
Mar 05 2025
Security

Ransomware as a Service Threat Grows Against Local Governments

Bad actors are monetizing Ransomware as a Service to make encryption malware more accessible to the masses; state and local agencies are in the crosshairs.

In 2022, the ALPHV Ransomware as a Service group attacked the city of Alexandria, La., with its malware. Two years later, LockBit ransomware bandits attacked Wichita, Kans. Once-novel RaaS gangs are increasing attacks against local governments, according to a raft of new cybersecurity threat reports.

In their 2025 ransomware predictions, Zscaler experts say that “the Ransomware as a Service model will continue to evolve with cybercrime groups specializing in designated attack tactics and stages.”

The SonicWall 2025 Cyber Threat Report shows an 8% increase in ransomware attacks across North America, noting that RaaS can lower the barrier for entry for cybercriminals, who don’t have to produce an attack from scratch.

“The growing sophistication of ransomware tools, including AI and Ransomware as a Service, has made multifront attacks much more accessible for even small-time threat actors.”

RaaS operations empower bad actors to exploit identified vulnerabilities very quickly, sometimes within 24 hours of their disclosure, SonicWall adds.

But what exactly is RaaS? How did its threat grow so quickly? And how can state and local governments defend themselves against it?


What Is Ransomware as a Service?

Ransomware as a Service gets its name from the nomenclature generally used for cloud services, says Adam Meyers, CrowdStrike senior vice president of counter-adversary operations. Just as a government may contract for a Software as a Service solution, such as Zendesk for help desk communications or Slack for internal messaging, criminals may turn to RaaS for a tool that they can use to attack government IT.

Circa 2014, bad actors largely attacked financial institutions seeking big paydays through wire transfers or credit cards. But they began deploying “crypto lockers” that would freeze a machine until the victim paid a ransom. In 2015, CrowdStrike began tracking a bad actor called Boss Spider.

“They pioneered the modern enterprise ransomware where they started targeting large organizations by blocking every system and then demanding increasingly higher payments. From there, other groups took notes and pivoted from traditional botnet activities to ransomware,” Meyers says.

Groups began creating malware similar to Tox, widely considered to be the first RaaS threat, and LockBit, which IBM identifies as one of the most pervasive RaaS variants.

“They recognized that they could do only so many ransomware operations at any given time,” Meyers says. “But if they opened up their ransomware, which had good cryptography and a good back end, then they could let other people use it for a fee, and so they got into revenue-sharing.”

With RaaS solutions, criminals don’t have to build their own ransomware. They can go to a threat group, use its RaaS kit and pay the creators a percentage of the ransom. “Now, we’ve got a whole mosaic of these Ransomware as a Service operators out there looking to generate revenue by building the ransomware and then letting others use it,” Meyers says.

How Has Ransomware as a Service Evolved Over Time?

Ransomware grew in sophistication in four stages to produce today’s RaaS threats, says Ryan Anschutz, North America head of incident response at IBM X-Force.

In the early days of ransomware, state and local governments saw mostly custom-built ransomware used in one-off attacks. Then, between 2016 and 2020, organized groups began leveraging ransomware for cyberattacks. These groups operated like a business and offered 24/7 support to their customers, who were individual attackers.

“That was really the jump into industrialization of Ransomware as a Service,” Anschutz says of this second stage.

Since 2020, RaaS has experienced two distinct stages of growth. In 2023, attackers began not only encrypting data but stealing it as well. “And when they steal it, they then threaten to leak the sensitive information if that ransom isn’t paid,” Anschutz says. Organized criminals thus sought to gain the most value from stolen data.

Beginning in 2023, RaaS experienced decentralization.

“Law enforcement has really cracked down a lot more efficiently and effectively on these threat actor groups,” Anschutz says. “And that has pushed these threat actors to shift their operating model to smaller, more agile groups. These groups have leveraged an affiliate model to try to stay resilient against disruption to a law enforcement takedown.”

State and local governments remain uniquely vulnerable to ransomware threats generally because many of them maintain aging IT infrastructure, he adds. They also have limited cybersecurity budgets that make it difficult to buy and deploy strong defenses.

“State and local governments have what we call high-impact services. Ransomware can disrupt essential services like 911 dispatch, emergency response and public utilities. That increases the pressure of state and local governments to maybe pay a ransom,” Anschutz says.

“Additionally, not only do we have high-impact services at the state and local level but the data sensitivity that state and local governments possess is very valuable to those threat actors. Governments store personal, financial and legal records that seem very valuable to attackers,” he adds.

How Can Local Governments Defeat Ransomware as a Service Attacks?

Citizens will pressure state and local governments running critical services to bring them back online more quickly if attacked by ransomware, which makes them attractive targets, IBM’s Anschutz says. Government agencies often lack a deep bench of cybersecurity resources and they may not have made significant cybersecurity investments.

“For every minute of downtime, you can figure out how much money you’re losing and so there’s this calculus that goes into how much downtime can we accept before it’s cheaper to pay,” he adds.

Meyers and Anschutz agree that regular cyber hygiene and training are key to defeating RaaS. Government IT administrators should run regular patch management to address vulnerabilities and to guard against bad actors attempting to deliver ransomware through established attack vectors like email phishing. Admins can defeat phishing emails by training government employees to spot and report them.

Meyers advises government organizations to adopt multifactor authentication for identity verification when logging in to systems. In addition, CrowdStrike, which pioneered endpoint detection and response technology, provides comprehensive threat detection and defense, scanning for anomalous activity such as ransomware attacks.

“Governments must strengthen their cybersecurity posture and bring it back to the basics,” Anschutz says. IBM X-Force works with governments to develop comprehensive response plans and to test and evaluate tools and tactics.

According to data from the Multi-State Information Sharing and Analysis Center, 16% of all ransomware attacks against state, local and tribal governments in 2022 were identified as attacks by LockBit, and many of those attacks targeted municipal and county governments as well as emergency services.


Will the Threat of Ransomware as a Service Grow Thanks to Artificial Intelligence?

When ALPHV attacked Alexandria, the group said that it stole 80GB of city data. LockBit knocked out payment systems for the Wichita city government and disabled the local airport’s Wi-Fi access. 

Does the rise of artificial intelligence empower these RaaS gangs to do even more damage? Meyers says bad actors will use AI for automation. They may discover vulnerabilities with AI scanners, but they are unlikely to “build ransomware” with AI.

Anschutz cautions that RaaS gangs will use AI to scale like businesses use AI to scale. “They use quick access to automation and large language models to more efficiently distribute or create phishing emails and other attacks,” he says.

With AI, bad actors may become more adept at social engineering, creating AI-generated voicemails and videos to impersonate government officials and to manipulate employees.

“AI is a double-edged sword, where attackers use it to enhance the cyberthreat, but as defenders and responders, we also leverage it to strengthen security postures,” Anschutz says.
