Microsoft Cyber Signals: Tracking and defending against the new ransomware landscape

Microsoft’s publication of the second edition of Cyber Signals, a quarterly cyber threat intelligence brief based on the latest Microsoft threat data and research, focused on the evolution of the ransomware-as-a-service (RaaS) business model. This edition of Cyber Signals identifies the rise of RaaS and the fueling of ransomware attacks as part of the evolving cyber threat landscape, where ransomware can be deployed by criminals regardless of their technical expertise.

Instead of performing the attacks themselves, cybercriminals are now renting or selling their ransomware tools for a portion of the proceeds, and attacks often involve multiple cybercriminals at different points of the intrusion. The RaaS business model involves an arrangement between an operator, who provides the infrastructure for the attacks, and “affiliates”, who deploy ransomware payloads against targets after purchasing access to vulnerable organizations.

With online threats increasing in volume and sophistication, the European Union Agency for Cybersecurity (ENISA) reported that about 10 terabytes of data were stolen each month by ransomware threat actors between May 2021 and June 2022, with 58.2% of that stolen data involving employees’ personal information.

The Cyber Signals report

In this edition of Cyber Signals, the spotlight on RaaS uncovered that over 80% of ransomware could be traced to common configuration errors in software and devices. In an environment where cyber criminals are emboldened by the growing underground ransomware economy, this has enabled the purchase of access to ransomware payloads and data leakage in addition to payment infrastructure. With lower barriers to entry that obfuscate the identity of attackers behind the ransoming, anyone can join the RaaS gig economy since RaaS kits are significantly easy to locate on the dark web. As a result, defenders face a heavier challenge when it comes to uncovering the culprits behind the attacks.

The ease facilitated by RaaS for cybercriminals to exfiltrate an organization’s data and extort money by threatening to release said data means that this will remain a challenge for organizations worldwide. Through Microsoft’s intelligence gathering on the ever-evolving threat landscape and threat actors, organizations can gain visibility into ransomware threat actors’ actions.

Directing the removal of more than 531,000 unique phishing URLs and 5,400 phish kits between July 2021 and June 2022, Microsoft’s Digital Crimes Unit led to the identification and closure of over 1,400 malicious email accounts used to collect stolen customer credentials.

In addition to extorting payment from victims, most existing RaaS programs also leak stolen data, engaging in what is known as double extortion. Cyber Signals recommends enforcing multifactor authentication (MFA) on all accounts, and on all devices, to ensure that attackers do not gain access to credentials through stolen passwords and unprotected identities, which are key features in most successful ransomware attacks. Basic defenses such as MFA are essential in neutralizing RaaS threat actors since once cybercriminals identify vulnerabilities in a network, they can create a commoditized attack chain by establishing ransomware infiltration routes.

Improving protection

Moreover, unprotected networks with missing or misconfigured security products serve as an open invitation for attackers to exploit weaknesses in systems, allowing them to even disable certain protections. This is in addition to intruders being able to gain access through duplicative or unused apps, especially if they are in their legacy configurations. Accordingly, closing security blind spots by ensuring that security tools are operating at optimum configurations and undertaking regular network scans can help organizations pre-empt ransomware attacks. 

Ultimately, older vulnerabilities too are a primary driver of attacks, with vendor patches requiring to be applied immediately in most cases. In this case, keeping systems up to date by ensuring continuous software inventory and estimating the opportune moment to transition to cloud-based services is a critical feature in defending against ransomware infiltration.

Cyber Signals further disclosed that should a victim fall for a phishing email, the median time for an attacker to access private data is one hour, 12 minutes. For endpoint threats, the median time for an attacker to begin moving laterally within a corporate network if a device is compromised is one hour, 42 minutes. Accordingly, security hardening and investments in cybersecurity hygiene are vital in setting up defenses against the avoidable disaster of ransomware.

Given the current security landscape, Microsoft’s Cyber Signals aim to provide organizations with the necessary tools to meet the ransomware threat and arm themselves accordingly. This is in large part thanks to its insights on the threat landscape from 43 trillion security signals and 8,500 security experts.

Note: Minor edits have been made to the article for clarity