The hydra effect: Why shutting down RaaS is like playing whack-a-mole

As a CISO in Residence, one of my favorite activities is presenting on various topics at regional security summits. It lets me share ideas that I am truly passionate about with new and interesting people. Recently, I had the privilege of attending an ISACA event where I was asked about ransomware-as-a-service (RaaS). Specifically, people want to know why it is so prevalent and why it can’t simply be shut down.

I’ve been a seasoned cybersecurity veteran for some time and watched the evolution of cybercrime firsthand. RaaS are particularly nasty beasts, and dismantling them is frustratingly difficult. Based on my experience and engagement with local, state (yes, US citizen here), and federal law enforcement personnel, let's explore why RaaS is hard to stop. We’ll also look at how businesses can minimize their exposure to RaaS risks.

Stopping RaaS is like chasing shadows

Here's the grim reality - even if we identify a RaaS group, taking them down permanently is a monumental challenge. Why?

1. Global reach: RaaS thrives in a borderless world. Operators can be scattered across the globe, which makes coordinated takedowns complex. Imagine chasing a criminal across continents, each region with its own legal jurisdiction and level of cooperation. Coordinating criminal takedowns in a timely manner with the various authorities is nearly impossible. Another hurdle, the amount of evidence needed to prove a crime varies from country to country, as do the penalties. Let's not forget, these groups are often operating out of several different countries simultaneously. Yes, the global nature of cyber crime groups makes prosecuting them extremely hard. Even when a threat group takes credit for an attack, we can’t necessarily attribute the crime to known individuals in the real world, afterall, they don’t operate by their given name but by an avatar or a handle. 
2. Dark web infrastructure: RaaS operates on the dark web, a shadowy corner of the internet shrouded in anonymity. Think of it as a secret marketplace, nearly impossible to infiltrate and dismantle. Law enforcement officers (LEOs) have to spend time creating a digital persona and building their reputation to gain the trust of the underground world - much like an undercover agent does when infiltrating a drug cartel or a gang. The dark web isn't the same as the internet,  infiltrating groups isn't as simple as creating a new account and joining websites. It takes time to infiltrate, to build trust, and to get known by the gangs. 
3. Franchise model: RaaS follows a franchise model. The core group develops the ransomware, then affiliates (think cyber criminals with varying skill sets) buy or rent access to their resources to launch attacks. Picture a fast-food chain – shutting down one outlet doesn't stop the entire franchise. The franchisers make a percentage (be it 10 - 20%) while the franchisee keeps the rest. RaaS operations may even employ additional departments and set up organizational structures like call centers. The call centers may be part of the larger criminal ruse, or they may walk victims through the process of making a payment and get a decryption key. Like a legitimate business, RaaS operators want their bad organization to maintain a good reputation for smooth transactions.Unfortunately, there are nearly a dozen RaaS providers operating in the world. When one gets shut down, the others will take up the slack and grow their market share. This is why this article’s title mentions the hydra effect - every time one head is vanquished others arise. 
4. State actors: There's a distinct possibility that some RaaS groups operate under the protection of  nation-states. This creates a complex web of international diplomacy that hinders investigations. Some of the challenges involved with attributing attackers to specific sovereign governments goes back to point #2. It is difficult to positively identify anyone on the dark web, but the advanced tactics of some groups strongly suggest they are government affiliated.

If you haven't read or listened to the Lazarus Heist by Geoff White, you're missing out. Geoff is a remarkable story teller and his research is extraordinary. I highly recommend you listen to the BBC podcast or pick up a copy of the book. 

Educate to Mitigate: Building a Defense

While dismantling a RaaS operation entirely is an uphill battle, there are still ways to combat them. Businesses can significantly reduce their exposure to RaaS groups by focusing on proactive defense strategies including:

1. Educating employees: Phishing emails are a common delivery mechanism for ransomware. Train your staff to identify and avoid suspicious emails and attachments. Employ solutions allowing them to easily report suspected phishing attempts. Let them know that it's ok to submit anything suspicious even if they are not 100% sure it is dangerous. It is better they submit something innocuous than click on a real threat and put the company at risk. 
2. Patching and updating: Unpatched systems are vulnerable. Implement a rigorous patching schedule for all software and operating systems. If a patch isn't available, consider a work-around or a configuration change that will minimize risk. 
3. Backups, backups, backups: Regular data backups are your safety net. Ransomware attacks prey upon the fear of data loss. Having a secure, up-to-date backup allows you to restore data without paying the ransom.
4. Segmentation and attack surface reduction: Don't let a ransomware infection spread like wildfire. Segregate your network to limit the impact of ransomware attacks. Reducing your external attack surface will limit the number of entry points an attacker can use to compromise your organization. By reducing attack surface and implementing segmentation your organization can minimize the blast radius when a single device, application, or user is compromised. Limiting the reach of participants in your enterprise also restricts the damage they can inflict when breached. 
5. Threat Intelligence: Stay informed! Subscribe to reputable threat intelligence feeds to stay ahead of evolving tactics and vulnerabilities. There are several public and private threat intelligence resources available to help you stay on top of the latest cyber threats.

One of the problems with ransomware (which grew throughout 2023 and into 2024) is that its implementation is evolving. Attacks are no longer limited to data encryption and ransom demands. Threat actors are increasingly embracing  extortionware or double ransomware. This is a tactic that involves stealing data and using blackmail techniques to pressure victims into paying. If a company refuses to pay, the cyber criminal threatens to upload stolen data to the dark web and/or leak it to the  media. In fact, in one instance the cyber criminals alerted the SEC that the victim failed to report the breach. The fact that attackers now enlist government agencies to extort their victims simply highlights that they are criminals, not our friends.  

I hope this article has helped you understand why ransomware-as-a-service providers cannot be easily eliminated. It's more than an attribution issue or connecting events back to actual people. It's the problem of finding where they operate, getting past jurisdictional issues, and  dismantling their globally distributed hardware infrastructure. This doesn't mean that law enforcement officers aren't actively working to shut them down - they are. 

Yet, private organizations must take steps to protect themselves from RaaS providers. Since many attacks are launched through email, educating users and implementing email security should be a top priority. Organizations need to  implement controls that reduce attack surface and promote segmentation. Close proverbial doors on attackers by quickly deploying patches when they are available and have been properly tested. Here are a few quick tips that can also help secure your organization: 

• Enable backups of all critical systems and data 
• Monitor accounts and private accounts 
• Employ configuration management or, even better, CNAPP protections 

Employing standard cyber hygiene makes it much more difficult for the attackers to exploit you. Don’t be an easy target. Let's stay safe out there! 

What to read next 

The leadership tightrope: Why leading in today's workforce is a balancing act

From the trenches: A CISO's guide to threat intelligence

How cybersecurity and AI will influence global elections in 2024