Protect Your Business from Ransomware as a Service

Cloud-based business models such as infrastructure as a service and software as a service have ballooned in popularity, gaining mainstream acceptance in recent years. Cloud providers benefit from superior economic models that scale and reduce their development risk and complexity. 

However, with success comes attention, so it’s only logical that criminals have emulated these models. 

Like advanced enterprise applications, ransomware is complex malware, requiring custom code that runs on end points, as well as a network of command and control (C&C) servers. In addition, there are back-end requirements to store unique keys, collect ransoms, and deliver decryption keys. It requires significant testing and support to operate smoothly, along with continuous development and updates to avoid detection. 

Therefore, after years of simply selling source code on the dark web, criminals have taken their cues from these scalable cloud businesses and begun selling ransomware in an as-a-service model. 

So, how does ransomware as a service (RaaS) work? How do providers maintain anonymity and avoid law enforcement? And most importantly, what do IT and business leaders need to know to protect their businesses against a RaaS attack? 

 What is Ransomware as a Service? 

RaaS is a software delivery model that provides prebuilt tools for executing ransomware attacks. With RaaS, a provider can write code once and sell it many times—making it economical to deploy. Complex infrastructure can be built, and RaaS instances can dynamically scale up and down as needed. 

Most importantly, criminals don’t have to be programmers and/or DevOps experts to use ransomware to attack their victims. In fact, all it takes is a reliable email list and an alluring tactic to get people to click on a link or open a file. The RaaS provider takes care of the rest.

There were more than 300 million ransomware attacks in 2020, according to Statista. However, there are typically less than 200 new ransomware code variants introduced each year. This indicates that most attacks use the same code, and the rise of RaaS may be the reason. Indeed, the most famous ransomware groups are probably REvil and DarkSide, which are known RaaS providers.

The Role of the Dark Web

RaaS services are typically offered through the dark web. It’s a part of the internet not indexed by traditional search engines, and specific software and configurations are required to access content there. 

At a minimum, a user needs a special Tor browser that uses encrypted traffic over dozens of relay nodes around the world. Users and servers are both equally anonymous, and the Tor network has been used legitimately to help relay whistleblower complaints to journalists around the world. 

Unfortunately, the network can also be used to advertise, sell, and deliver illegal goods and services anonymously. Payments are made in cryptocurrencies and real names are never used in those transactions. Law enforcement from various countries actively prosecute these marketplaces, so they often disappear and reappear to evade capture. 

Author's note: Most people would be well advised to steer clear of the dark net. Hackers aggressively attack computers connected to the dark net, so users need to employ layers of VPNs, virtual machines, and other techniques to avoid being attacked themselves. For instance, trained researchers use dedicated Linux-based virtual machines with Tor browsers that are completely deleted after each session.

Typical RaaS Business Models

RaaS providers experiment and differentiate using different business models, like any other cloud provider. Over time, four common revenue models have emerged: 

• One-time licensing fees, similar to a software license 
• Monthly or annual subscription services, for a fixed price 
• Subscription services with lower fixed prices, plus a percentage of the profits—typically between 20% and 30% 
• Pure profit sharing with no up-front fees, with the provider getting at least half of the profit 

A Real-Life RaaS Provider

Examples of RaaS are not difficult to find on the dark web. In fact, RaaS providers build web pages, advertise, and drive social media feeds, just like legitimate companies. Many can be found using search engines on the dark web, post customer reviews, and even link to mentions in mainstream media. 

We will take a typical example and call it Exxxxxx. (We’ve disguised the actual name, for obvious reasons.) On the home page, Exxxxxx advertises that it provides pre-configured and compiled ransomware and a decrypter. They also provide a free, anonymous C&C dashboard via the dark web, so users can manage clients. 

The provider supports additional customizations and takes no fees from end-clients. This service provides a 12-month package for $1,400, with no revenue split. It includes features such as delayed starts, mutex, editor disablers, UAC bypass, desktop wallpaper changer, IP tracking, offline encryption, and technical support. 

For an additional fee, this RaaS provider includes a dropper (to add a cyber criminal’s own network backdoor) or an “unkillable process.”

There’s a lower-level package with less customization, as well as cheaper packages for cyber criminals to test the service before they scale up. The website includes a table to compare the features in each package. 

To order, cyber criminals simply send the required amount to a bitcoin address, and then send an email to the RaaS provider with details on their chosen package and the bitcoin address used to send the money, as well as any options they selected. Upon receipt of payment, the RaaS provider sends an email with links to the files (ransomware and decrypter) and a link to the C&C dashboard. 

 Lowering the Bar for Cyberattacks

RaaS greatly reduces the level of specialized expertise required to launch a ransomware attack. A criminal with an email list only needs to sign up for the service and get a victim to click a link to get started.

No coding or infrastructure knowledge is necessary. The transaction between the cyber criminal and the RaaS provider is completely anonymous, and the criminal can repeat the attack with as many victims as possible during their service period. 

Questions can be directed to a technical support team. Many of the larger RaaS vendors even have telephone support to walk victims through the process of purchasing cryptocurrency to pay their ransoms. 

RaaS also changes the equation for who can expect to get attacked. Small to mid-sized businesses don’t typically see themselves as potential targets because of their size, but they’re more likely to face RaaS attacks because these services are easy to access and deploy, meaning criminals don’t have to go after big targets to turn a profit. 

Protect Your Organization Against RaaS Now 

Given the simplicity of this business model, we can anticipate that ransomware attacks will continue to grow in volume. 

Ransomware code is often obfuscated to get past firewalls and evade intrusion detection. However, once ransomware appears on a target machine, it is possible to detect many RaaS attacks by their signatures (including files and artifacts) and behavior, because there are still a relatively small number of ransomware variants. 

In fact, that is exactly what the Egnyte platform does. It detects known signatures of ransomware files and potential ransom notes, and updates signatures once new ones are found. The platform also detects the behavior of a ransomware attacks, based on the number of files touched and increasing file entropy. If ransomware does get through, Egnyte helps you to recover by reverting file versions, so ransomware is no longer a debilitating concern.

To learn about the latest ransomware trends and to see a demo of Egnyte’s capabilities, check out the following video.

‍

‍