Subscription malware on the criminal fast track - already heard of Ransomware-as-a-Service?
by Svenja Koch
According to a study by the IT security provider Sophos, around half of the smaller companies surveyed in the study were affected by a cyber attack in 2020. For larger companies with 1,000 or more employees, this rate was even somewhat higher. Ransomware in particular, i.e. software that can encrypt data and whose release is usually only possible after payment of a ransom, is very high on the cybercriminals' popularity scale. Cyber attacks with malware of all kinds, phishing or even sophisticated Advanced Persistent Threats are not a new threat. The situation is quite different with a new "service" that is currently enjoying criminal success on the darknet and posing a new challenge to the IT security of companies worldwide. Ransomware-as-a-Service (RaaS) is the name of the new trend - and it can turn any petty criminal into a cyber extortionist in no time at all. This article explains what exactly Ransomware-as-a-Service is and what this form of cyber attack means for IT security.
Ransomware-as-a-Service: Cyber attacks made easy
Until now, cyber criminals had to have at least a minimum of programming skills to get malware onto the victims' computers. With Ransomware-as-a-Service, this minimum requirement is now no longer necessary - because the latest form of extortion software can be easily and conveniently rented on the Darknet. In principle, anyone with sufficient criminal energy can carry out cyberattacks - a mouse click is enough and the malware lands in the shopping basket.
How does the Ransomware-as-a-Service business model work?
In the software sector, rental models have long since ceased to be marginal. Whether it's Microsoft with its Office 365 package or Adobe with Photoshop and co.: more and more software providers are making it possible to rent their products. This service is convenient for users because they can access high-quality software that is always up to date. The software-as-a-service model is also lucrative for the providers, as they bind their customers to their own company in the long term. Cybercriminals are also jumping on the service bandwagon and using the darknet as a practical distribution channel for their malware. Without any technical skills, anyone can theoretically book blackmail software as a service - and subsequently attack private individuals, companies or organisations.
What advantages does Ransomware-as-a-Service offer developers?
Any use of malware, whether "simple" phishing or sophisticated Advanced Persistent Threats, are always associated with a certain risk for the attackers. The same applies, of course, to ransomware. Here, the weak point is the payment process of the ransom. Because even if ransoms are mostly paid using cryptocurrencies: Digital currencies are not as anonymous as Bitcoin and Co. are promoted as a means of payment. On the contrary, the blockchain, the underlying technology behind the coins, records every transaction. This is an optimal opportunity for a well-positioned IT security to track down the blackmailers.
With Ransomware-as-a-service as a distribution model, the criminal developer distances himself from the victims of his malware - and benefits from a significantly lower personal risk. The malware developer does not carry out cyberattacks himself, but has them carried out by other actors. And in return receives a certain percentage of the ransoms paid. These surprisingly powerful affiliate networks make it possible for any "forest-and-meadow criminal" to secure a piece of the lucrative ransomware pie. As a result, corporate IT security is facing major new challenges.
The discount battle rages - also for Ransomware-as-a-Service
Last year, security researchers from Group IB identified 15 new providers for RaaS. This number may not be impressive on its own, but it proves that the market for malware as a service is growing. In addition, there is competition between the service providers for Ransomware-as-a-Service. As in any market, high competition in RaaS leads to discounts. Discounts make offers even more interesting, so that small-scale criminals (and those who want to become one) hardly have any barriers to entry when it comes to pricing. For businesses, organisations and individuals, this makes the situation even more dangerous.
What does RaaS cost per month and what do cybercriminals get for it?
Ransomware-as-a-service is available for around $50 monthly fee on the darknet. A real bargain considering the ransom demands possible due to the nature of cyberattacks. Especially in the case of attacks on US or Indian companies, the demands can easily reach six figures. Cybercriminals who use the service of RaaS receive the ransomware code and the associated decryption key. But more is possible. Some of the Ransomware-as-a-Service offerings include real customer service, available to answer any questions about the malware's deployment. Dashboards that allow cyber attackers to monitor the status of the attack and, of course, incoming ransom payments have also long been part of the service offering. Professionalism and efficiency have long been standard with Ransomware-as-a-Service. New versions, fresh updates and multi-level subscription models are the rule rather than the exception with RaaS providers.
