Ransomware As A Service: The Latest, Biggest Risk To Your Business

The IT industry has a well-deserved reputation for being fast-moving. What was new one day is old the next – and although in our individual businesses we may not feel the effect of that change day-to-day, we can usually look back and see obvious changes.

For example, nowadays everyone has a smartphone, but the iPhone itself is only (“only”) 14 years old. Using Zoom and Teams for meetings used to be a rarity. Most businesses had a physical server in the office for storing files and emails, and now virtually every business has theirs in the cloud.

With all of the technology that we use and can’t imagine not using, there came and went what Malcolm Gladwell called “The Tipping Point” – the idea that with anything in common use there was a day when those things were rare as hen’s teeth and noteworthy, and then virtually the next day they were ubiquitous and everywhere.

What happens as far as the customer is concerned is that any product (whether IT or not) goes through an “innovation adoption lifecycle” where the product at first has no users, but slowly gets taken up by a small number of early adopters – those people who like tinkering, or playing around with products to get them working properly. Once the early adopters get the product looking better, the first wave of “majority adopters” take it up, having seen the efficacy of the product proven by the early adopters. Then come the “late majority”, and eventually we get to the “laggards” or long-term holdouts. At some point in that process, we get past the tipping point.

However, structurally behind the scenes the IT industry is hugely motivated to get their products to reach and then get past the tipping point – there is no money to be made in niche products; the real money gets made when a product goes mainstream. If we go a bit further down the rabbit hole, what we have underneath the software that “normal” people use is a whole class (or “genre”) of technology products that gets built to support development of that software.

For example, we all now use cloud-based software in our businesses – for things like email, CRM, video conferencing, accounting, etc. It’s relatively rare to use software that we have to physically install, usually all we need is Windows (or macOS), an internet connection, and a web browser. In order for this to happen, there has to be a huge swathe of products built and sold that are foundational, i.e. products that underpin development of software that is sold to normal people. (A builder doesn’t really need to know how a brick is made to build a house, but somewhere underneath all that there’s a whole industry of companies that build machines that make bricks.)

Within the industry, we tend to call this type of underpinning software by the name “as a service”. The purpose of “as a service” is that it is intended to strip away a lot of the complexity around doing difficult things – the vendor takes some money and provides the customer with some magical service that does something inherently complex without the customer needing to know exactly how it is done.

This is an important mechanism in how software is built – or rather an important mechanism in how the end customer, e.g. a normal person running a normal business, receives the value and functionality that they want from their software. “As a service” dramatically reduces the complexity involved in software engineering by making it possible to hand over a lot of the heavy lifting involved in software construction to a third party. “As a service” gets you better software, and at a lower cost.

In reality, it’s difficult to overstate the importance of this shift to “as a service” thinking. Amazon earned $13.5 billion in profit in 2020 providing “infrastructure as a service” to software companies. Not sales — profit.

Where this comes back to a normal person running a normal, non-techie, business is that we are now starting to see the first “blossoms” of “ransomware as a service” – and this is something that should get everyone worried.

Ransomware is already a huge problem for businesses, but today the impact is relatively minor. You do have to be quite unlucky to get hit by a ransomware attack – you can think of your business getting hit by one as something of an “early adopter” scenario.

The reality is that today ransomware is hard to build and hard to run – so if you get hit by it, someone somewhere has lucked out. “Ransomware as a service” though looks to “productise” ransomware attacks by delivering an easy-to-use, cheap software platform that anyone can use to deliver an attack. All the would-be hacker has to do is visit a website on the “dark web”, put in a (stolen) credit card number or transfer some Bitcoin, select their victims from a list, and wait for the money to roll in. Everyone wins – well, apart from the victim – in particular the developers of the “ransomware as a service” platform get a huge influx of cash and an equally huge growth in market potential. Like all good commercial software endeavours, this cash can flow straight back into R&D and product development, making the ransomware as a service platform more reliable, cheaper, and more capable.

What all this means is that we are fast approaching the tipping point of a new breed of ransomware, where it’ll stop being an issue of “if” you get affected by it to “when”.

In my experience, most businesses do not do enough to properly understand the threat of ransomware and put up protections against it. It’s worth getting started on that process today.

By Matthew Reynolds