What Is Ransomware-as-a-Service? Understanding RaaS

Ransomware-as-a-service lowers the bar for entering the cyber extortion game

Ransomware isn’t a new threat. It first rose to prominence back in 2016, when Hollywood Presbyterian Medical Center shelled out $17,000 in bitcoin after an attack took the hospital offline. Since then, ransomware has only become more popular, especially for hackers targeting the healthcare industry or government organizations. It used to be that launching a ransomware attack required at least some technical prowess; at a minimum, hackers had to possess sufficient coding skills to write a ransomware program. Then ransomware-as-a-service (RaaS) came on the scene and changed the game.

What is ransomware?

Before delving into RaaS, let’s quickly review ransomware. Ransomware is malware that encrypts all or part of a system, rendering it inoperable until a ransom fee, usually demanded in bitcoin, is paid to the hacker, who will then supposedly provide a key to unlock the encryption. As opposed to data breaches, which seek to steal credit card information, Social Security Numbers, and other sensitive data, ransomware doesn’t access files or data. It just locks everything down.

Paying the ransom is a dicey bet. Even after getting the money, hackers may not send a key, or they may send one that doesn’t work, or that doesn’t fully work.

What is ransomware-as-a-service (RaaS)?

At its simplest, RaaS is a criminal offshoot of software-as-a-service (SaaS), the myriad cloud-hosted software solutions sold by legitimate vendors to both individuals and businesses. Just like SaaS applications, RaaS is sold on a cloud-based subscription model to anyone who can ante up the subscription fee. In some cases there is no subscription fee at all; many RaaS developers use “affiliate” models in which the developer collects all of the ransom money extorted by affiliates, takes out some percentage as commission, and passes on the remainder.

While RaaS applications vary in complexity, in general they are designed to be very easy to use. They’re deployed through online portals with simple user interfaces, and no coding is required. Many enterprising RaaS “vendors” even offer online customer service, just as a SaaS developer would, to help subscribers get their ransomware campaigns up and running.

The dangers of ransomware-as-a-service

The biggest danger of RaaS is that it makes it possible for just about anyone to become a cyber extortionist. Undoubtedly, the advent of RaaS contributed greatly to the exponential growth of ransomware attacks.

RaaS gives users all the benefits of a regular ransomware attack, without the hassle of writing their own code. Ransomware took off because it tends to be much more lucrative than data breaches. Once hackers breach a system and steal data, they must procure a buyer and negotiate a price. This can take time, and the data may not be worth as much as the hacker thought it would be. Ransomware and RaaS attacks come with built-in “buyers”: the businesses who are locked out of their systems, who are often not in a position to negotiate on price.

Preventing RaaS attacks

RaaS attacks are launched just like regular ransomware attacks, usually through a phishing email. The same proactive measures employed to prevent ransomware are also used to prevent RaaS, including:

  • Using email filters to prevent phishing emails from reaching employees’ inboxes.
  • Using reliable anti-virus programs and other security software.
  • Keeping operating systems and application software up to date.
  • Educating employees on cybersecurity hygiene, including how to recognize phishing emails and the steps to take if they receive a suspicious email.

Organizations must also regularly back up systems and data so that they can be restored in the event of a RaaS attack, and must have an incident response plan and business continuity and disaster recovery plans in place. In addition to shielding your organization from some of the fallout of a ransomware attack, these measures will also mitigate the damage from other cyber attacks, real-world crime or vandalism, or a natural disaster.

The cybersecurity experts at Lazarus Alliance have deep knowledge of the cybersecurity field, are continually monitoring the latest information security threats, and are committed to protecting organizations of all sizes from security breaches. Our full-service risk assessment services and Continuum GRC RegTech software will help protect your organization from data breaches, ransomware attacks, and other cyber threats.

Lazarus Alliance is proactive cybersecurity®. Call 1-888-896-7580 to discuss your organization’s cybersecurity needs and find out how we can help your organization adhere to cybersecurity regulations, maintain compliance, and secure your systems.

Control Origination Demystified

Control Origination can be confusing. Get it wrong and your System Security Plan (SSP) control definitions will not be attestable or certifiable.

This series of illustrations provides an explanation to guide you through the Control Origination requirements present in all NIST and FISMA assessments, such as FedRAMP, CMMC, 800-53, HIPAA, CJIS, DFARS, 800-171 and others.

