The Ransomware as a Service (RaaS)

Ransomware is evolving from a linear attack model to an insidious Ransomware as a Service (RaaS) model: attackers are increasingly focusing on program development, while letting third parties identify victims and deploy malicious software.

 

What is Ransomware as a Service?

Ransomware as a Service (RaaS) is a business model used by ransomware developers, in which they lease ransomware variants in the same way that legitimate software developers lease SaaS products. 

RaaS gives everyone, even people without much technical knowledge, the ability to launch ransomware attacks just by signing up for a service.

RaaS kits allow malicious actors lacking the skill or time to develop their own ransomware variants to be up and running quickly and affordably. 

They are easy to find on the dark web, where they are advertised in the same way that goods are advertised on the legitimate web.

A RaaS kit can include 24/7 support, user reviews, forums, and other customer support features. 

The price of RaaS kits can range from $40 a month to several thousand dollars – insignificant amounts, considering that the average ransom demand in 2020 was $170,404 and trending upward (source: “The State of Ransomware 2021” – Sophos).

 

How the RaaS Model Works

There are four common RaaS revenue models:

• Monthly subscription for a flat fee

• Affiliate programs, which are the same as a monthly fee model but with a percent of the profits (typically 20-30%) going to the RaaS operator

• One-time license fee with no profit sharing

• Pure profit sharing

A customer simply logs into the RaaS portal, creates an account, pays with Bitcoin, enters details on the type of malware they wish to create and clicks the submit button. 

Subscribers may have access to support, communities, documentation, feature updates, and other benefits identical to those received by subscribers to legitimate SaaS products. 

The most sophisticated RaaS operators offer portals that let their subscribers see the status of infections, total payments, total files encrypted and other information about their targets.

The RaaS market is competitive. In addition to RaaS portals, RaaS operators run marketing campaigns and have websites that look exactly like your own company’s campaigns and websites. 

RaaS is business, and it’s big business: total ransomware revenues in 2020 were around $20 billion in 2020, up from $11.5 billion the previous year.

Some well-known examples of RaaS kits include Locky, Goliath, Shark, Stampado, Encryptor and Jokeroo, but there are many others and RaaS operators regularly disappear, reorganize and re-emerge with newer and better ransomware variants.

 

Examples of RaaS

DarkSide

DarkSide operators traditionally focused on Windows machines and have recently expanded to Linux, targeting enterprise environments running unpatched VMware ESXi hypervisors or stealing vCenter credentials. 

On May 10, the FBI publicly indicated the Colonial Pipeline incident involved the DarkSide ransomware. 

It was later reported Colonial Pipeline had approximately 100GB of data stolen from their network, and the organization allegedly paid almost $5 million USD to a DarkSide affiliate.

REvil

REvil, also known as Sodinokibi, was identified as the ransomware behind one of the largest ransom demands on record: $10 million. 

It is sold by criminal group PINCHY SPIDER, which sells RaaS under the affiliate model and typically takes 40% of the profits.

PINCHY SPIDER warns victims of the planned data leak, usually via a blog post on their DLS containing sample data as proof, before releasing the bulk of the data after a given amount of time. 

REvil will also provide a link to the blog post within the ransom note. 

The link displays the leak to the affected victim prior to being exposed to the public. 

Upon visiting the link, a countdown timer will begin, which will cause the leak to be published once the given amount of time has elapsed.

Dharma

Dharma ransomware attacks have been attributed to a financially motivated Iranian threat group. 

This RaaS has been available on the dark web since 2016 and is mainly associated with remote desktop protocol (RDP) attacks. 

Attackers usually demand 1-5 bitcoins from targets across a wide range of industries.

Dharma is not centrally controlled, unlike REvil and other RaaS kits.

Because Dharma attacks are nearly identical, threat hunters are not able to use an incident to learn much about who is behind a Dharma attack and how they operate.

LockBit

In development since at least September 2019, LockBit is available as a RaaS, advertised to Russian-speaking users or English speakers with a Russian-speaking guarantor. 

In May 2020, an affiliate operating LockBit posted a threat to leak data on a popular Russian-language criminal forum.

In addition to the threat, the affiliate provides proof, such as a screenshot of an example document contained within the victim data. 

Once the deadline passes, the affiliate is known to post a mega[.]nz link to download the stolen victim data. 

 

Preventing RaaS Attacks

Recovery from a ransomware attack is difficult and costly, and as a result it’s best to prevent them entirely. 

The steps to prevent a RaaS attack are the same as preventing any ransomware attack, because RaaS is just ransomware packaged for ease of use by anyone with ill intent:

• Implement reliable and modern endpoint protection that can work on advanced algorithms and works automatically in the background around the clock

• Perform regular and frequent backups. If a backup is only performed every weekend, a ransomware attack could cost an entire week of work product

• Make multiple backups and store them on separate devices in different locations

• Test backups regularly to ensure they can be retrieved

• Maintain a rigorous patch program to protect from known and unknown vulnerabilities

• Segment the network to hinder proliferation across the environment

• Implement advanced anti-phishing protection

• Invest in user training and build a culture of security

For companies:

• Train staff in the conscious use of IT tools; educate them to be prudent in opening emails and attachments, surfing the internet, and managing security credentials

• Keep all systems updated and monitored, from network devices to servers, PCs and devices connected to your data network

• Use reliable anti-virus and anti-malware solutions

• Establish adequate IT security policies in work and data flow

• Establish and monitor an efficient backup system

All this could make the difference: work peacefully and focus on the productivity of your company or fight with data loss, work stoppages, economic losses and damage to image. 

Being aware of the actions to secure your company often means being aware of not being able to evaluate on your own the goodness of the actions taken. 

For this reason it becomes essential to contact a qualified cybersecurity consultant. 

It is understood that exploiting tools such as the vulnerability assessment helps companies to identify all kinds of security flaws.

1
1