Ransomware as a service

Last updated

Ransomware as a service (RaaS) is a cybercrime business model where ransomware operators write software and affiliates pay to launch attacks using said software. [1] Affiliates do not need to have technical skills of their own but rely on the technical skills of the operators. [2]

Contents

The "ransomware as a service" model is a cybercriminal variation of the "software as a service" business model. [3]

Revenue models

Affiliates can choose from different revenue models, including monthly subscriptions, affiliate programs, one-time license fees, and pure profit sharing. The most advanced RaaS operators provide portals that allow their subscribers to track the status of infections, payments, and encrypted files. This level of support and functionality is similar to legitimate SaaS products. [4]

The RaaS market is highly competitive, with operators running marketing campaigns and developing websites that mimic legitimate companies. The global revenue from ransomware attacks was approximately $20 billion in 2020, highlighting the significant financial success of RaaS. [3]

Microsoft Threat Intelligence Centre (MSTIC) regards RaaS as different from previous forms of ransomware as it no longer has a tight link between tools, initial entry vector and payload choices. [5] They regard them as having a double threat - both encrypting data and exfiltrating it and threatening to publish it. [5]

Extortion methods

Ransomware threat actors use different techniques to extort money from victims. Some of the main methods include:

Double extortion

In a double extortion ransomware attack, the threat actors first encrypt the victim's data. They then threaten to publicly release exfiltrated data if the ransom is not paid. This puts additional pressure on the victim to pay the ransom to avoid having sensitive data leaked. [6]

According to analysis from cybersecurity firm Zscaler, 19 ransomware families adopted double or multi-extortion approaches in 2021. By 2022, this number grew to 44 families using this technique. Groups like Babuk and SnapMC pioneered double extortion ransomware. Other actors like RansomHouse, BianLian, and Karakurt later adopted it as well. [6]

Multiple extortion

Multiple extortion is a variant of double extortion. In addition to encrypting data and threatening to leak it, threat actors also launch DDoS attacks against the victim's website or infrastructure. This adds another element to pressure victims into paying. [6]

Pure extortion

In a "pure extortion" or "encryption-less ransomware" attack, the threat actors exfiltrate sensitive data but do not encrypt any files. They threaten to publish the stolen data online if the ransom is not paid. This approach allows threat actors to skip the complex technical work of developing encryptors. [6]

Groups like LAPSUS$ and Clop have used pure extortion techniques in high-profile attacks. Since victims' systems are not locked, this method tends to cause less disruption and draws less attention from authorities. However, the financial impact on targeted organizations can still be severe. [6]

Main actors

Several well-known examples of RaaS kits include Hive, DarkSide, REvil (also known as Sodinokibi), Dharma, and LockBit. These operators continually evolve and create new iterations of ransomware to maximize their impact. [7]

Examples of RaaS kits include Locky, Goliath, Shark, Stampado, Jokeroo and Encryptor. [1]

Hive garnered attention in April 2022 when they targeted Microsoft's Exchange Server customers. The US Department of Justice seized two servers belonging to Hive, disrupting their operations. [3]

DarkSide primarily targeted Windows machines but has expanded to Linux systems. They gained notoriety in the Colonial Pipeline incident, where the organization paid nearly $5 million to a DarkSide affiliate. [3]

REvil is associated with PINCHY SPIDER and became known for demanding one of the largest ransoms on record: $10 million. [3]

See also

Related Research Articles

Ransomware is a type of cryptovirological malware that permanently blocks access to the victim's personal data unless a ransom is paid. While some simple ransomware may lock the system without damaging any files, more advanced malware uses a technique called cryptoviral extortion. It encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them. In a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is an intractable problem, and difficult-to-trace digital currencies such as paysafecard or Bitcoin and other cryptocurrencies are used for the ransoms, making tracing and prosecuting the perpetrators difficult.