All controls originate from a system or from a business process. It is important to describe where the control originates from so that it is clear whose responsibility it is to implement, manage and monitor the control. In some cases, the responsibility is shared by a CSP and by the customer. Use the definitions in the illustrations below to indicate where each security control originates from.

Throughout the SSP, policies and procedures must be explicitly referenced (title and date or version) so that it is clear which document is being referred to. Section numbers or similar mechanisms should allow the reviewer to easily find the reference.

For SaaS and PaaS systems that are inheriting controls from an IaaS (or anything lower in the stack), the “inherited” option in the SSP must be selected, and the implementation description must simply say “inherited.” Authorized reviewers will determine whether the control set is appropriate or not.

The NIST term “organization-defined” must be interpreted as being the CSP’s responsibility unless otherwise indicated. In some cases the JAB has chosen to define or provide the value; in others it has left the decision up to the CSP.

The official Control Origination classifications are:

  • Service Provider Corporate
  • Service Provider System Specific
  • Service Provider Hybrid (Corporate and System Specific)
  • Configured by Customer (Customer System Specific)
  • Provided by Customer (Customer System Specific)
  • Shared (Service Provider and Customer Responsibility)
  • Inherited from pre-existing FedRAMP Authorization

[Illustrations: one FedRAMP Control Origination diagram for each of the seven classifications listed above.]

What Your Cloud Business Needs to Know About SOC 2 Certification

A guide to SOC 2 compliance for SaaS developers and other cloud services providers

As cyber threats present greater risks to enterprises of all sizes and in all industries, more are requiring that their SaaS providers and other cloud services vendors have an SOC 2 certification. Let’s examine what an SOC 2 certification is and why your cloud services business should get one.

What is an SOC 2 report?

The SOC 2 is part of the American Institute of Certified Public Accountants (AICPA) Service Organization Control (SOC) reporting framework, utilizes the AT-101 professional standard, and is based on the five AICPA Trust Services Principles. Companies undergo SOC 2 audits to assure their clients that their organizations have implemented specific controls to effectively mitigate operational and compliance risks.

SOC 1 vs SOC 2 vs SOC 3

An SOC 1 report utilizes the SSAE 18 standard and reports on internal controls over financial reporting (ICFR), while an SOC 2 attestation is performed in accordance with AT-101 and addresses non-financial controls. The SOC 2 was developed to meet the needs of technology service providers, so that they could attest to their adherence to comprehensive data security control procedures and practices. Distribution of SOC 1 and 2 reports is restricted to certain stakeholders, such as compliance officers, auditors, or business partners.

The SOC 3 is a simplified version of an SOC 2. It reports on the same information, but the report is shorter, contains fewer details, and is meant for a general audience. Distribution of SOC 3 reports is unrestricted; they can be shared with anyone, including via posting on the company’s website.

What are the AICPA Trust Services Principles?

Companies undergoing an SOC 2 audit must attest to their compliance with one or more of the AICPA Trust Services Principles:

  • Security: Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.
  • Availability: Information and systems are available for operation and use to meet the entity’s objectives.
  • Processing integrity: System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.
  • Confidentiality: Information designated as confidential is protected to meet the entity’s objectives.
  • Privacy: Personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives.

Reporting organizations are not required to address all five Trust Service Principles; SOC 2 attestations can be limited to the principles that are relevant to the services being provided.

SOC Type 1 vs Type 2

An SOC 2 Type 1 audit provides a snapshot of an organization’s controls at a point in time, while an SOC 2 Type 2 audit examines them over a specified period. Because the Type 2 is far more rigorous, this is the certification most companies will want their SaaS and cloud providers to have.

The benefits of an SOC 2 Type 2 attestation

Unlike regulatory standards such as PCI DSS and HIPAA, SOC 2 attestations are not required by law. However, they are well worth the investment. Companies that undergo SOC 2 Type 2 audits are demonstrating to their customers that they have comprehensive internal security controls in place and that these controls have been tested over time and proven to work. This is a major competitive differentiator in our increasingly dangerous cyber threat environment. Companies that have a choice between two cloud services vendors, one with an SOC 2 Type 2 and the other without, will choose the one with the certification.

How much does an SOC 2 audit cost?

The cost of an SOC 2 audit depends on your organization’s size, data environment, and current security controls, as well as the method your auditor uses to perform your SOC 2 audit. Lazarus Alliance utilizes Continuum GRC’s IT Audit Machine (ITAM), the number-one-ranked IRM GRC audit software solution for AICPA SOC audits, which allows us to get our clients from start to compliant quickly and effectively while dramatically reducing their costs.