The emergence of ransomware-as-a-service (RaaS) has produced an eerily successful business model. It provides a would-be attacker with turnkey software that can easily be leveraged to stage attacks against businesses and home-based users.
If this makes ransomware sound scarier than you thought, you’re on the right track. The development of RaaS is arguably the biggest reason behind the rapid growth of ransomware attacks. And, as RaaS developers get more skilled in what they do, it raises a question: can Big Tech use the pages of RaaS-provider playbooks to combat this rise?
The RaaS Business Model
The developers of RaaS tech go to great lengths to keep interactions with their tools as simple as possible. This hides the underlying complexities within the products they sell and expands the available audience that can use ransomware tools. RaaS providers typically offer one or a combination of these four types of services:
- One-time fee with no profit sharing
- Strictly profit sharing
- Flat-rate subscription fee, typically on a monthly basis
- Programs where a percentage of the profits go to the RaaS developer
RaaS providers are often paid based on the results that their products generate for their customers. This keeps RaaS developers invested in customer success, resulting in closer relationships and the formation of strong partnerships. This has formed a foundation for building an agile business structure, making it possible to build and maintain momentum.
In addition to these flexible terms, RaaS providers have become known for providing exceptional customer service. Some provide updates to tools when new vulnerabilities are discovered. Others will provide detailed instructions to walk victims through paying via cryptocurrency. These contribute toward making it even easier for a would-be attacker to successfully launch a profitable attack on unsuspecting victims—in many ways come putting Big Tech companies to shame.
The Big Tech Conundrum in Responding to RaaS
The simplicity and ease involved in planning and executing a ransomware attack has placed Big Tech companies in a tight spot. The majority—Microsoft and Google in particular—work diligently to get patches out to their broad audiences as rapidly as possible. But despite these efforts, they are not as nimble as their RaaS counterparts.
A big part of this comes from a lack of understanding changes in the social and user behaviors which impact how customers use their products. This causes Big Tech to fall further behind their better-briefed and more agile RaaS developer counterparts.
RaaS developers understand how the mature business strategies of Big Tech companies hamper their responsiveness to customers and ability to respond to security flaws. These weaknesses, which the Bad Guys prey upon, include the knowledge that:
- Patching newly discovered vulnerabilities is reactive, not proactive
- Most operating system and software updates are subject to user interference
- Social and user behavior often work against, rather than for, Big Tech’s fight against ransomware
- The user-friendliness of Big Tech support channels is questionable at best
- The customer relationship ends shortly after a purchase, due in part to limited post-sales support options
The typical Big Tech focus on meeting future R&D targets, managing branding and staffing costs, and balancing post-sales support across multiple products, create a perfect storm of distractions not seen in the world of RaaS.
Lessons to Be Learned by Big Tech in a Ransomware World
There are some important lessons to be learned here by Big Tech companies. But given the discrepancies in how Big Tech companies work with their customers, versus the closer relationships built by RaaS providers, it will be an uphill climb. Here are some examples of what Big Tech can do to stay in step with the development efforts of ransomware architects.
- Make update and patching management as basic as possible for the typical end user
- Add and update one-liners to application splash screens or hints pages to educate users on common modes of social phishing used for initiating an attack
- Make customer service more accessible and easier to use. One example of a productive level of customer service among Big Tech is Apple’s model
- Become hypervigilant in how products and operating systems can be accessed by unauthorized parties. This is especially important when you consider that every vulnerability uncovered by a third party has already been targeted by malicious parties by the time it reaches the ear of the product owner
Hypervigilance, excellent customer service, and further simplification of customer-facing aspects of the security experience will go a long way toward helping Big Tech catch up with the RaaS community, and will help to make the world of connectivity a safer place.