
How to protect your organization from ransomware-as-a-service attacks

Ransomware as a service (RaaS) has become an increasingly popular attack technique. It lets cybercriminals who want to carry out an attack but lack the technical skill do so anyway. All they have to do is get a RaaS kit on the dark web with everything they need and then put it to work. They pay a fixed amount for it, and those who sell it to them usually also keep a percentage of the profits made in the attack.

These attacks begin with initial access, usually through a malware infection or by exploiting a security vulnerability. From this point the attackers can move on to credential theft to gain a higher level of access to a network.

But the goal is always the same: to extract critical data and hold it for ransom. Many RaaS-based attacks employ a double extortion strategy, in which valuable data is obtained on the one hand and, on the other, is publicly leaked unless a ransom is paid.

Fortunately, there are several steps you can take to protect your business or organization from such an attack, such as those proposed by Microsoft in a report posted on its security blog. The first seems logical: prevent the initial access, which is what later triggers the attack. To do this, it is necessary to prevent harmful code from being executed by monitoring how macros and scripts are managed.

The second is to segment the organization’s network. This prevents attackers from making lateral movements based on account privileges. It is done by using different levels of privileges for different accounts.

Equally important, as a third recommendation, is auditing account credentials. This shows how exposed they are to the outside, and it helps prevent not only ransomware attacks but cyber attacks in general. It is also advisable to reduce privileges for accounts that do not need access to certain areas.

It is also necessary to reduce the available attack surface. You can achieve this by creating specific rules that help stop attacks in their early stages. Having a multi-factor authentication system for all accounts is also helpful. For accounts with administrator access, enabling it is a priority.

In recent years, multi-factor authentication has also become necessary for users with a hybrid or remote work arrangement. In this case it is needed on all the devices they use and from every location they work from. It’s also important to enable passwordless authentication, such as FIDO keys or authenticator apps, for supported sites and services.
