Ransomware makes up a prominent percentage of cyber terror. Ransomware as a Service (RaaS) is an adapted business model.
In this article at Hackingloops, we will talk about the development and properties of RaaS, characteristics, models, variations, threat groups, and prevention methods. We will also talk about the beneficiaries of RaaS and give exposure to your liking.
Ransomware, malware, spyware, viruses, and injections, are some of the most common ways the cyber world terrorizes us. Ransomware has evolved and turned into a full-fledged business. Finding the RaaS variant is pretty easy as it is openly sold on the dark web.
In 2021, we saw the largest international meat producer, tech companies, and major fueling pipelines falling under ransomware threats. Threats increased compared to the previous year as the world fell victim to coronavirus and threat actors become more active. Businesses falling victim are more likely to pay a ransom to get back sensitive information nowadays. It is making RaaS an excellent business strategy for threat actors.
What is Ransomware as a Service (RaaS)?
Ransomware operators sell their products as full-fledged services to other threat actors. Those threat actors may lack the skills, resources, or time to develop a native version of Ransomware. It is then they seek help from ransomware operators who sell services in bulk.
Ransomware services are also sold in custom modules. It is easy to define targets, change its execution methods, etc. The ready-made version of Ransomware is available throughout the web, easily acquirable by literally anyone.
On a Sunday, JBS, the largest meat processing company globally, went through a rough cyber-attack compromising its business in North America and Australia. The company gave out a briefing that they suffered ransomware attacks. Even though the damage recovered quickly, it impacted meat prices to go higher.
Even large tech companies often fall under ransomware attacks. They lose terabytes of customer data, release information, remote codes, etc. This kind of targeted attack can easily cripple the functionality of any business or individual.
RaaS kit includes 24×7 support, user reviews, forums, offers, affiliates, and other similar services offered by SaaS providers. We see bundle packages with subscription purchases for many services used. RaaS tool kit works similarly but to victimize targeted potentials.
RaaS kit starts from $40 or $100 a month. Depending on complexity, functionality, and deliverables, it can expand up to thousands of dollars. In 2021, the average demand for the RaaS kit exceeded $6 million.
Carnegie Mellon University’s Software Engineering Institute (SEI) said Ransomware as a Service (RaaS) is “a new business model for ransomware developers.” They do not need to be the attacker nowadays and can profit from selling their Software and scripts to third parties. The arrangement includes ransomware amounts as part of the agreement. The agreed portion goes to the developer, and the rest is revenue.
Before, ransomware was only used by experienced attackers. who used their expertise and knowledge to cause conflict. As the ransomware ecosystem develops, script kiddies and attackers define themselves as developers who sell it as a service.
Some RaaS attacks are more complicated than others. APT-like sequencing, data capturing, encrypting, and locking backups are some of the advanced formats. Victims can fall into double extortion, some of which fall under RansomOps attacks. Unlike typical ransomware attacks, RansomOps attackers can amplify their damage and ask for more in ransom. It can exceed millions of dollars from a single capture point.
As RaaS kit is vastly available on the dark web. a non-programmer can easily purchase the gears and cause havoc. Similar to Software as a Service (SaaS), RaaS has subscription-based modules to victimize companies, large organizations, development firms, power grids, and government and private sectors.
The Ransomware as a Service (RaaS) Model
The RaaS model is diversified between RaaS operators and affiliates. RaaS affiliates and operators hide beneath the shield of the dark web. On the surface web, searching hard enough can hint typical sources too.
RaaS affiliates pay to use ransomware software and agree to pay as per collected ransom, which keeps the developers in check to make the most flawless and advanced programs. Operators give affiliates access to building their panel of Software, and affiliates ensure victims, demands, and configures to post-compromising messages.
The RaaS model has four primary models. According to CrowdStrike, they are:
- Monthly subscription model or a flat fee
- Affiliate programs pay after every successful execution. It may vary from 20%-30% of the revenue.
- One-time licensing fee.
