Ransomware has become its own industry – a multi-billion dollar industry to be more precise. In 2021, it was estimated that the cost of ransomware to businesses would exceed $20 billion.
What is Ransomware-as-a-Service
Ransomware-as-a-Service (RaaS) is a service offered by cyber-criminals that enables those without the relevant technical skills to launch their own ransomware campaigns. Ransomware-as-a-Service vendors offer a variety of subscription models, which include monthly subscription plans, a one-time license fee, affiliate programs, and other types of shared profit schemes.
RaaS kits are available on the dark web and come with features such as 24/7 support, user reviews, forums, and bundled offers, all of which mirror what legitimate SaaS providers offer. The pricing for RaaS kits ranges anywhere from $40 per month to several thousand dollars, which is a small price to pay compared to the average ransom demand of $6 million in 2021. Even if some attacks fail, a threat actor can still make large sums of money from successful attacks.
The Rise of Ransomware-as-a-Service
In the last five years we’ve seen a notable increase in the number of organizations falling victim to ransomware attacks. We’ve also seen an increase in the size of the organizations being targeted and the size of the payments being demanded and made.
To make matters worse, the attack methods have become increasingly sophisticated. For example, attackers started to steal the victim’s files before encrypting them, and then threaten to expose the files if the victim refuses to pay the ransom – a technique referred to as “Double Extortion”.
Now, we have the “Triple Extortion” technique, which is where the attackers also target the victim’s customers and business partners, in an attempt to extort them too. However, it’s likely that RaaS has played the biggest role in the rapid rise of attacks we’ve seen in the last two years.
How the Ransomware-as-a-Service Revenue Model Works
RaaS vendors sell kits on the dark web using many of the same marketing techniques that legitimate cloud vendors would use to sell Software-as-a-Service (SaaS). For example, Ransomware-as-a-Service (RaaS) vendors will offer packages that include 24/7 email support, support forums, documentation, video tutorials, feature updates, and more.
Affiliates will also be able to read reviews about the vendors to determine whether they are likely to deliver on their promises. RaaS kits start from around $40 per month, although the “premium” subscriptions can be thousands of dollars. However, given that the average ransomware payment in 2021 was $570,000, a few thousand dollars isn’t that much in comparison.
Once the affiliate has created an account and paid for their subscription in Bitcoin, they can log in to their control panel and start building their own ransomware package. They will have access to a “Command and Control” dashboard, where they can manage and monitor their campaign.
Most RaaS packages will offer a payment portal, where they can configure the ransom amount, customize ransom notes, manage decryption keys, keep track of payments, and negotiate with their victims. They will also have the option of managing how and where any leaked information is stored and displayed, which they can use to pressure their victims into paying the ransom. Some of the more advanced RaaS platforms will provide a wealth of statistics, such as the total number of files encrypted, the number of payments made, the total amount paid, the location of their victims, and any other relevant information.
Bitcoin is a popular cryptocurrency for ransomware attacks due to the anonymity it provides for both victims and perpetrators. While Bitcoin transactions and wallets are publicly viewable, attackers can use mixing services and “jump chains” to increase anonymity.
How Ransomware-as-a-Service Attacks Work
To initiate a RaaS attack, the attacker must first locate the ransomware kit on the dark web and sign up for the service. The method of delivery will vary depending on the ransomware code and may involve infiltration of systems via phishing emails or malicious links. More sophisticated ransomware may automate the delivery process, while lower-cost options provide the ransomware for the purchaser to deploy themselves. Once the attackers have successfully compromised a system, the ransomware script will encrypt the victims’ data and present them with a ransom note, demanding payment in exchange for the decryption key. This demand is typically facilitated through the RaaS portal and can include tools for anonymous cryptocurrency payments.
Ransomware-as-a-Service Examples
Some of the most widely used RaaS kits include Locky, Goliath, Shark, Stampado, Encryptor, and Jokeroo. In terms of RaaS operations, DarkSide, REvil, Dharma, and LockBit are some of the most prolific service providers on the dark web. See below for a summary of the most popular RaaS providers and their impact:
DarkSide
This RaaS operation typically targets unpatched Windows machines but has recently expanded to Linux. The FBI publicly confirmed DarkSide’s involvement in the Colonial Pipeline ransomware attack on May 10, with the pipeline reportedly paying a ransom of almost $5 million USD to a DarkSide affiliate after having approximately 100GB of data stolen from their network.
REvil
Sold by the criminal group PINCHY SPIDER, this RaaS was responsible for a $10 million ransom demand. PINCHY SPIDER uses an affiliate model where they take 40% of the profits. Before releasing the bulk of data, PINCHY SPIDER warns victims of planned data leaks via blog posts containing sample data as proof. The ransom note includes a link to the blog post, which displays a countdown timer. Once the timer elapses, the data leak will be published.
Dharma
The Dharma ransomware attacks are allegedly attributed to an Iranian group that is motivated by financial gain. Dharma has been available since 2016 on the dark web and is associated with RDP attacks. The attackers demand 1-5 bitcoins from their victims. Unlike other RaaS kits, Dharma is not centrally controlled, and variants come from various sources, thus making the group difficult to observe.
LockBit
This RaaS has been in development since September 2019 and is available for Russian-speaking users or English speakers with a Russian-speaking guarantor. In May 2020, an affiliate of LockBit threatened to leak data on a Russian-language criminal forum and provided proof of the stolen victim data. The affiliate has threatened to publish data from at least nine victims and is known to post a link to download the stolen data after a deadline passes.
How to Prevent Ransomware-as-a-Service Attacks
Below are the top 10 most commonly cited ways to minimize the likelihood of an attack, and to ensure a quick and effective response, were an attack to unfold.
Train employees to recognize and report suspicious emails
Given that employees are the weakest link when it comes to ransomware attacks, it is crucial that all employees are subject to some form of security awareness training to ensure that they know how to identify suspicious emails, links, attachments, websites, and applications.
Keep secure offsite backups of important data
Naturally, it’s a good idea to take regular backups so that you have the option to restore your data if you decide not to pay the ransom.
Regularly update software to reduce vulnerability to RaaS attacks
Attackers will often try to exploit known software vulnerabilities in an attempt to infect a system with ransomware. As such, all relevant software patches must be installed as soon as they become available.
Use the latest technology to detect and block RaaS threats
While there are no fool-proof technologies that can prevent a ransomware attack from unfolding, it’s still a good idea to use the latest and greatest anti-malware/anti-phishing technologies available.
Restrict access to sensitive data
Implement strict access controls and permissions, ensuring that only authorized personnel have access to sensitive data and systems, minimizing the risk of a RaaS attack.
Review and test your systems
Conduct regular cybersecurity assessments and penetration testing to identify and address potential vulnerabilities, ensuring that security measures are up-to-date and effective against RaaS and other threats.
Establish an Incident Response Plan
Ensure that your organization has a comprehensive Incident Response Plan (IRP) in place, outlining the steps that need to be taken in the event of a RaaS attack, to minimize the impact on the organization and its clients.
Monitor and report on suspicious activities
Use a real-time threat detection solution to monitor and report any suspicious activities, ensuring that potential threats are identified and addressed as quickly as possible.
Use strong passwords and MFA
Implement strong passwords and multi-factor authentication to secure login credentials and prevent unauthorized access to systems and data.
Set up ‘threshold alerting’
Use a data security platform that can automatically detect and respond to events that match a pre-defined threshold condition. While such techniques won’t prevent the attack from being initiated, they can at least prevent the attack from spreading.
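A threshold condition of this kind can be sketched as a sliding-window count of file writes per user. The following is an added example, not code from the original article or from any vendor's product; the log format, user names, paths and threshold values are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample file-audit events: "ISO timestamp|user|action|path".
# The format and every name in it are made up for this example.
SAMPLE_LOG = """\
2024-01-10T09:00:00|alice|modify|/share/finance/q1.xlsx
2024-01-10T09:00:40|alice|modify|/share/finance/q2.xlsx
2024-01-10T09:05:00|svc_backup|read|/share/finance/q1.xlsx
2024-01-10T09:10:01|bob|rename|/share/hr/a.docx
2024-01-10T09:10:02|bob|modify|/share/hr/b.docx
2024-01-10T09:10:03|bob|rename|/share/hr/c.docx
2024-01-10T09:10:04|bob|modify|/share/hr/d.docx
2024-01-10T09:10:05|bob|rename|/share/hr/e.docx
2024-01-10T09:10:06|bob|modify|/share/hr/f.docx
"""

WRITE_ACTIONS = {"modify", "rename", "delete"}  # events mass encryption produces

def threshold_alerts(log_text, max_events=5, window=timedelta(seconds=10)):
    """Return one alert per user whose write-type events reach max_events
    inside a sliding window; the user is re-armed once the count drops."""
    recent = defaultdict(deque)   # user -> timestamps still inside the window
    alerting = set()              # users already over threshold (no repeat alerts)
    alerts = []
    for line in log_text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 4:
            continue              # skip malformed lines instead of crashing
        ts_raw, user, action, path = parts
        if action not in WRITE_ACTIONS:
            continue
        ts = datetime.fromisoformat(ts_raw)
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # drop events that fell out of the window
        if len(q) >= max_events and user not in alerting:
            alerting.add(user)
            alerts.append({"user": user, "time": ts_raw,
                           "count": len(q), "last_path": path})
        elif len(q) < max_events:
            alerting.discard(user)
    return alerts

if __name__ == "__main__":
    for a in threshold_alerts(SAMPLE_LOG):
        print(f"ALERT {a['time']} {a['user']}: {a['count']} writes in window")
```

An automated response, such as suspending the account or session, would be triggered at the point where the alert is appended. The threshold and window need tuning against normal activity such as backup jobs and bulk file moves.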
FAQs
What are the different types of RaaS kits available, and what are their capabilities?
While it’s important to be aware of the threats posed by RaaS kits, we cannot disclose specific details about the different types and their capabilities. This information could be misused by malicious actors to improve their attack methods and exploit vulnerabilities.
However, we can share some general information about RaaS kits:
- They are designed to be user-friendly: RaaS kits are built to be accessible even to individuals with limited technical expertise. This allows a wider range of attackers to participate in cybercrime.
- They offer various functionalities: RaaS kits can come with different features, including encryption methods, ransom note templates, communication tools, and even guidance on initial infection and extortion tactics.
- Their sophistication varies: Some RaaS kits offer basic functionality, while others are more complex and feature advanced capabilities like data exfiltration, lateral movement within networks, and self-replication.
It’s crucial to remember that RaaS kits are a significant threat to cybersecurity. They enable cybercriminals to launch sophisticated attacks without requiring extensive technical knowledge, increasing the risk for individuals and organizations alike.
If you’re concerned about the potential impact of RaaS kits, it’s essential to implement robust cybersecurity measures, stay informed about the latest threats, and seek professional guidance if needed.
How much do RaaS kits typically cost?
The cost of RaaS kits can vary significantly, ranging from as low as $40 per month to several thousand dollars, depending on several factors:
- Features and functionality: More sophisticated kits with advanced capabilities like data exfiltration or self-replication generally come at a higher cost.
- Level of support: Some RaaS vendors offer additional services like customer support, tutorials, and updates, which can increase the price.
- Distribution model: Some kits are offered as a subscription service with a monthly fee, while others may be sold as a one-time purchase.
It’s important to remember that the relatively low cost of RaaS kits makes them a highly accessible tool for malicious actors, even those with limited resources. This affordability contributes to the growing threat landscape of ransomware attacks.
What are the legal implications of using a RaaS kit?
Using a RaaS kit, regardless of its cost or complexity, carries severe legal consequences in most jurisdictions. These consequences can be categorized into criminal charges and civil lawsuits.
Criminal charges can include cybercrime, extortion, and fraud. Engaging in any malicious activity with a RaaS kit, like deploying ransomware attacks or data breaches, likely violates cybercrime laws and can lead to significant jail time, fines, and even asset forfeiture. Additionally, using a RaaS kit for extortion or fraudulent purposes can result in separate criminal charges with their own penalties.
Civil lawsuits may also arise from the use of a RaaS kit. Victims who suffer financial losses or other harms due to a malicious attack can sue the perpetrator(s) for compensation. Furthermore, simply being associated with the use of a RaaS kit can significantly damage an individual’s or organization’s reputation, even if not directly involved in a lawsuit.
The legal landscape surrounding cybercrime and RaaS kits is constantly evolving. It’s crucial to stay informed about the laws in your region and seek professional legal advice if necessary. Remember, using a RaaS kit is not only unethical but also carries significant legal risks that outweigh any perceived benefits.