Ransomware as a Service: Unravelling this Ecosystem

Keeping track of ransomware groups, their attack methods and their targets is no easy feat, but thanks to threat intelligence research and information sharing, we continue learning more about these adversaries.

September 2, 2022

The cybersecurity industry continuously tracks how ransomware groups attack and who the newest victims are. However, we sometimes forget to look at how all these groups work behind the scenes and what kind of resources they use before and after an attack, from affiliate services to “client support” platforms. What’s behind this boom? Jose Miguel Esparza, head of threat intelligence at Outpost24, explains how RaaS operations work in today’s ecosystem.

The word ransomware is ever present in today’s world, with the number of attacks increasing exponentially. Indeed, threat actors and ransomware groups are utilizing Ransomware as a Service (RaaS) to its fullest. What is the RaaS ecosystem, and what advice can security professionals provide to best protect their organizations?

Keeping track of ransomware groups, their attack methods and their targets is no easy feat, but thanks to threat intelligence research and information sharing, we are continuing to learn more about these adversaries. This includes examining their online forums, understanding how they deploy their attacks in terms of tactics, techniques and procedures (TTPs), and reviewing the hacking tools and malware samples in use. Many wrongly believe ransomware groups are dysfunctional collections of lone hackers and scammers, but this couldn’t be further from the truth. They are highly motivated, well-resourced and organized businesses. They do their due diligence behind the scenes before an intrusion and linger long after. RaaS, and the many nefarious RaaS groups that have launched successful attacks, is at the forefront of their growing success.


I’ve previously discussed the advancement of ransomware, covering the history, the ecosystem and the current landscape of this highly popular cyberattack method. Over time, ransomware has become more targeted, which has coincided with the development of newer technologies, techniques and services within the cybercriminal underworld. This enables advanced attackers to methodically penetrate corporate networks and move laterally to study the system(s). The malware is then deployed in a calculated manner designed to cause the biggest possible obstruction to business operations, thereby maximizing the chances of being paid. We are now seeing multinational enterprises hit by ransomware attacks as these hacking groups seek to increase their profit. Hitting bigger organizations means higher ransoms.

Initially, threat actors would create and deploy their own ransomware families. However, this also made attribution easier, allowing law enforcement services to track and shut them down. For instance, the Russia-based group Evil Corp (once described as the world’s most wanted hackers) was revealed by the FBI to have been behind many of the malicious DRIDEX-based malware attacks, so sanctions were levied against them.

To avoid further detection and sanctions, Evil Corp pivoted to RaaS and began using a variety of malware families, including BitPaymer, WastedLocker, Hades, Phoenix Locker, PayloadBIN and Macaw Locker.

The Layers within Ransomware as a Service

There are quite a few components within Ransomware as a Service, which itself is a more advanced evolution of Malware as a Service (MaaS), where a provider supplies a client with malware code, botnet management and other services. Within the RaaS model, multiple layers and components make it function the way it does.

Administrators

Firstly, you have the administrators, who supply the buying party (or affiliate) with access to the malware and the infrastructure to house and deploy it. They also provide support during the negotiation stages with the ransomware victims. Within the RaaS package, there are a few options available to the buyer, which include a dedicated leak site where victim information is posted, an online portal that allows the affiliate to manage victims and build further malware samples, and a communications site that allows the hackers to liaise with the victims. There is even the option of an instant messaging-style line of communication.

For their work, administrators are usually given a percentage of the ransom, but they are not directly involved in attacking the victims.

Who are the sellers?

Buyers can also purchase a private RaaS offering, whereby the negotiations are conducted privately, either through instant messaging or forums. These are typically only offered to cybercriminals who are well-known or have a higher profile within the online underworld. For all other users, sellers and resellers facilitate and manage the sales process across the underground forums.

However, since May 2021, merely discussing or using ransomware terminology has been banned on these forums because of the pressure brought by law enforcement, who were increasingly shutting down these online platforms.

Yet, just like the mythical hydra, as soon as one forum was taken down, more were created almost instantly to take its place. In July 2021, a new forum called RAMP appeared, where ransomware advertisements were more than welcome.

Who is an Affiliate?

An affiliate is the name given to the actual hacker carrying out the ransomware attack. They typically obtain access to an enterprise’s network, either by their own means or by going through an Initial Access Broker (IAB), before deploying the ransomware purchased via the RaaS.

Their main goal is to infect as many systems as possible without getting caught and to cause the most disruption. If successful, the affiliate uploads the stolen details to the portal (depending on the RaaS program used) and begins communication as quickly as possible to increase the likelihood of the ransom being paid before the authorities are alerted.

Initial Access Brokers (IABs)

As mentioned, IABs can play a pivotal role in how a threat actor enters the targeted organization’s infrastructure. Found on underground forums, IABs are financially motivated and make their money by selling intelligence, remote access software and tools that help hackers access corporate networks or exploit vulnerabilities.

IABs are the go-betweens that streamline a ransomware operation by giving the threat actor an entry point from which to begin their attack. Regardless of the organization’s location, size, sector or yearly revenue, IABs are likely to know an entry point.

The unfortunate victims

It is always unfortunate to be the victim of a ransomware attack, but the victims or “clients” are a key element in the RaaS ecosystem, as without them the whole business model fails. With their ransom payments, they hope to get their sensitive data back and their systems online. Of course, there are always instances where the hackers have received payment and didn’t give access back to the victims, but those are rare these days, as it reduces the likelihood of payment from future victims. Moreover, on top of the risk of significant financial loss, the victim organization also has to deal with reputational damage as news of the ransomware attack circulates.


Evolving with the Ecosystem

With RaaS usage increasing, targeted ransomware attacks will continue to be an issue for enterprises. Whether or not you are a security professional, understanding how threat actors operate and utilize the RaaS business model is essential. For enterprises, it is necessary to incorporate threat monitoring, vulnerability management and digital risk protection into your defense, because these provide actionable information on whether your organization might be a target, enabling you to be proactive and reduce the risk of being attacked. Taking these steps will better secure your business against cyberattacks like ransomware.


Jose Miguel Esparza

Head of Threat Intelligence, Outpost24

Jose Miguel Esparza has been analysing internet threats since 2007 and has a background in analysis of banking malware, exploit kits, and vulnerabilities, as well as experience designing and building malware labs from scratch. He is focused on gathering threat intelligence from actors and botnets, analysing new malware, and protecting new customers from them. This is a passion he’s carried into his role as Head of Threat Intelligence at Outpost24.