Ransomware-as-a-Service (RaaS) is a fairly new threat in cybersecurity. Similar in structure to software-as-a-service (SaaS), this illegal and increasingly popular business model leases or sells ransomware variants to anyone willing to pay the fee. RaaS has traditionally lived in underground forums on the dark web, but it is becoming very popular for RaaS providers to use chat apps such as Telegram to communicate and spread malware.
Ransomware developers have learned it’s less risky and less labor intensive if they create malicious software and sell or lease it to less-skilled hackers than if they perform the attacks themselves. For those who want to commit cybercrime but don’t have advanced knowledge of coding, RaaS gives them all the tools they need to execute the malware. Some RaaS operators offer solutions so easy to use that almost anyone can use them to create a successful attack. In fact, there are initial access brokers who charge a fee to remove all technical requirements from the picture and facilitate network access in the first stage of a ransomware attack. Essentially, anybody willing to pay for RaaS can launch an attack.
According to the IBM Security Data Breach Report 2022, the first known attack using RaaS occurred in 2016, and in the six years since then, RaaS has grown to account for 11% of all cybersecurity attacks.1 The study also found that it takes 287 days to identify a ransomware threat and 87 days to repair the damage done, costing companies an average of $4.62 million per breach.
Illegal in most countries, RaaS operations have been found in Russia, China, North Korea, Iran, and Cuba, as well as in countries where rule of law is not enforced.
You may have heard of these popular RaaS attacks:
Dharma
LockBit
DarkSide
REvil
This list will continue to grow as other malicious actors pursue this highly lucrative business model.
RaaS operators typically offer affiliate arrangements via a monthly fee or profit sharing, and they may even sell the ransomware outright.The monthly cost for an affiliate subscription runs from under $50 per month to several thousands of dollars per month, depending on the sophistication of the package offered. Designed for the inexperienced hacker, RaaS operators deliver the exploit code and customized do-it-yourself toolkits to non-technical affiliates who use it to deploy malicious malware attacks.
Potential affiliates visit the RaaS company’s website on the dark web, create an account, and pay the fee. Next, they share the specifics of what they want to accomplish, including:
The kind of exploit they want to send
The type of encryption needed
The target operating system
Who the victim is
What the ransom demand will be
The text for the ransomware note
In turn, the RaaS developer:
Reviews the request
Creates exploit code according to the affiliate’s stated specifications
Delivers the easy-to-use ransomware toolkit to the affiliate
A typical RaaS toolkit contains the ransomware exploit code and a variety of other helpful tools or services for the affiliate, such as:
24/7 customer support
Software updates
User forums
User reviews
How-to-videos
Step-by-step instructions
A knowledge base
Live expert assistance
A dashboard to monitor attacks
It’s sometimes hard to remember that RaaS is 100% illegal because the business model feels so familiar. RaaS salespeople visit dark web forums and chat rooms to promote their service and recruit potential customers, their marketing departments run marketing campaigns, and they advertise bundles and special offers. While they may operate similarly to legitimate organizations, it’s important to remember their services are illegal and there are victims on the other end.
WHO ARE THE VICTIMS?
RaaS cybercriminals often choose victims in healthcare, educational systems, financial institutions, and all levels of government because they’re the most profitable targets due to the protected nature of the data they store.
RaaS scams usually spread to victims via social engineering and phishing. It can target single individuals, whole companies, or only certain parts of an organization (infecting laterally throughout the organization as time goes on).
A scam typically starts when the affiliate sends potential victims an email with an infected attachment or a link to an infected website, just like any other type of malware. If the victim falls for the scam, the malicious code steals and encrypts files, locks the device so it can’t be used, and sets up a ransom scenario where the victim must send money to get access to their files.
After receiving an ominous message like the one above, a chat box may pop up that allows the victim to communicate with the attacker. Within the chatbox, the attacker tells the victim exactly what they need to do to regain control of their computer and retrieve their files. This chat box is part of the affiliate’s customer support, which makes it seem oddly normal.
If the victim decides to pay the ransom the affiliate has demanded, the victim signs into a payment portal that belongs to the RaaS operator (not the affiliate). In the payment portal, the victim pays the ransom to the operator, usually in bitcoin. After the victim pays, the RaaS operator divides up the profits and gives the affiliate their agreed-upon percentage (the affiliate never touches the victim’s money).
If the victim doesn’t pay, depending on the intent of the attack, the hacker may release the victim’s information to a data leak website that sells it, or they may make it freely available on the dark web.
If the victim pays, the affiliate typically gives them a decryption key with instructions on how to get their files back–but since they are criminals, there is no guarantee that they’ll do what they promised. It’s possible that the victim could pay the ransom but never see their files again, or that their files will be unlocked but then sold on the dark web anyway. This is why protecting yourself against an attack in the first place is the best option.
RaaS operators have put malicious code into the hands of unskilled hackers, which has increased the number of attacks exponentially. Despite the increased scope and scale of threats, many companies remain unprotected and unprepared, leaving their employee and/or customer data at risk and vulnerable to these bad actors. To meet stakeholder expectations and due care obligations, the best defense is a good offense: Defend and protect your network, devices, and systems with smart user behavior and strong cybersecurity tools.
Reduce the likelihood of threats by:
Constantly monitoring your infrastructure
Segmenting your network so the threat of lateral attacks is mitigated
Conducting multiple regular and frequent backups saved on different devices and different locations (offsite) from the rest of the network
Testing and validating these backups
Practicing restoring critical systems such as domain controllers
Promoting a culture of security at your organization with employee awareness and training modules
Scheduling penetration testing that looks for vulnerabilities
Implementing multiple layers of protection, like multi-factor authentication
Set yourself up with top-notch pre-attack protection with:
Real-time, comprehensive cybersecurity software
Endpoint protection and response tools that look for abnormal processes and application behavior in your network, devices, workstations, etc.
Anti-phishing and anti-spoofing protection
Backups stored separately from production data so they can be used to restore operations
If you’re attacked:
Isolate the infected zone immediately, even if it means shutting down your entire system
Identify the entry point (phishing scam, out-of-date software, etc.)
Strengthen your security software
Reinforce user training
The RaaS business model has grown in popularity because it makes it easy for less-skilled cyber criminals to carry out their own sophisticated ransomware attacks on unsuspecting victims. The threat is growing, but cybersecurity professionals are working hard to train users and create solutions that find malicious ransomware before it can inflict damage.
Ping Identity can help you stay protected by adding additional layers of defense for some of the most common attack vectors. Learn more about Ping’s single sign-on solution and multi-factor authentication solution.
Source:
1IBM. IBM Security Data Breach Report 2022.
Related Resources
Start Today
Contact Sales
See how Ping can help you deliver secure employee, partner, and customer experiences in a rapidly evolving digital world.
Request a FREE Demo