical requirements of conducting the attack.”
To counteract RaaS attacks, Saleh said companies need to make sure all their appliances are inspected and all email attachments and links are analyzed. He also recommended deploying an EDR and upgrading to Windows 10 and the cloud version of Windows Defender, so files get inspected for malware in the cloud. Security teams should also use a SIEM that’s integrated with an analytics tool such as Splunk so they can derive attack patterns from the log data.
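Saleh’s two points above, that RDP compromise typically begins with password spraying against an exposed host and that a SIEM should be used to derive attack patterns from log data, can be made concrete with a small detector. The following Python is an added example, not code from the article or from DomainTools, Sophos or Coveware. It assumes a SIEM has already normalized Windows Security log events into one JSON object per line with the field names used below (the field names are an assumption; event IDs 4625/4624 and logon type 10 for RDP are the real Windows values), and it runs over a constructed sample log.

```python
"""Flag RDP password spraying and brute force in normalized Windows logon events.

Added example, not code from the article or the vendors it quotes. Assumes a
SIEM has normalized Security log events into one JSON object per line with the
fields ts, event_id, logon_type, user, src_ip and host (field names assumed).
Event ID 4625 is a failed logon, 4624 a successful one, and logon type 10
(RemoteInteractive) is an RDP logon; those are the real Windows values.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log. 203.0.113.7 tries one guess against each of six
# accounts and then gets in; 198.51.100.9 hammers a single account;
# 10.0.0.5 is a user mistyping a password once; the WS07 line is a local
# (non-RDP) failure that the detector must ignore.
SAMPLE_LOG = """\
{"ts": "2020-08-10T02:00:01Z", "event_id": 4625, "logon_type": 10, "user": "alice", "src_ip": "203.0.113.7", "host": "RDP01"}
{"ts": "2020-08-10T02:00:09Z", "event_id": 4625, "logon_type": 10, "user": "bob", "src_ip": "203.0.113.7", "host": "RDP01"}
{"ts": "2020-08-10T02:00:17Z", "event_id": 4625, "logon_type": 10, "user": "carol", "src_ip": "203.0.113.7", "host": "RDP01"}
{"ts": "2020-08-10T02:00:25Z", "event_id": 4625, "logon_type": 10, "user": "dave", "src_ip": "203.0.113.7", "host": "RDP01"}
{"ts": "2020-08-10T02:00:33Z", "event_id": 4625, "logon_type": 10, "user": "erin", "src_ip": "203.0.113.7", "host": "RDP01"}
{"ts": "2020-08-10T02:00:41Z", "event_id": 4625, "logon_type": 10, "user": "frank", "src_ip": "203.0.113.7", "host": "RDP01"}
{"ts": "2020-08-10T02:00:49Z", "event_id": 4624, "logon_type": 10, "user": "frank", "src_ip": "203.0.113.7", "host": "RDP01"}
{"ts": "2020-08-10T02:10:00Z", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "198.51.100.9", "host": "RDP01"}
{"ts": "2020-08-10T02:10:10Z", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "198.51.100.9", "host": "RDP01"}
{"ts": "2020-08-10T02:10:20Z", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "198.51.100.9", "host": "RDP01"}
{"ts": "2020-08-10T02:10:30Z", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "198.51.100.9", "host": "RDP01"}
{"ts": "2020-08-10T02:10:40Z", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "198.51.100.9", "host": "RDP01"}
{"ts": "2020-08-10T02:10:50Z", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "198.51.100.9", "host": "RDP01"}
{"ts": "2020-08-10T08:15:00Z", "event_id": 4625, "logon_type": 10, "user": "alice", "src_ip": "10.0.0.5", "host": "RDP01"}
{"ts": "2020-08-10T08:15:20Z", "event_id": 4624, "logon_type": 10, "user": "alice", "src_ip": "10.0.0.5", "host": "RDP01"}
{"ts": "2020-08-10T08:16:00Z", "event_id": 4625, "logon_type": 2, "user": "grace", "src_ip": "-", "host": "WS07"}
"""


def parse_events(text):
    """Parse one JSON object per line; the ts field becomes a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def detect_rdp_guessing(events, window=timedelta(minutes=10), spray_users=5,
                        spray_max_per_user=2, brute_tries=6):
    """Return {src_ip: finding} for sources whose failed RDP logons within any
    `window` look like a spray (many accounts, few tries each) or a brute force
    (one account, many tries). Each finding also records whether the same
    source later obtained a successful RDP logon, which is the indicator that
    should page someone."""
    failed = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625 and e["logon_type"] == 10:
            failed[e["src_ip"]].append(e)

    findings = {}
    for ip, evs in failed.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            per_user = Counter(e["user"] for e in in_window)
            if len(per_user) >= spray_users and max(per_user.values()) <= spray_max_per_user:
                findings[ip] = {"type": "password_spray", "users": sorted(per_user),
                                "first_seen": first["ts"]}
                break
            if max(per_user.values()) >= brute_tries:
                findings[ip] = {"type": "brute_force",
                                "users": [per_user.most_common(1)[0][0]],
                                "first_seen": first["ts"]}
                break

    # A successful RDP logon from a flagged source after its first failure is
    # the high-priority alert: the guessing worked.
    for ip, f in findings.items():
        f["followed_by_success"] = any(
            e["event_id"] == 4624 and e["logon_type"] == 10
            and e["src_ip"] == ip and e["ts"] > f["first_seen"]
            for e in events)
    return findings


if __name__ == "__main__":
    for ip, f in detect_rdp_guessing(parse_events(SAMPLE_LOG)).items():
        print(ip, f["type"], ",".join(f["users"]),
              "success_after:", f["followed_by_success"])
```

The two rules are deliberately separate because they look different in the logs: a spray produces one or two failures per account across many accounts, which per-account lockout thresholds never trip, while a brute force concentrates on one account. The window and count thresholds are tuning knobs; the `followed_by_success` flag is what turns a noisy "failed logons" signal into an actionable one.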
Sophos advises security teams to protect their organizations against RaaS attacks by following a number of steps:
- Lock down RDPs. Shut down internet-facing RDPs to deny attackers access to networks. If the company needs access to an RDP server, put it behind a VPN.
- Take an inventory – and patch. Check that the company has a full inventory of all devices connected to its network, and always install the latest security updates, as soon as they are released, on all the devices and servers on the network.
- Backups still make sense. Keep regular backups of the company’s most important and current data on an offline storage device.
- Learn the warning signs of a ransomware attack. Be aware of the five early indicators that an attacker is present in the network, so ransomware attacks can be stopped early.