Unfortunately, malicious minds typically find a way to divert otherwise good ideas for malevolent purposes. A recent example of this defect in human nature can be seen in the introduction of ransomware-as-a-service (RaaS). As if cybersecurity teams needed additional work, RaaS democratizes the ability to launch damaging ransomware attacks. RaaS makes it possible for virtually anyone to initiate a ransomware attack.
What is Ransomware-as-a-Service?
RaaS is a business model in which operators offer affiliates paid access to ransomware resources with the ability to launch attacks. It’s a variation on the standard SaaS delivery model that eliminates the need for criminals to have the necessary skills or time to develop ransomware themselves. RaaS operators offer their services on the dark web and advertise them in the same way legitimate software companies do on the Internet.
How Does RaaS Work?
An RaaS operator typically recruits affiliates on dark web forums. The affiliate agrees to the terms which usually include agreeing to use one of these four revenue models:
- A flat fee for a monthly subscription;
- Affiliate programs in which the developer gets a percentage of the profits in addition to the subscription fee;
- A one-time license with no profit sharing;
- Straight profit sharing with no upfront fees.
After payment arrangements are made, the operator provides the affiliate with access to the ransomware. The affiliate selects a target, sets ransom demands, and creates a ransom note. They then compromise the victim’s assets and execute the ransomware. The operator furnishes a payment portal and may help the affiliate with victim negotiations. The affiliate controls the decryption keys while an operator may provide a website that can be used to leak sensitive data to encourage the victims to pay.
The Evolution of RaaS
The RaaS model began to gain popularity in 2019. Since that time, ransomware variants previously used exclusively by their developers have been identified in RaaS attacks. The list of RaaS providers includes:
- Darkside - This group is reputedly responsible for the May 2021 attack on Colonial Pipeline. The attack affected consumers and airlines in the eastern U.S. for several days. Colonial paid the hackers for the decryption keys necessary to restart their systems.
- DoppelPaymer - Attacks using this RaaS include one in Germany in 2020 that may have contributed to the death of a patient.
- LockBit - The gang behind LockBit runs an efficient and businesslike organization that has resulted in the widespread use of this ransomware by affiliate groups.
Defending Against Ransomware
Defending against any type of ransomware attack involves the coordination of multiple secure initiatives that include:
- Implementing reliable backup and recovery procedures;
- Installing security patches promptly;
- Employing multi-factor authentication;
- Anti-phishing software and user education to avoid compromised credentials;
- Extended detection and response solutions to identify sophisticated risks.
As much as we like to highlight the positive characteristics of cloud computing, the unfortunate reality is that the same resources that can be used to add functionality to your business can also be used for nefarious purposes such as promoting ransomware as a service.