Which Ransomware-as-a-Service developers are known?
As is usual in criminal activities, malware developers also try to remain largely unknown. Nevertheless, some RaaS developers have been identified on the dark web. In 2017, for example, the Philadelphia ransomware from RainMaker Labs caused a stir. The hacker group not only used appealing websites to promote their ransomware, but also produced high-quality promotional videos. Besides RainMaker Labs, GandCrab, Sodinokibi and Jakeroo are among the well-known representatives of RaaS developers.
How easy is it to foist Ransomware-as-a-Service on potential victims?
The easier a product is to use, the higher the interest of the clientele. This also applies to RaaS. Even if the product here, the malware, can be highly sophisticated in conception - the distribution of the malware is almost child's play. The most popular method for delivering malware - and thus also ransomware - is still phishing. 67 percent of all cyber attacks with ransomware are sent via fake phishing emails. The reason is clear: phishing emails can be created without much expertise and sent to an almost unlimited number of recipients in a very short time. And there is also a solution for newcomers to the subject of phishing: criminal phishing specialists offer their own SaaS services that actively support the spread of ransomware.
The Corona Pandemic as an Accelerator
Since the start of the Corona Pandemic in 2020, the proportion of employees working from home offices has increased dramatically. To the same extent, the number of publicly accessible Remote Desktop Protocol servers has exploded. Just like remote access via VPN or VDI, RDP is considered an invitation for cyber attacks - because the unsecured interfaces are an invitation to penetrate the systems. Yet RDP servers can be secured quite reliably with small measures. If preset passwords are changed immediately and access is only allowed to certain IP addresses, a large part of the potential danger is already averted. Multi-level authentication and regular security updates do the rest to protect RDP servers or VPN accesses from cyber attacks.
How do companies reliably protect themselves against blackmail by malware?
No company has to accept extortion by ransomware without defence. However, the basic assumption of any IT security must be that cyber attacks can - and will - take place at any time. External security service providers who monitor the company networks around the clock and in real time represent an effective early warning system - and a perfect supplement to the company's internal IT security. In addition, critical data should of course be backed up - either offline or in a secure cloud environment. It goes without saying that operating systems and applications must be updated regularly and that the latest security patches must be applied promptly after their release. The biggest vulnerabilities - even in otherwise well-secured companies - are still uninitiated employees. Therefore, security education and training are an essential part of any plan of action to improve IT security within a company. And last but not least: advanced phishing protection that reliably detects and blocks phishing mails is indispensable to close this popular gateway for malware of all kinds.
The times when ransomware was mainly developed, programmed and distributed by more or less talented hackers in the quiet are over. Today, a short search on the darknet in combination with sufficient criminal energy is enough to conveniently rent ransomware of all kinds. Shared risk is half the risk - this is especially true for the providers of Ransomware-as-a-Service, who, thanks to extensive affiliate networks, earn money from every successfully executed extortion.
Of course, this does not make the job any easier for IT security, on the contrary: the more semi-professional cybercriminals jump on the RaaS bandwagon, the more widespread the cyberattacks become. Companies from the USA and India in particular would rather pay high ransoms than forego valuable company data. However, the same applies to RaaS: there is always a defence strategy against every cyber attack. Just as with Advanced Persistent Threats, external IT security service providers should be activated in addition to the company's internal IT security in the case of ransomware attacks. In addition, security patches, regular updates and, of course, comprehensive training of all employees in cyber security are an effective means of keeping malware of all kinds away from computers and servers. And especially in the case of phishing e-mails, which are considered the main gateway for Ransomware-as-a-Service, the motto must be: Think first, then click.