Ransomware as a Service (RaaS)

Ransomware as a Service (RaaS) continues to threaten enterprises of all sizes. RaaS is provided by organized crime for other criminals to use. The primary software creator is responsible for fixing bugs, evolving the functionality of the software, and even providing advanced customer support. The attackers who use the RaaS software are responsible for developing the email campaign, identifying the target email addresses, and more. The RaaS business is estimated worldwide to be well into the billions of dollars, both for ransom paid and for remediation costs for those organizations that did not pay the ransom. In some cases, organizations paid the ransom and still never received the key to decrypt their data.

In 2019, attacks spiked in certain industries, with over 70 state and local governments being targeted by ransomware. Ransomware continues to hit hospitals, businesses, and major universities. One major RaaS variant, Ryuk, has successfully attacked over 500 schools. Particularly insidious, the Ryuk ransomware strain waits until it spreads across a computer’s network before launching the complete attack. Earlier attacks like WannaCry and NotPetya have also caused extreme and widespread damage.

These attacks can cost millions to successfully remediate. The city of Atlanta alone spent over $2.5 million to restore its system after a major ransomware attack.

As we have seen recently, the number of total ransomware attacks has decreased somewhat, but the impact of targeted RaaS attacks has raised the risk profile for business and raised the bar in terms of total ransom per attack. Many targeted accounts are now being hit with six- or seven-figure ransom demands.

In fact, recent ransomware attacks are truly an existential threat. In Arkansas, one telemarketing firm, The Heritage Company, was compelled to send over 300 employees home. Its IT team was unable to recover and restore its data in the wake of a ransomware incident that happened late in 2019. This unfortunate decision was made just a few days before the Christmas vacation and communicated in a letter sent by the company CEO.

“Unfortunately, approximately two months ago our Heritage servers were attacked by malicious software that basically ‘held us hostage for ransom’ and we were forced to pay the crooks to get the ‘key’ just to get our systems back up and running,” wrote Sandra Franecke, the company’s CEO.

According to the media, Franecke said that its servers were attacked by hackers and the ransomware they deployed. The firm then paid them to get the decryption “key” to its systems. The Heritage Company operates branches in Sherwood, Jonesboro, and Searcy.

According to CEO Franecke, the company has lost hundreds of thousands of dollars due to this ransomware attack.

A year ago, consumers were the most heavily targeted by ransomware. Now the attacks are skewed toward businesses, with over 50 percent of all attacks directed towards U.S.-based companies.

Ransomware typically gets into a system and the local networks via phishing. Phishing is, of course, spam email which includes a malicious attachment or directs you to a malware-laden website. Once the malware is in place on the target’s computer, through social interaction the attackers gain access to administrative features. Some ransomware, such as NotPetya, targets vulnerabilities to continue the attack on the computer. Once the files are encrypted, it is difficult to impossible to recover the data without paying the ransom and getting the decryption key from the attacker.

Deception technology is a new way to identify a ransomware attack and enables you to stop it before the kill chain can be completely executed. So long as you can stop the attack before your files are encrypted, you have prevailed. Ransomware is the disease and Acalvio has the cure!

Acalvio ShadowPlex-R is a comprehensive distributed deception solution for the early, accurate, and cost-effective detection and mitigation of ransomware. ShadowPlex-R is based on Acalvio’s patented Deception 2.0 technology, which delivers automated and authentic enterprise-scale deception with low IT impact.

ShadowPlex-R integrates with Splunk® Enterprise Security (Splunk ES) to deliver comprehensive threat intelligence and ensure timely and efficient remediation for customers. Acalvio is a member of the Splunk Adaptive Response Initiative, which brings together leading vendors to leverage end-to-end context and automated response to help organizations better combat advanced attacks through a unified defense. ShadowPlex-R’s patent-pending algorithms quickly detect and stop ransomware and its crippling effects.

ShadowPlex-R presents attackers with a comprehensive palette of realistic and non-fingerprintable decoys, lures, baits, and breadcrumbs that blend in with an organization’s production assets. These serve as sensors, and any compromise to them results in very high fidelity detection. ShadowPlex-R employs a DevOps approach to deploying deceptions. By dynamically and automatically deploying the most effective and relevant deceptions, ShadowPlex-R dramatically reduces the cost of operation compared to first-generation deception products.

Find out more about Acalvio and how deception technology can help you reduce risk and maintain compliance. We’d be pleased to introduce you to our latest technology and share information about customers that have used Acalvio ShadowPlex to protect the most health care institutions around the world.