Ransomware-as-a-Service (RaaS) is a cybercrime model in which ransomware developers sell or license their software to affiliates, who then carry out the actual attacks. Individuals with little or no technical know-how can thereby become active participants in a highly sophisticated ransomware operation.
RaaS runs much like any other Software-as-a-Service offering: user-friendly interfaces, tutorials, customer support, and tiered profit-sharing options for users interested in deploying the encryption software for potential profit.
How does it work?
RaaS works like any SaaS platform, but it lets a cybercriminal use pre-built tools without advanced coding or cybersecurity knowledge. This has contributed significantly to the broad increase in ransomware attacks, since it lowered the barrier to entry for perpetrators of this type of crime.
Selling via Dark Web Marketplaces
After being developed and properly packaged, the ransomware is sold or leased through dark web forums and underground marketplaces.
This functions along the same lines as legitimate e-commerce: detailed product descriptions, pricing options, user reviews, and in some cases customer support to answer any questions a potential buyer may have.
Several pricing options are used to entice new affiliates: most operators offer a subscription in which criminals pay a monthly fee, while less commonly the RaaS is sold for a one-time fee.
In many cases, RaaS uses a profit-sharing model whereby affiliates use the RaaS product free of charge but must share a specific percentage of the ransom payments.
Development of the Ransomware
At the core of RaaS is a talented development team that creates highly functional ransomware variants that are capable of encrypting files, avoiding security defenses, and requesting ransom payments.
They constantly update the malware so that it is not detected by antivirus programs and other cybersecurity solutions.
Noteworthy qualities of ransomware built for RaaS platforms include, but are not limited to, strong encryption algorithms, evasion techniques for bypassing security software and, in some cases, automated deployment options.
The latter lets affiliates distribute ransomware effortlessly while making restoration of affected files difficult for the victim, with recovery realistically possible only after paying the demanded ransom.
Recruitment of Affiliates
RaaS operators recruit individuals or groups interested in breaking into systems and conducting attacks through an affiliate program built around the provided ransomware. These affiliates range from complete novices to experienced hackers.
The RaaS operators often provide step-by-step guides, user dashboards, and even technical support to help affiliates launch their attacks successfully. Affiliates are responsible for finding targets and launching ransomware attacks by several different means.
Some RaaS operations govern their affiliates and prohibit them from attacking specific sectors, such as healthcare, or specific regions. Many affiliates disregard such restrictions. Either way, RaaS-based cyberattacks occur everywhere.
Ransom Demand and Payment
Once the ransomware successfully encrypts files on the victim's computer, a ransom note pops up on their screen, demanding that they pay a specified amount in cryptocurrency like Bitcoin or Monero in exchange for a decryption key.
Depending on the target, the ransom amount may be lower for individuals and very high for businesses. Many RaaS groups also adopt double extortion tactics: in addition to encrypting the files, they steal sensitive data before the encryption occurs.
If the victim refuses to pay, the attackers threaten to publish the stolen information, adding extra pressure to their demands.
Some groups also engage in triple extortion, demanding additional ransom amounts from third parties affected by the data breach, such as clients or business partners of the victim.
Deployment of Ransomware
Having obtained the ransomware, affiliates use varied ways to deploy the malware and infect victims' systems.
One of the most common attack vectors is phishing emails, in which cybercriminals trick victims into downloading ransomware through malicious attachments or links.
Others include exploiting vulnerabilities in outdated software, using compromised credentials to access systems through RDP, and placing malicious ads on legitimate websites (malvertising).
Most variants of ransomware are also spread through drive-by downloads, meaning that the user is infected simply by visiting a compromised website, which silently downloads trojans and other malware.
Top RaaS Variants
The Ransomware-as-a-Service model has been a real game changer, since it lets people with little knowledge or technical ability participate in cybercrime: many newcomers can now buy a kit or subscription that allows them to execute attacks without building the malware themselves.
RaaS has also hugely boosted the number of ransomware attacks around the globe. Here are some noteworthy RaaS variants that have hit both companies and individuals worldwide:
DarkSide
DarkSide operated a RaaS model, offering ransomware to affiliates and taking a cut of the ransom proceeds. The group claimed never to attack hospitals, non-profit organizations, or governments, though its attacks nonetheless disrupted critical infrastructure.
Although it ceased operating after the Colonial Pipeline incident, DarkSide was effectively succeeded by other ransomware groups that leveraged its code and operational model.
REvil (Sodinokibi)
REvil, also known as Sodinokibi, was founded in 2019 and quickly established itself as one of the most infamous RaaS operations to date, most likely because it evolved from the GandCrab ransomware family.
The group is known for multi-million-dollar ransom demands against the firms it targeted, and Sodinokibi is known for double extortion: encrypting all files and threatening to publicly release stolen data should demands not be met.
Attacks linked to REvil include those against JBS Foods and Kaseya.
LockBit
LockBit follows the affiliate model, in which attackers use its ransomware in exchange for a cut of the ransom they collect.
Unlike many other ransomware groups, LockBit constantly adds new features to its malware to make it more effective than before.
The group has also released LockBit 2.0 and LockBit 3.0, further improving its methods for delivering attacks and its encryption mechanisms.
LockBit has been linked with multiple attacks across the globe, positioning it among the most persistent and dangerous RaaS operations.
Maze
Maze pioneered the double extortion tactic: rather than only encrypting data, the group also stole sensitive information and threatened to leak it if the ransom was not paid.
Maze did in fact leak the stolen data of several victims after they refused to pay the ransom.
The group announced it would shut down in late 2020, but its techniques became the basis for operations by other groups such as Egregor and Sekhmet, carrying its legacy into the world of cybercrime in another form.
Conti
Conti was a highly organized ransomware group whose operation resembled that of a corporate entity.
Conti was responsible for some of the most high-profile attacks against hospitals, emergency services, law enforcement agencies, and big corporations, in some cases demanding ransoms of more than a million dollars.
A dramatic leak of Conti's internal communications and source code in 2022 exposed much about how the group operated, confirming that Conti ran like a business with development crews, negotiators, and affiliate managers.
Conti's attack on Costa Rican government institutions caused considerable disruption, and the Costa Rican government declared a national emergency.
Though Conti officially went dark, several of its former affiliates and members joined other ransomware groups, so its methods continued to appear in cyberattacks after its demise.
BlackMatter
BlackMatter emerged in 2021 as a successor to DarkSide, merging advanced encryption with evasion techniques. The group targeted large enterprises while claiming to avoid attacks on critical infrastructure.
BlackMatter attacked a number of sizable organizations, including agricultural companies and supply chain firms. One of the major attacks executed by BlackMatter targeted New Cooperative, a U.S. agricultural firm.
BlackMatter eventually went dark in late 2021 after intense scrutiny from cybersecurity firms and law enforcement. Many of its members very likely joined other ransomware operations.