Mark Brown, Global Managing Director, Digital Trust, Consulting Services at BSI discusses the increase in the prevalence and impact of ransomware in recent years, the rise of Ransomware-as-a-service (RaaS) and steps organizations can take to mitigate the risk of attack.
In 2022, ransomware may undergo an Industrial Revolution of its own…
The appearance of Software-as-a-Service (SaaS) organizations at the turn of the century has led, just over twenty years later, to an IT market where start-ups operating under this model are seemingly ubiquitous. By the end of this year, the global SaaS market is expected to be worth almost US $172 billion, an endorsement of the model’s success.[i] It is only natural that hackers would seek to replicate this success.
The rise of Ransomware-as-a-service (RaaS)
Since the mid-2010s, the cybersecurity experts at BSI, and many others around the world, have noticed a gradual but continuous rise in the prevalence and impact of ransomware on both organizations and consumers. Given this rise, which currently shows no signs of stopping, it is highly likely that businesses will need to escalate their preparations against ransomware even further in 2022.
With ransomware becoming an almost daily headline occurrence over the past two years, I believe that 2022 may be the year where we finally see a transition from ideas of cybersecurity to ones of cyber-resilience as the key technology risk objective. Organizations should recognize that they are incapable of preventing cyberattacks completely, considering the broad range of players which now aim to take advantage of system vulnerabilities, ranging from isolated individuals to hackers in the service of nation-states. Instead, the aim should be to minimize the damage caused by cyberattacks. As we often say, it isn’t a matter of if, but when a cyberattack will take place. Indeed, it may have already occurred and your organization may not be aware…
Ransomware-as-a-service (RaaS) sees knowledgeable software developers build ransomware tools and lease them out, often via the dark web, to those who wish to use them in the same way that B2B and B2C SaaS developers build more legitimate software tools for businesses and consumers. It’s an attractive product for the same reason SaaS is; often, very little in-depth technical knowledge is required to use the ransomware tools and once purchased, they are often highly effective. The business models can vary, but by 2031 ransomware is predicted to cost the world US $265 billion annually, according to one report.[ii]
The maturing RaaS industry
Given that currently, consumers and devices are expected to come under attack from ransomware every eleven seconds[iii], it is my belief that crowd-sourcing and ransomware as a service will soon no longer be seen as an anomalous activity. As a practice, it is likely to become mainstream as cybercriminals reveal themselves to be truly ‘organized’ criminals.
In this way, we may see Ransomware-as-a-service (RaaS) become “industrialised” in much the same manner as has occurred in traditional software development over the past twenty years, leading to a further increase in attack frequency.
Furthermore, compartmentalised criminal groups operating in segmented attack chains could conduct attacks on unwitting and/or ill-prepared enterprises, often weaponizing tools used by in-house security teams to bypass cyber-defence strategies. The increasingly organized criminal structures of ransomware collectives, as they seek dominance in an ever-more lucrative market, will operate in two ways as rival criminal gangs choose to collaborate in order to increase criminal returns or undermine each other’s activities. We should expect the business models of these groups, for that is essentially what they are, to evolve.
What is certain is that there is no end in sight to ransomware attacks. The need for organizations to continue to increase their ability to withstand such attacks and all forms of cyberattacks is a core business risk management activity. Businesses should transition from aiming for true cybersecurity to cyber-resilience and hope to achieve ‘digital trust’ on the part of their users and customers. As organizations reckon with the increasingly interconnected nature of the global supply chain, growing in awareness of the upstream, midstream and downstream risks, they will see the need to show that they can act as a trusted operator. As the decade progresses and ransomware attacks become more regular and more targeted, organizations will need to exert considerable effort in order to become truly cyber-resilient.
Email has historically been the undisputed champion of ransomware attacks. Today, it is still the number one delivery method for an attack. But, as businesses shift to the cloud environment, so do emails, and so do attackers.