The Ransomware as-a-Service (RaaS) Economy
In the RaaS economy, the service provided is the infrastructure required to perform a ransomware attack. RaaS operators maintain the ransomware malware, offer a payment portal for victims, and may provide the “customer service” that victims might need (since many ransoms are demanded in Bitcoin or other cryptocurrencies). Their affiliates are responsible for spreading the ransomware, and any ransoms paid are split between the operators and the affiliate (typically with the operator receiving 30-40%).
這項安排為交易的雙方提供好處。 運營商獲得了不太可能在內部實現的規模,並可以專注於維護後端基礎架構。 另一方面,附屬機構可以存取勒索軟體及其後端基礎設施,並可以將注意力集中在滲透網路和感染電腦上。
這種專業化能力對於網路犯罪分子來說是一個主要優勢,因為很少有人能夠同時完成惡意軟體開發和網路滲透。 RaaS模式是近年來勒索軟體攻擊能夠持續穩定成長的主要原因之一。
Top Known Ransomware as-a-Service Variants
許多勒索軟體領域的知名人士也是領先的 RaaS 營運商。 一些最豐富和危險的 RaaS 變體包括:
- 琉克: Ryuk 勒索軟體是現有最多產、最昂貴的勒索軟體變種之一。 據估計,去年大約三分之一的勒索軟體感染是由 Ryuk 造成的。 該勒索軟體還能夠有效說服目標支付贖金要求,迄今估計已獲利 1.5 億美元。
- Lockbit: Lockbit has been around since September 2019, but it has only recently entered the RaaS space. It focuses on rapidly encrypting the systems of large organizations, minimizing the defenders’ opportunity to detect and eliminate the malware before the damage is done.
- REvil/Sodinokibi: REvil competes with Ryuk as the greediest ransomware variant. This malware is spread in various ways, and REvil affiliates have been known to exploit unpatched Citrix and Pulse Secure VPNs to infect systems.
- Egregor/Maze: The Maze ransomware variant made history as the first to introduce “double extortion”, which involves stealing data as part of a ransomware attack and threatening to breach it if a ransom is not paid. While Maze has since ceased operations, related ransomware variants – like Egregor – are still operational and run under the RaaS affiliate model.
這些只是利用 RaaS 模型的勒索軟體變體的一部分。 許多其他勒索軟體組織也與附屬機構合作。 然而,這些勒索軟體團體的規模和成功意味著他們有能力吸引專家傳播他們的惡意軟體。
防止 RaaS 攻擊
勒索軟體攻擊持續成長,RaaS 意味著網路犯罪分子可以專門充當惡意軟體作者或網路滲透專家。 組織必須部署能夠在關鍵文件加密之前檢測和修復勒索軟體感染的端點資安解決方案。
Check Point SandBlast Agent provides comprehensive endpoint security protections. It incorporates a wide range of anti-ransomware functionality, including:
- Complete Attack Vector Coverage: Ransomware can be delivered in a number of ways, including via phishing emails, drive-by downloads, compromised user accounts, and more. SandBlast Agent provides complete protection against all potential ransomware delivery vectors.
- 行為防護:可以根據勒索軟體的一些核心行為來識別勒索軟體,包括檔案加密和刪除作業系統備份。 SandBlast Agent 會監控這些異常行為,使其能夠在惡意軟體加密有價值的資料之前終止感染。
- 自動修復: SandBlast Agent 提供針對勒索軟體的執行時間保護,即使在執行時間模式下也是如此。 這包括對整個勒索軟體攻擊鏈進行全面修復,消除惡意軟體的所有痕跡。
- Secure Backup and Restore: Ransomware commonly deletes OS backups such as shadow copies of files. SandBlast Agent stores backups in memory accessible only to Check Point programs, enabling it to restore files even if OS backups are deleted.
- 威脅追蹤支援: 威脅搜尋使安全團隊能夠主動搜尋其係統上惡意軟體感染的跡象。 SandBlast Agent 收集、組織和分析關鍵數據,使威脅搜尋更加有效率和有效。
Ransomware protection should be part of any organization’s security strategy, and SandBlast Agent provides peace of mind in the face of the ransomware threat. To learn more about SandBlast Agent and its capabilities, check out this solution brief. You’re also welcome to request a personalized demo to discuss how Check Point can help to improve your organization’s ransomware defenses.
反映意見