Ransomware-as-a-Service

Rob Blaauboer
Senior Business Consultant

A couple of weeks ago, Garmin fell victim to a ransomware attack by the Russian hacker group Evil Corp. Garmin’s services were inaccessible for days. It is getting easier to do these kinds of attacks because, believe it or not, there is such a thing as Ransomware-as-a-Service.

Everything as a service

You might be familiar with the trend ‘as-a-Service’. We, as Yenlo, offer Integration-as-a-Service, like our Connext Go! (iaaS) or Connext Platform (iPaaS). You can start integrating your systems without having to worry about installation, maintenance and updates of the WSO2 stack. It allows you to focus on the things that really add value to your organization.

With Ransomware-as-a-Service you buy or rent a ransomware module on the dark web and then use it to extort organizations or companies. Those who offer it even have a helpdesk in case you have questions. Not a real helpdesk with a telephone number, I guess, but more of an online or email approach. And the reason is simple: there is a business model behind it!

Business Model

In this case, as opposed to, for example, a virus attack, there really is a business model: for the attackers, who get help in setting up the ransomware attack, but also for the victims of the attack.

There the business model is about getting the money (often in bitcoins). If you, as an organization or person, have become a victim, you can get in contact with someone who can help you unlock the files again, for a fee of course!

It is important to realize that if an organization is willing to pay, you do not ask too much (in that case the organization cannot bear the cost, or the cost outweighs the alternatives), but also not too little, in which case you do not actually make enough money from the attack. Finding the sweet spot is key here.

The decryption must also work. Often one file is allowed to be decrypted to show that it works. The amount of money depends on the financial situation of the organization, the size of the company and the sense of urgency. According to Sophos: “A full-scale ransomware attack costing on average an eye-watering US$755,991 USD”.

How does it work?

The first infection can happen, for example, via email, where someone clicks on a certain link. The link of course leads to malware. Then the infection actually starts: at that moment, for example, encryption of files is started locally, for instance by downloading and executing a number of PowerShell scripts on the computer. The attack will access all drives and directories it can connect to and start encrypting the files, wherever the software can reach them. Often it will also attach itself to the boot sequence so that the process continues after a restart.

Evil Corp

The name of the group that did the Garmin hack is Evil Corp. The adage “Nomen est Omen” was never more true. Targets for the group can be anyone or any organization: universities and hospitals, as long as they get the money, they don’t care. This shows that anyone can actually become a victim. At the moment there is also a lot of concern about attacks targeting hospitals and other parties that play a role in the fight against the corona pandemic. The idea is that they will pay because of the circumstances and pressure.

Why Garmin?

The question remains, of course: why Garmin? The answer, I am afraid, remains guesswork.

In general, when it comes to ransomware one thing is important, and that is payment. Organizations must be willing to pay, otherwise it makes no sense for the hackers. I am leaving political games out of the equation.

When are you more willing to pay? For example, because services are at a standstill, because the loss of turnover and the costs become too high or, and that is the truly evil part of it, because you are part of the critical infrastructure.

What to do?

Sophos is a security tools vendor that provides a suite of detection tools for this. But the tool is only one part. A number of other things are important, for example that you have backups and a plan in case you are unexpectedly hit by ransomware.

Of course, you have to make sure you have backups. Not one backup at one location, but multiple backups at multiple locations, none of which can be reached from the network itself. These backups must be made and checked regularly. In addition to the general requirement that your security must be in order, you can also consider specialist software such as Sophos Intercept X Advanced, which is able to stop ransomware attacks in the same way that a virus scanner can stop a virus.

Paying is dangerous

Payment is certainly an option, otherwise these types of attacks would not continue. I will disregard political motivations for a moment, but payment is also a risk. According to Sophos, you will automatically be placed on a different list and the chance that you will again become the target of a ransomware attack in the short term is considerably greater.

The adage is of course always: don’t pay. But you also have to stand firm. Imagine you are in a hospital where you can no longer access your patient files: will you pay the ransom? The criminals are hard to catch since they often operate outside of your country, in other jurisdictions.

Keys

There is also a site with all kinds of keys for decryption. Some of the older ransomware ‘strains’ have been decrypted and keys are available, for instance, on the Dutch site https://www.nomoreransom.org/. But as is often the case, it is always a game between the good and the bad, where we as good guys are always a few steps behind.

Conclusion

It is best to make a plan, make sure your backups are in order, and look for detection software to stop the attacks early. Security, in the broadest sense you can imagine, is vital. Criminals will look for the easiest way to gain entry first, but will also look for other ways in. Can we be sure that they will not exploit weaknesses in APIs to start their ransomware attacks? No attacks have been carried out via APIs… Yet.

Yet is the operative word here. Make sure that your API definition is ironclad and that you validate payloads against a schema to minimize the chances of attacks. Take a look at our webinar on WSO2 API Manager and 42Crunch for this topic.
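As an added example (not code from this post, nor from WSO2 API Manager or 42Crunch), here is the kind of strict payload check an API gateway applies when a schema is enforced: a small, dependency-free validator with a constructed "create order" schema that types and bounds every field and rejects fields the contract never defined. The schema, field names and sample payloads are all constructed for illustration.

```python
import re

# Constructed schema for a hypothetical "create order" operation (not from the
# post): every field is typed and bounded, and unknown fields are rejected.
ITEM_SCHEMA = {"type": "object", "required": ["sku", "qty"], "additionalProperties": False,
               "properties": {"sku": {"type": "string", "maxLength": 32},
                              "qty": {"type": "integer", "minimum": 1, "maximum": 1000}}}
ORDER_SCHEMA = {"type": "object", "required": ["customer_id", "items"], "additionalProperties": False,
                "properties": {"customer_id": {"type": "string", "pattern": r"[A-Z]{3}-\d{6}"},
                               "items": {"type": "array", "maxItems": 50, "items": ITEM_SCHEMA}}}

PY_TYPES = {"object": dict, "array": list, "string": str, "integer": int}


def validate(value, schema, path="$"):
    """Return a list of violations; an empty list means the payload conforms."""
    kind = schema["type"]
    # bool is a subclass of int in Python, so exclude it explicitly for integers
    if not isinstance(value, PY_TYPES[kind]) or (kind == "integer" and isinstance(value, bool)):
        return [f"{path}: expected {kind}"]
    errors = []
    if kind == "object":
        errors += [f"{path}.{k}: missing required field" for k in schema.get("required", []) if k not in value]
        props = schema.get("properties", {})
        for key, sub in value.items():
            if key in props:
                errors += validate(sub, props[key], f"{path}.{key}")
            elif not schema.get("additionalProperties", True):
                errors.append(f"{path}.{key}: field not defined in schema")
    elif kind == "array":
        if len(value) > schema.get("maxItems", len(value)):
            errors.append(f"{path}: more than {schema['maxItems']} items")
        errors += [e for i, sub in enumerate(value) for e in validate(sub, schema["items"], f"{path}[{i}]")]
    elif kind == "string":
        if len(value) > schema.get("maxLength", len(value)):
            errors.append(f"{path}: longer than {schema['maxLength']} characters")
        if "pattern" in schema and not re.fullmatch(schema["pattern"], value):
            errors.append(f"{path}: does not match required pattern")
    elif kind == "integer":
        if not schema.get("minimum", value) <= value <= schema.get("maximum", value):
            errors.append(f"{path}: outside allowed range")
    return errors


# Constructed payloads: one conforming, one that a lenient backend might accept
# but a strict schema check rejects (malformed id, qty of 0, unknown field).
GOOD_ORDER = {"customer_id": "NLD-123456", "items": [{"sku": "WSO2-APIM", "qty": 2}]}
BAD_ORDER = {"customer_id": "NLD-12", "items": [{"sku": "X", "qty": 0}], "is_admin": True}
```

A gateway that rejects `BAD_ORDER` at the edge never lets the unexpected `is_admin` field or the out-of-range quantity reach the backend, which is the point of validating against the contract rather than trusting the client.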

But as with many things, there are no guarantees that you will not become a victim.