Cryptovirology refers to the study of cryptography use in malware, such as ransomware and asymmetric backdoors. Traditionally, cryptography and its applications are defensive in nature, and provide privacy, authentication, and security to users. Cryptovirology employs a twist on cryptography, showing that it can also be used offensively. It can be used to mount extortion based attacks that cause loss of access to information, loss of confidentiality, and information leakage, tasks which cryptography typically prevents.

An advanced persistent threat (APT) is a stealthy threat actor, typically a state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period. In recent times, the term may also refer to non-state-sponsored groups conducting large-scale targeted intrusions for specific goals.

The CryptoLocker ransomware attack was a cyberattack using the CryptoLocker ransomware that occurred from 5 September 2013 to late May 2014. The attack utilized a trojan that targeted computers running Microsoft Windows, and was believed to have first been posted to the Internet on 5 September 2013. It propagated via infected email attachments, and via an existing Gameover ZeuS botnet. When activated, the malware encrypted certain types of files stored on local and mounted network drives using RSA public-key cryptography, with the private key stored only on the malware's control servers. The malware then displayed a message which offered to decrypt the data if a payment was made by a stated deadline, and it threatened to delete the private key if the deadline passes. If the deadline was not met, the malware offered to decrypt data via an online service provided by the malware's operators, for a significantly higher price in bitcoin. There was no guarantee that payment would release the encrypted content.

REvil was a Russia-based or Russian-speaking private ransomware-as-a-service (RaaS) operation. After an attack, REvil would threaten to publish the information on their page Happy Blog unless the ransom was received. In a high profile case, REvil attacked a supplier of the tech giant Apple and stole confidential schematics of their upcoming products. In January 2022, the Russian Federal Security Service said they had dismantled REvil and charged several of its members.

Ryuk is a type of ransomware known for targeting large, public-entity Microsoft Windows cybersystems. It typically encrypts data on an infected system, rendering the data inaccessible until a ransom is paid in untraceable bitcoin. Ryuk is believed to be used by two or more criminal groups, most likely Russian, who target organizations rather than individual consumers.

A global wave of cyberattacks and data breaches began in January 2021 after four zero-day exploits were discovered in on-premises Microsoft Exchange Servers, giving attackers full access to user emails and passwords on affected servers, administrator privileges on the server, and access to connected devices on the same network. Attackers typically install a backdoor that allows the attacker full access to impacted servers even if the server is later updated to no longer be vulnerable to the original exploits. As of 9 March 2021, it was estimated that 250,000 servers fell victim to the attacks, including servers belonging to around 30,000 organizations in the United States, 7,000 servers in the United Kingdom, as well as the European Banking Authority, the Norwegian Parliament, and Chile's Commission for the Financial Market (CMF).

FIN7, also called Carbon Spider, ELBRUS, or Sangria Tempest, is a Russian criminal advanced persistent threat group that has primarily targeted the U.S. retail, restaurant, and hospitality sectors since mid-2015. A portion of FIN7 is run out of the front company Combi Security. It has been called one of the most successful criminal hacking groups in the world. FIN7 is also associated with GOLD NIAGARA, ITG14, ALPHV and BlackCat.

DarkSide is a cybercriminal hacking group, believed to be based in Russia, that targets victims using ransomware and extortion; it is believed to be behind the Colonial Pipeline cyberattack. It is thought that they have been able to hack and extort money from around 90 companies in the USA alone. The group provides ransomware as a service.

Conti is malware developed and first used by the Russia-based hacking group "Wizard Spider" in December, 2019. It has since become a full-fledged ransomware-as-a-service (RaaS) operation used by numerous threat actor groups to conduct ransomware attacks.

Wizard Spider, also known as Trickbot, DEV-0193, UNC2053, or Periwinkle Tempest, is a cybercrime group based in and around Saint Petersburg in Russia. Some members may be based in Ukraine. They are estimated to number about 80, some of them may not know they are employed by a criminal organisation.

