The Cyber5 Podcast

EP91: Democratizing Ransomware as a Service

Episode 91 | Mar. 29, 2023

In Episode 91 of TheCyber5, we are joined by Paul Malcomb, Intelligence Advisory for Nisos.

Episode 91 | Mar. 29, 2023

In Episode 91 of TheCyber5, we are joined by Paul Malcomb, Intelligence Advisory for Nisos.

Paul brings over 15 years of experience from Fortune 500 security teams and the public sector including incident response, threat intelligence, and third-party risk management.

In this episode, Paul explains how the ransomware-related ecosystem is evolving and provides insights to some of the newer threats organizations face.


Here are the Three Major Takeaways


1. Ransomware actors no longer need to be end-to-end capable and are now very decentralized:

Gone are the days where threat actors have to be masters of all, with the democratization of services, affiliates with little to no technical knowledge can now execute sophisticated cyber attacks. Ransomware operators needed to possess the full scale of technical and non-technical capabilities within an organized criminal group. Initial access brokers, supporting operators, and/or the actual malware developers no longer need to be the same entity. Today, individual attack components are outsourced in order to provide an affiliate with end-to-end solutions filling nearly any unmet need to include but not limited to: payment negotiations, money laundering, infrastructure creation, payment collection, etc.

2. CTI, Red and Blue teams must unite and move faster to adjust to the decentralization:

It is becoming more and more critical to fuse CTI teams with their respective Red and Blue team components in order to emulate an organization’s most pressing threats. Blue teams sometimes have minutes to detect and remediate a ransomware actor once the initial access is gained. This initial access is often gained through misconfigurations or unpatched vulnerabilities on legacy systems. Similarly, privilege escalation and lateral movement tactics commonly leveraged can also be mimicked enabling Blue team detections to be optimized against a specific adversary. This type of adversary emulation is only possible through the fusion of the three (3) teams (CTI, Red & Blue). Smaller and medium sized businesses (SMBs) have almost no chance to avoid ransomware unless they are using managed services to detect, correlate and respond to events. Managed Intelligence Service providers have experienced personnel, proven processes and the appropriate tools needed to accurately scope RaaS-related-risks and help guide SMBs through the challenge of hardening their systems focusing on cost effective risk reduction strategies.

3. Living Off the Land attacks make detection harder by an order of magnitude:

With the growing percentage of attacks not having any type of signature file or easily identifiable IOCs, timely adversary threat intelligence focused for a specific organization is often the only early warning indicator capable of identifying potentially malicious activity pre-impact. When ransomware attackers use the same commands and tools that are native in an Enterprise environment, attackers become significantly more challenging to detect because it looks like expected or business-as-usual (BAU) traffic. Over 70% of ransomware is now non-malware attacks meaning ransomware groups don’t need to use custom malware that can be detected from a file hash.The new formula requires only initial access then common administration tool know-how and thanks to the democratization of RaaS, now even these components can be purchased and all an Affiliate needs is the desire to attack and the finances to pay the ecosystem to act.