The growing threat of ransomware as a business model for criminal activity

Ransomware-as-a-service is a growing threat model that threatens governments’ ability to defend networks. Zero-trust practices are increasingly critical to shore up defenses.

Chester Wisniewski is principal research scientist and next-generation security leader at Sophos. With more than 20 years of experience, he has helped organizations design enterprise-scale defense strategies, served as the primary technical lead on architecting Sophos’ first email security appliance and consulted on security planning with some of the largest global brands. Today he works with SophosLabs to analyze, distill and share attack data to improve the industry’s understanding of evolving threats and build effective security defenses.

Cyberattack attribution – identifying the perpetrators, whether individuals or entire nation-states, behind an attack – is a key factor in how governments respond to threats and prioritize their security efforts. But today’s organized criminal groups are almost as sophisticated as nation-states, adopting the same tactics, techniques and procedures (TTPs). The lines between private criminal groups and full-fledged nation-state attackers are getting increasingly blurred, making it more difficult to discern criminal group activity from foreign adversaries.


When every potential threat actor is as capable and dangerous as any other, many of the assets on agency networks are going to be valuable to someone. It is no longer just a matter of building stronger security protections around the assets that would appeal only to nation-states, like state election systems or social security databases; every asset needs a baseline of protection.

Zero-trust security is the best way forward to do just that. Zero trust forces users to verify their identities continuously while accessing a network. More than that, the zero-trust model assigns users access privileges to only the specific applications they may need on a network. This ensures that, when they’ve verified their identity, that verified user isn’t just given carte blanche across the network; they’re limited only to the applications, locations and other assets that they have explicit permission to access.

This has the dual benefit of limiting users to only what they need and, in the event a legitimate account is compromised, preventing attackers from trawling across the whole network.
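The access model described above, as an added illustration that is not code from the article or from Sophos: a small policy decision point that denies by default, requires a recent identity verification on every request (the "continuous verification" the text refers to), and grants each principal only the applications and network locations it has been explicitly permitted. The principals, application names, locations and the 15-minute re-verification window are constructed assumptions for the example; the `blast_radius` helper makes the second benefit concrete by listing what a compromised account could reach under the policy.

```python
"""Minimal zero-trust access decision point (added example, not Sophos code).

Assumptions (constructed for this example, not from the article): a policy
table keyed by principal, each entry an explicit allow-list of applications
and locations, plus a maximum age for the last identity verification.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Assumed re-verification window: a session older than this must re-authenticate.
MAX_VERIFICATION_AGE = timedelta(minutes=15)

# Fixed clock so the example is deterministic (constructed value).
NOW = datetime(2022, 1, 1, 12, 0, tzinfo=timezone.utc)

# Constructed policy: explicit allow-lists per principal, deny by default.
POLICY: Dict[str, Dict[str, set]] = {
    "alice@agency.example": {
        "applications": {"payroll", "hr-portal"},
        "locations": {"hq-lan", "vpn"},
    },
    "bob@agency.example": {
        "applications": {"gis-maps"},
        "locations": {"hq-lan"},
    },
}


@dataclass(frozen=True)
class Request:
    principal: str
    application: str
    location: str          # network segment the request originates from
    verified_at: datetime  # time of the last successful identity check (e.g. MFA)
    now: datetime


def make_request(principal: str, application: str, location: str,
                 minutes_since_verification: int) -> Request:
    """Build a request relative to the fixed clock (convenience for demos/tests)."""
    return Request(principal, application, location,
                   NOW - timedelta(minutes=minutes_since_verification), NOW)


def decide(req: Request, policy=POLICY, max_age=MAX_VERIFICATION_AGE) -> Tuple[bool, str]:
    """Return (allowed, reason). Every check that fails is a deny; nothing is implicit."""
    entry = policy.get(req.principal)
    if entry is None:
        return False, "unknown principal"
    if req.now - req.verified_at > max_age:
        return False, "identity verification expired; re-authenticate"
    if req.location not in entry["locations"]:
        return False, f"location {req.location!r} not permitted"
    if req.application not in entry["applications"]:
        return False, f"application {req.application!r} not permitted"
    return True, "allowed"


def blast_radius(principal: str, policy=POLICY) -> set:
    """Applications an attacker could reach if this single account were compromised."""
    entry = policy.get(principal)
    return set() if entry is None else set(entry["applications"])


def audit(requests: List[Request], policy=POLICY) -> List[Tuple[str, str, str]]:
    """Evaluate a batch and return (principal, application, reason) for each denial.

    Denials are the signal a security team would feed into monitoring: a burst of
    'not permitted' decisions for one account suggests lateral-movement attempts.
    """
    denied = []
    for req in requests:
        allowed, reason = decide(req, policy)
        if not allowed:
            denied.append((req.principal, req.application, reason))
    return denied


if __name__ == "__main__":
    batch = [
        make_request("alice@agency.example", "payroll", "vpn", 5),      # allowed
        make_request("alice@agency.example", "payroll", "vpn", 120),    # stale verification
        make_request("alice@agency.example", "gis-maps", "vpn", 5),     # not in her allow-list
        make_request("bob@agency.example", "gis-maps", "vpn", 5),       # wrong location
    ]
    for req in batch:
        print(req.principal, req.application, req.location, decide(req))
    print("denied:", audit(batch))
    print("blast radius if alice is compromised:", blast_radius("alice@agency.example"))
```

Run it as a script to see each decision; the third request shows the point of the text: even with a valid, recently verified account, a request for an application outside the principal's allow-list is refused, so a stolen credential does not become a licence to roam the network.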

Ransomware isn’t just random criminal activity; it’s a business model.

Over the last two years, the Sophos Rapid Response team has been called to investigate hundreds of cases involving ransomware attacks, the data from which was recently included in the Sophos 2022 Threat Report: Interrelated Threats Target an Interdependent World.

The report takes a close look at a few areas where cyber threats are evolving rapidly and demand attention from government leaders, including:

  • Ransomware’s evolution from business model to a more specialized service offering, also known as ransomware-as-a-service (RaaS)
  • The future of mobile and infrastructure attacks
  • The risks that artificial intelligence tools pose in accelerating the speed and effectiveness of potential future attacks

These trends point to how quickly cyber threats, including ransomware, are becoming more sophisticated, more dangerous and harder to defend against. But what may be even more alarming is the normalization of these threat actors’ TTPs. According to SophosLabs, the development of the RaaS model — where ransomware attack methods are developed by one group and then leased out to criminal affiliates — is vastly expanding the landscape of potential attackers. You no longer need any special coding skills to deploy a ransomware package against a target; someone will create it for you.

In 2021, a disgruntled affiliate of the Conti RaaS service published a trove of documentation and guidance about the attack methods that most RaaS affiliates were employing. This was a major revelation, showing the security community for the first time the inner workings of how these ransomware instructions guide trained affiliates into exploiting people successfully. One group develops and builds ransomware programs, while another conducts virtual breaking-and-entering activities. Each of these activities requires a distinct skillset that can be developed and scaled out under this new model.

Staying ahead of threats requires a zero-trust approach to security

We’ve repeatedly seen state and local governments make headlines as victims of ransomware. This is not necessarily because of any particular lack of cybersecurity. The reality is that even the best-protected organizations can and will still fall victim to ransomware, because the attack methods have grown so robust in such a short period of time.

When lateral movement through a network can make any asset vulnerable to a cyberattacker, the only way to respond is by creating a universal baseline level of security across the board. A patchwork of solutions with differing levels of security protections will only result in holes that attackers can exploit. But a zero-trust security framework can provide a universal standard of security, for everyone, everywhere.

State governments don’t have much time to waste on this. Every day state agencies, employees and contractors aren’t operating on a zero-trust model is another day that a threat actor may be burrowing their way into a government network.

The White House’s recent Executive Order on Cybersecurity, which included provisions for a governmentwide zero-trust strategy, provides a useful model for how state and local governments can form their own zero-trust strategies. It is a great roadmap for states to adopt a zero-trust security framework of their own, with strategies for deploying measures like multifactor authentication and stronger endpoint protections that can better tighten network access for users and potential intruders. And while the goals and timelines in this EO are currently set for federal agencies, state leaders would be wise to adopt those goals and timelines as their own, too. Cyberattackers aren’t waiting; government leaders shouldn’t, either.

Additionally, getting involved with the broader security community can help state government leaders learn about what tools and approaches are working, so they don’t waste valuable time and resources going down a wrong path. The Multi-State Information Sharing and Analysis Center (MS-ISAC) is a great place for state security leaders to engage with their counterparts across the country. Unfortunately, while most states are members, participation is still very unequal.

We see more participation in using the ISAC as a resource with the Research and Education Networking Information Center (REN-ISAC). In this group, stakeholders tend to consult with multiple administrators before making any strategic decisions. And because they are not competitors — like in the private sector — it makes it easier to share information and best practices.

This level of threat intelligence sharing and collaboration – on both education and real-world deployments of zero-trust solutions – will be essential to giving state governments faster and more efficient methods for responding to, or thwarting, an increasingly dangerous ransomware landscape.

Read more in the survey to learn about how ransomware attacks are posing greater threats to interdependent organizations.
