We all know that Software as a Service (SaaS) makes managing software easier, but there’s a dark side to every technology, and the dispiriting truth about SaaS is that it makes the deployment of ransomware easier too.
Ransomware, for those who aren’t familiar with the term, allows hackers to illegally access – and encrypt – a third party’s sensitive data. The ransom-requester then notifies the victim of the attack, demanding funds – usually in the form of hard-to-trace bitcoin – if they want the data decrypted. If the attacker’s initial “request” does not yield the desired revenue, the next step is for the ransom-requester to threaten to make the compromised information public.
Here’s where SaaS often comes in: Ransom as a service (RaaS) providers offer a malware kit that’s free to any cyber-criminal who wants to use it to inflict malware on a third party. A percentage of the ransom (between 20 and 30 per cent) goes to the RaaS malware provider and the rest to the cyber-criminal. The RaaS malware kit is usually designed for ease of use: no programming skills are required for the cyber-criminal to use it, s/he just has to register on the RaaS site, specify the recipient of the ransomware, and enter the ransom amount. That’s it! The RaaS provider does the rest.
The question is, what can be done about it? Can there be RaaS legislation similar to gun control legislation? Even if such legislation can be designed, who could enforce it? The legislation could only apply within the country where it was passed. It is pointless to pass legislation in one country to control what would-be RaaS providers are doing from far-flung nations like Nigeria, China, or Russia, to say nothing of an ISIS sympathizer holed up in his mother’s basement.
One way to protect against RaaS is to aggressively focus on implementing strategies to protect critical data against ubiquitous cyber-criminals and their ransomware demands. The usual security features, such as firewalls and up-to-date software, are musts, but they are not enough to protect an organization from being hit by malware. Additional security controls such as host intrusion prevention are needed, as are frequent backups using different media (e.g. the cloud, a stand-alone hard drive, etc.), one of which should be kept offsite.
As noted on this site, the ransomware industry is still in its infancy, and guaranteed to get worse. SonicWall’s annual report, for example, shows that the number of attacks grew from 4 million in 2015 to 638 million in 2016. We must get ready for this new type of criminal endeavour, which might as well be called cyber mafia; only instead of using guns to threaten, practitioners use RaaS.
Yes, this is a depressing and scary blog, meant to be a wake-up call not just for businesses, but across the country, not to mention the world.
There is a need for an initiative to counteract RaaS at an international IT level, sort of a cyber security Interpol. If it is not done, RaaS will increase, a 21st century crime akin to robbery on the high seas, but instead of waving flags, the pirates will just pop a notice on your computer system and you’ll know you’ve been had.