Software Engineering Institute

The proliferation of tools and techniques to disrupt enterprise systems has evolved from those capable of supporting merely opportunistic attacks to those enabling targeted attacks. Furthermore, attackers continue to develop methods for monetizing their efforts, resulting in ransomware, a very disruptive threat to business as well as governmental departments and agencies. Ransomware developers are now selling their tools as a service, enabling attackers (individual criminals, organized crime, ideological hackers, or nation-state teams, all hereafter referred to as affiliates) to use tools they do not build or maintain to attack vulnerable systems.

In the last few years we have seen a rise of successful ransomware affiliates that purchase the malware that they use and incorporate it into a ransomware tool chain that is targeted to a specific victim. These attackers lock victims out of their own data, usually by encrypting it, and attempt to extort money to restore the victim’s access to the enterprise data under threat of data destruction or disclosure as a response for non-payment. Recent high-profile cases, including attacks attest to the seriousness of the problem. In each case, the victims suffered operational disruptions with monetary losses.

This report, loosely structured around the NIST Cybersecurity Framework, seeks to frame an approach for defending against Ransomware-as-a-Service (RaaS) as well as direct ransomware attacks.