- The pure profit-sharing model collaborates with affiliates and operators with the kit developers with a single goal.
There are tons of known unknown variants of RaaS. Let’s go through some of them to have better practical knowledge about them.
DarkSide is one of the core variants of RaaS and is, associated with the eCrime group and CARBON SPIDER. The RaaS was behind disruptions of some of the significant pipeline facilities. Windows machines are typical targets making up for most global computing operating systems. New Linux ecosystems who think they are safe by procuring the open-source likening system, unpatched VMware ESXi hypervisors, or vCenter credentials.
The Colonial Pipeline powers almost half of the fueling channels on the East Coast of the United States. On May 10, the FBI reported that it was behind the disruption. It caused the pipeline to lose almost 100GB of data, and the organization allegedly paid $5 million to an affiliate.
Even though every major country that dictates how the world’s critical tech infrastructure runs are falling victim to broken attack patterns. The diversified defense is not enough. A recent protocol came in where the United States, UK, and the European military of defense, government cyber security bodies, and a few other top decision-makers came to sign a pledge. The pledge was to fight global attacks in a single formation.
Formerly known as Sodinokibi, REvil is one of the most dangerous RaaS groups. The White House gave out a $10 million bounty for REvil attacker’s information.
REvil, ran by the Pinchy Spider criminal organization and Twisted Spider. They use the same Ransomware to cause havoc. Once infiltrated, they post on blogs or socials and warns victim to expose all the files gained through vulnerabilities.
On the other hand, REvil sets up a clickable link within the ransom note. If the victim can’t pay the ransom in time the leaks are going to the public attached to the timer.
Dharma RaaS protocol is relatively standard in the cyber threat department. Unlike centralized RaaS services such as REvil. Dharma is more accessible. According to cyber threat analysts, Dharma is a 100% match among all sample files. The primary source for Dharma remains Iranian threat groups and has been widely available on the dark web since 2016. Most of the time, Dharma is detected with remote desktop protocol (RDP) attacks. Ransom for Dharma victims remains widely available crypto such as BTC and ETH.
The only difference among the Dharma sample is the encryption keys which vary from victim to victim. Contact detail and a few other customizable identifiers are also variant differences. We may know how Dharma works and its protocols, but it is hard to detect its source.
LockBit remains one of the dangerous variants of RaaS attacks as it uses the double-extortion method. It encrypts data and threatens to leak if victims do not wish to pay. We started seeing LockBit turning into RaaS as early as 2019. LockBit is capable of automatically vetting for valuable targets, spreading infection, and encrypting every system in the network.
LockBit targets large enterprises and organizations with vast resources to protect. A minor breach can cause severe damage both to customers and the organization. The threat group behind LockBit is known to publish exploited data in Mega cloud drive once the ransom deadline passes.
Defending against Ransomware as a Service (RaaS) operations
Though the stages of defense are becoming harder and harder, it is not impossible. As they go after victims’ money, they are not good enough to do it themselves. They need someone or organizations to put it in their account. So, it is a form of low-level attack. Organizations following the latest cyber defense mechanism, upgrading components frequently, keeping the workforce in check, and constant monitoring help quite a bit.
The anti-ransomware protocol is now a default add-on with privacy protection software. The proper way to defend against RaaS is to know Indicators of Compromise (IOCs) and Indicators of Behavior (IOBs).
We can easily fight of RansomOps attacks if the activities are carefully monitored. It is essential to give the most attention to the critical asset, data for enterprises and SMBs.
We all know how costly and mind bothering it can be to recover files suffering from Ransomware. It is best to utilize available prevention methods against Ransomware as a Service (RaaS) rather than being vulnerable. IT managers perform frequent backups of their data. Reliable modern endpoint protection should be adequately managed but not be used as the sole protection mechanism. Multiple backups help if they are stored in a different place. Similar to the patches we receive in our applications, security patches, network segmentation, throughout monitoring should be there.
Last but not least, proper training of employees is crucial. We’ve seen a decline in RaaS and other malicious attacks because companies prioritized training their employees.