We recently conducted research (a study of 500 C-level executives at UK businesses with over 2,000 employees) aimed at investigating how organisations perceive today’s ransomware threats and how prepared they are to respond in the face of an attack.
Our study found that 94% of respondents were either concerned or very concerned about being hit by ransomware, not a surprising attitude given that 58% of our respondents admitted to having experienced a ransomware attack.
To understand the motivations of attackers, you first need to understand the business models by which they operate and drive profit. In this part of our blog series on ransomware, we, with our partner CrowdStrike, explore the relatively recent phenomenon of Ransomware-as-a-Service (RaaS), the business model driving ransomware’s popularity among criminal enterprises.
Business models driving the popularity of Ransomware
Business models built on ransomware now allow almost any criminal to become a cyber criminal. RaaS supports the creation, distribution and management of ransomware attacks without any technical, coding or development knowledge. This has expanded both the pool of possible threat actors and the volume of attacks your organisation may be exposed to.
Being aware of RaaS, how it works, and some typical examples will give you the situational awareness needed to develop a strategy to deter, detect, protect against and respond to ransomware threats.
What is Ransomware as a Service (RaaS)?
In the same way that legitimate software developers lease or licence Software as a Service (SaaS) products, ransomware developers follow a similar business model. Criminals can launch ransomware attacks simply by signing up for a service, in the form of RaaS kits advertised and easily accessible on the dark web; the purchasing and onboarding process is as easy as using any legitimate online marketplace.
RaaS kits are not just the code or malware; they also typically include customer-service features such as:
Users are also offered a whole host of other features that are identical to those offered by legitimate SaaS providers, making it a much easier user experience for those looking to commit malicious cyber acts.
The price of RaaS kits ranges from $40 per month to several thousand dollars – trivial amounts, considering that the average ransom demand in Q3 2020 was $234,000 and trending upward. A threat actor doesn’t need every attack to be successful in order to become rich.
How do criminals make money?
There are four common RaaS revenue models:
Monthly subscription for a flat fee
Affiliate programs, which are the same as a monthly fee model but with a percent of the profits (typically 20-30%) going to the RaaS operator
One-time license fee with no profit sharing
Pure profit sharing
A customer simply logs into the RaaS portal, creates an account, pays with Bitcoin, enters details on the type of malware they wish to create and clicks the submit button. Subscribers may have access to support, communities, documentation, feature updates, and other benefits identical to those received by subscribers to legitimate SaaS products. The most sophisticated RaaS operators offer portals that let their subscribers see the status of infections, total payments, total files encrypted and other information about their targets.
The RaaS market is competitive. In addition to RaaS portals, RaaS operators run marketing campaigns and maintain websites that look just like those of a legitimate company. They produce videos and white papers, and are active on Twitter.
RaaS is big business: total ransomware revenues in 2020 were around $20 billion, up from $11.5 billion the previous year. Some well-known examples of RaaS kits include Locky, Goliath, Shark, Stampado, Encryptor and Jokeroo, but there are many others, and RaaS operators regularly disappear, reorganise and re-emerge with newer and better ransomware variants.
Examples of RaaS
DarkSide is a RaaS operation associated with an eCrime group. DarkSide operators traditionally focused on Windows machines and have recently expanded to Linux, targeting enterprise environments running unpatched VMware ESXi hypervisors or stealing vCenter credentials. On 10 May 2021, the FBI publicly indicated the Colonial Pipeline incident involved the DarkSide ransomware. It was later reported Colonial Pipeline had approximately 100GB of data stolen from their network, and the organisation allegedly paid almost $5 million USD to a DarkSide affiliate.
REvil, also known as Sodinokibi, was identified as the ransomware behind one of the largest ransom demands on record – $10 million – and sold by criminal group PINCHY SPIDER, which sells RaaS under the affiliate model and typically takes 40% of the profits.
Like TWISTED SPIDER's initial leaks, PINCHY SPIDER warns victims of the planned data leak, usually via a blog post on its dedicated leak site (DLS) containing sample data as proof (see below), before releasing the bulk of the data after a given amount of time. REvil also provides a link to the blog post within the ransom note; the link shows the leak to the affected victim before it is exposed to the public. Upon visiting the link, a countdown timer begins, and the leak is published once the given amount of time has elapsed.
Dharma ransomware attacks have been attributed to a financially motivated Iranian threat group. This RaaS has been available on the dark web since 2016 and is mainly associated with remote desktop protocol (RDP) attacks. Attackers usually demand 1-5 bitcoins from targets across a wide range of industries. Dharma is not centrally controlled, unlike REvil and other RaaS kits.
Dharma variants come from many sources, and most incidents in which Dharma was identified revealed nearly a 100% match between sample files. The only differences were the encryption keys, the contact email address and a few other fields that can be customised through a RaaS portal. Because Dharma attacks are nearly identical, threat hunters cannot use a single incident to learn much about who is behind it or how they operate.
In development since at least September 2019, LockBit is available as a RaaS, advertised to Russian-speaking users or English speakers with a Russian-speaking guarantor. In May 2020, an affiliate operating LockBit posted a threat to leak data on a popular Russian-language criminal forum:
In addition to the threat, the affiliate provides proof, such as a screenshot of an example document contained within the victim data. Once the deadline passes, the affiliate is known to post a mega[.]nz link to download the stolen victim data. This affiliate has threatened to publish data from at least nine victims.
Worried about ransomware?
To find out more about Adarma and how we can help prepare and protect your organisation against ransomware attacks, please contact us now.
Stay up-to-date with the latest threat insights from Adarma by following us on Twitter and LinkedIn.