What is Ransomware?
Ransomware is a type of malware that prevents victims from accessing their data, such as files, databases, or applications, by encrypting it and holding it for ransom. It can spread easily across a network and targets critical databases and file servers, which can halt the operations of the target organization. The attacker then demands a ransom from the victim in exchange for restoring access. Ransomware has recently become one of the most common cyber attacks, generating billions of dollars in payments to cyber criminals.
Most hacker groups demand the ransom in cryptocurrencies. The severity of these attacks has caused various companies to shut down because of the high ransom demands. Ransomware is currently the biggest cyber threat, especially for organizations that depend heavily on digital infrastructure.
Although most government agencies advise against paying the ransom, since paying encourages these criminal groups, the halt in operations can also drive an organization into bankruptcy, so most organizations prefer to pay. However, research shows that approximately 50% of victims who pay the ransom suffer another ransomware attack soon afterwards, especially if they did not mitigate the vulnerabilities that caused the incident or did not clean the malware from their systems.
Ransomware gangs mostly use asymmetric encryption. This method uses a pair of keys, one for encryption and one for decryption, generated by the attacker uniquely for each victim. Without the private key, it is almost impossible to decrypt the encrypted files. Once the ransom is paid, the attacker shares the private key with the victim, allowing them to decrypt and access the files. Recently, some ransomware gangs have also started to steal sensitive information before encrypting it.
If the organization refuses to pay the ransom, the gangs threaten to leak the stolen files online to put the organization in a tough spot. Leaking users' sensitive information online can lead to serious lawsuits and can damage the organization's reputation drastically.
What is Ransomware as a Service?
RaaS, which stands for Ransomware as a Service, is a business model in which affiliates pay ransomware operators to launch attacks on targets. It can be considered a form of the software as a service model. Anyone who has paid for a RaaS service can launch an attack on the target of their choice without any technical skill or knowledge. Ransomware operators provide RaaS kits to affiliates that allow them to use the service. Also, similar to legitimate solutions, operators provide affiliates with a panel for building their ransomware package and a command and control dashboard.
Just like legitimate services, RaaS offerings come with 24/7 support, bundles, user reviews, a community board, and other features depending on the provider. The price of these kits ranges from less than $100 to thousands of dollars. Most ransomware gangs demand at least millions of dollars in ransom from victims.
RaaS services can be found easily on both the dark web and the legitimate web. The providers advertise their offerings on multiple websites and may offer discounts or extra features to attract more customers. RaaS arrangements mostly follow one of four revenue models:
Monthly subscription: Affiliate pays a monthly flat fee and earns a small percentage of a successful ransom.
Affiliate program: In this model, the operator gets a small percentage of the profits.
One-time license: The affiliate pays a one-time fee and doesn’t share the profit with the operator.
Profit sharing: Profits are divided among affiliates and operators according to the percentage both sides agreed on prior to attacking.
How does Ransomware as a Service work?
In Ransomware as a Service, the developer of the ransomware creates malware that is purpose-built with a cloud-native architecture to support multiple end users and licensing schemes. When the payment is made, mostly in Bitcoin, the operator starts the campaign and infects the victim. In most cases, operators use phishing and social engineering to trick users into running the malware.
Once the malware is executed, the data on the victim's system is encrypted and becomes essentially useless. The operator then displays a message to the victim with instructions for paying the ransom. After that, the operator waits for the victim to send the ransom or make contact. If the victim pays the ransom, the money is divided according to the agreement between the affiliate and the operator.
Most RaaS services include either a compiled ransomware or its source code, customization tools for the ransomware, other malicious tools capable of extracting data before encryption, purpose-built infrastructure for managing the ransomware, a control panel, 24/7 technical support, a forum or some other platform for exchanging information, and instructions.
Examples of Ransomware as a Service
Some of the most notorious ransomware families are available as RaaS on the dark web. Well-known RaaS kits include REvil, Dharma, LockBit, Conti, Maze, Encryptor, Goliath, Jokeroo, Locky, Shark, and Stampado.
A well-known example of ransomware as a service is REvil, which was used to attack Kaseya in 2021.
Dharma, which emerged in 2016, is also a very common RaaS.
Another well-known RaaS operation is DarkSide, which initially focused on Windows systems and later expanded to Linux. The FBI stated that the Colonial Pipeline attack was carried out by the DarkSide group.
LockBit has also been a very notorious RaaS service since late 2019. The gang leaks data on a popular Russian criminal forum.
Another service, Maze, is known for threatening to publish victims' stolen data publicly.
FAQ
Is Ransomware as a Service illegal?
Just as hacking into a system and encrypting its data is a crime, paying someone to do it is also a crime. Since ransomware as a service is illegal, most ransomware gangs operate on the dark web and are extra careful when contacting affiliates. Payment is made in cryptocurrencies, which makes these cybercriminals even harder to track. However, many ransomware gang members have also been arrested. In short, paying someone to launch a cyber attack is a crime and can result in serious legal consequences.
What was the first Ransomware as a Service?
Although ransomware dates back to the late 1980s, RaaS is a relatively new model. The first known ransomware was the AIDS trojan, released on a floppy disk in 1989. It demanded $189 from its victims, to be sent to a post office box in Panama. The first RaaS service is believed to be Dharma. The ransomware initially emerged in 2016 as CrySis. It has been available on the dark web since 2016 and is associated with remote desktop protocol attacks.