Vice Society is a hacking group known for ransomware extortion attacks on healthcare, educational and manufacturing organizations. The group emerged in the summer of 2021 and is believed to be Russian-speaking. Vice Society uses double extorsion and does not operate a ransomware as a service model.

<i>The Ransomware Hunting Team</i> 2022 nonfiction book by Renee Dudley and Daniel Golden

The Ransomware Hunting Team: A Band of Misfits' Improbable Crusade to Save the World from Cybercrime is a 2022 nonfiction book on computer security by Renee Dudley and Daniel Golden. It was published in the United States in October 2022 by Farrar, Straus and Giroux, and is about a group of volunteer freelance computer experts who crack ransomware and help victims recover their data without them having to yield to extortion. Sections of this book had previously featured in a ProPublica podcast, The Extortion Economy: Exploring the Secret World of Ransomware, in December 2021.

Hive was a ransomware as a service (RaaS) operation carried out by the eponymous cybercrime organization between June 2021 and January 2023. The group's purpose was to attack mainly public institutions to subsequently demand ransom for release of hijacked data.

Clop is a cybercriminal organization known for its multilevel extortion techniques and global malware distribution. It has extorted more than $500 million in ransom payments, targeting major organizations worldwide. Clop gained notoriety in 2019 and has since conducted high-profile attacks, using large-scale phishing campaigns and sophisticated malware to infiltrate networks and demand ransom, threatening to expose data if demands are not met.

<span class="mw-page-title-main">LockBit</span> Criminal hacking organization

LockBit is a cybercriminal group proposing ransomware as a service (RaaS). Software developed by the group enables malicious actors who are willing to pay for using it to carry out attacks in two tactics where they not only encrypt the victim's data and demand payment of a ransom, but also threaten to leak it publicly if their demands are not met.

Royal is a cybercriminal ransomware organization known for its aggressive targeting, its high ransom demands, and its use of double extortion. Royal does not use affiliates.

BlackCat, also known as ALPHV and Noberus, is a ransomware family written in Rust. It made its first appearance in November 2021. By extension, it is also the name of the threat actor(s) who exploit it.

The U.S. Ransomware Task Force (RTF), also known as the Joint Ransomware Task Force, is an interagency body that leads the American government's efforts to address the threats of ransomware attacks. It is jointly headed by the Department of Homeland Security’s cyber arm, the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation.

Rhysida is a ransomware group that encrypts data on victims' computer systems and threatens to make it publicly available unless a ransom is paid. The group uses eponymous ransomware-as-a-service techniques, targets large organisations rather than making random attacks on individuals, and demands large sums of money to restore data. The group perpetrated the notable 2023 British Library cyberattack and Insomniac Games data dump. It has targeted many organisations, including some in the US healthcare sector, and the Chilean army.

References

  1. 1 2 Baker, Kurt (2023-01-30). "Ransomware as a Service (RaaS) Explained How It Works & Examples". Crowdstrike . Retrieved 2023-02-11.
  2. Palmer, Danny (2021-03-04). "Ransomware as a service is the new big problem for business". ZDnet . Retrieved 2023-02-11.
  3. 1 2 3 4 5 "What is Ransomware as a Service (RaaS)? - CrowdStrike". crowdstrike.com. Retrieved 2023-07-10.
  4. "What is Ransomware as a Service (RaaS)? - CrowdStrike". crowdstrike.com. Retrieved 2023-07-10.
  5. 1 2 "Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself". Microsoft Threat Intelligence Centre. 2022-05-09. Retrieved 2023-02-11.
  6. 1 2 3 4 5 Ross Kelly (2023-06-29). "Encryption-less ransomware: Warning issued over emerging attack method for threat actors". ITPro. Retrieved 2023-07-31.
  7. Baker, Kurt (2023-01-30). "Ransomware as a Service (RaaS) Explained How It Works & Examples". Crowdstrike . Retrieved 2023-02-11.

See also

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.