Think of RaaS as a franchise model for cybercrime. The core RaaS operators are highly skilled developers who create and maintain the ransomware malware, handle payment infrastructure, and manage a “customer support” desk for victims. They then recruit and sell access to this toolkit to a network of affiliates, who are responsible for conducting the actual attacks, infiltrating networks, and deploying the ransomware.
The operators and affiliates share the profits, typically on an 80/20 split, with the affiliate keeping the larger share. This model has professionalised ransomware, allowing less-skilled actors to execute highly effective campaigns.
The Latest RaaS Trends in the ANZ Region
The ANZ threat landscape is changing rapidly. Here are the key trends that Orro’s threat intelligence team is observing.
The Proliferation of “Double Extortion” ⚠️
Beyond simply encrypting data, RaaS affiliates are now routinely stealing sensitive data before encrypting it. They then threaten to publicly leak the data on the dark web if the ransom is not paid. This double extortion tactic puts immense pressure on a victim, as they face not just operational downtime but also severe reputational damage, regulatory fines under the Notifiable Data Breaches (NDB) scheme, and a complete loss of customer trust.
- Example: RaaS groups like Akira and Qilin have been particularly active in the ANZ region, using this tactic to target a wide range of industries including healthcare and financial services, where sensitive data is a goldmine.
Exploiting Supply Chain and Cloud Vulnerabilities
RaaS affiliates have shifted their focus to targeting the weakest links in an organisation’s network. This often includes a company’s managed service providers (MSPs) or third-party software vendors. By compromising one trusted vendor, they gain a foothold to launch attacks against multiple downstream customers. Attacks targeting cloud infrastructure are also increasing, as misconfigurations and stolen credentials provide a direct path to sensitive data.
- Example: A supply chain compromise could allow an attacker to gain access to a software vendor’s platform. They can then push a malicious update to all of the vendor’s customers, effectively distributing ransomware through a trusted channel. This kind of attack is on the rise and poses a significant risk to interconnected industries.
Increased Speed and Sophistication
RaaS toolkits are becoming more sophisticated, allowing affiliates to move from initial access to full-scale data encryption in a matter of hours, rather than days or weeks. This drastically reduces the time a security team has to detect and respond to a threat. The use of AI-powered phishing has made social engineering attacks more convincing than ever, with highly tailored messages that are difficult to spot.
- Key Indicator: The rapid evolution of RaaS toolkits has led to a constant change in the most prominent groups. While some years ago Conti and LockBit were dominant, new groups like Akira and INC Ransom are now rising in prominence, indicating a highly adaptable and competitive criminal ecosystem.
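As an added illustration of the double extortion and speed trends described above (example code written for this page, not Orro's tooling or anything from the original post), the following Python sketch links the two telemetry signals those phases leave behind: a bulk outbound transfer from a host, followed within hours by a burst of file renames to a single new extension. The log format, the thresholds and the sample lines are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Illustrative thresholds (assumptions; tune to your own baseline).
EXFIL_BYTES = 1_000_000_000           # >= 1 GB to one external address...
EXFIL_WINDOW = timedelta(hours=1)     # ...within an hour = bulk exfiltration
RENAME_COUNT = 50                     # >= 50 renames to one new extension...
RENAME_WINDOW = timedelta(minutes=5)  # ...within 5 min = encryption in progress
LINK_WINDOW = timedelta(hours=6)      # exfil followed by encryption inside this

def parse(line):
    # '<iso-time> <host> <event> k=v ...' -> (time, host, event, {k: v})
    ts, host, event, *kv = line.split()
    return datetime.fromisoformat(ts), host, event, dict(p.split("=", 1) for p in kv)

def detect(log_text):
    """One alert per host where bulk exfil is followed by a mass-rename burst."""
    exfil_at, alerts = {}, []          # host -> time the exfil threshold was crossed
    sends = defaultdict(list)          # (host, dst) -> [(time, bytes)] inside window
    renames = defaultdict(list)        # (host, ext) -> [time] inside window
    for ts, host, event, f in map(parse, log_text.splitlines()):
        if event == "net_out":
            key = (host, f["dst"])
            sends[key] = [(t, b) for t, b in sends[key] if ts - t <= EXFIL_WINDOW]
            sends[key].append((ts, int(f["bytes"])))
            if sum(b for _, b in sends[key]) >= EXFIL_BYTES:
                exfil_at.setdefault(host, ts)
        elif event == "file_rename":
            ext = f["new"].rsplit(".", 1)[-1]
            key = (host, ext)
            renames[key] = [t for t in renames[key] if ts - t <= RENAME_WINDOW]
            renames[key].append(ts)
            if (len(renames[key]) >= RENAME_COUNT and host in exfil_at
                    and ts - exfil_at[host] <= LINK_WINDOW
                    and all(a["host"] != host for a in alerts)):
                alerts.append({"host": host, "extension": ext,
                               "exfil_at": exfil_at[host].isoformat(),
                               "encrypt_at": ts.isoformat()})
    return alerts

# Constructed sample telemetry (not from any real incident): FS01 pushes 2.5 GB
# out, then renames 60 files to .lockd; WS07 is ordinary activity.
SAMPLE_LOG = "\n".join([
    "2025-03-01T01:05:00 FS01 net_out dst=203.0.113.10 bytes=400000000",
    "2025-03-01T01:20:00 FS01 net_out dst=203.0.113.10 bytes=900000000",
    "2025-03-01T01:40:00 FS01 net_out dst=203.0.113.10 bytes=1200000000",
    "2025-03-01T02:00:00 WS07 net_out dst=198.51.100.5 bytes=2000000",
    "2025-03-01T02:01:00 WS07 file_rename old=notes.txt new=notes.txt.bak",
] + [f"2025-03-01T03:10:{i:02d} FS01 file_rename old=f{i}.docx new=f{i}.docx.lockd"
     for i in range(60)])
```

Running `detect(SAMPLE_LOG)` returns a single alert for FS01 and nothing for WS07. In production a rename burst on its own should still page the SOC; the point of linking the two phases is that the exfiltration signal arrives hours earlier, which is the detection window the speed trend is shrinking.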
How to Protect Your Business from RaaS
Defending against the modern RaaS threat requires a multi-layered, proactive security strategy. The old-school approach of “just a firewall” is no longer enough.
- Implement the Essential Eight: The ACSC’s Essential Eight is a foundational step. Controls like Multi-Factor Authentication (MFA) on all remote access and key accounts, as well as a robust patching policy, are your best defences against initial compromise. Recent data suggests attackers are now using sophisticated methods to bypass MFA, underscoring the need for advanced endpoint protection.
- Enforce Zero Trust Principles: Assume that a breach is inevitable. Implement network segmentation to contain a potential attack and limit the lateral movement of an attacker. Monitor all network activity and verify every request, regardless of its origin.
- Prioritise Incident Readiness: Have a detailed and well-rehearsed Incident Response Plan. You need a clear chain of command and pre-defined actions for isolating systems and communicating with stakeholders. Regular tabletop exercises simulating a ransomware attack can be a game-changer.
- Secure Your Supply Chain: Vet your third-party vendors’ security postures. Ensure they have strong security controls and contractual obligations to notify you of a breach.
At Orro, we provide the technology and expertise to combat these trends. Our Managed Security Services offer 24/7 monitoring and response from our Australian-based SOCs, ensuring we can detect and neutralise threats before they cause significant damage. We help businesses not only build strong defences but also develop the resilience needed to recover from an attack, giving you peace of mind in an increasingly hostile cyber environment.