Ransomware as a Service: Beginning of The End?

2020 was a lucrative year for cybercriminals, who thrived while businesses struggled to adapt to new working conditions and remote configurations. Hackers were able to attack larger targets and demand more money using ransomware. We have seen the rise of Ransomware-as-a-Service (RaaS), which flourishes in underground forums.

Ransomware operations are becoming an all-too-successful enterprise on the dark web. Total ransomware revenues for 2020 were approximately $20 billion.

Thus, business owners and IT professionals must keep abreast of the evolving ransomware technologies, tactics, and deployment practices. If left unchecked, these RaaS threat actors pose a substantial threat to enterprises across industries. 

For 2021 and beyond, the first defence against RaaS is to understand the threat that the RaaS business model poses. The next step, of course, is to take the necessary steps to protect your systems against cyber-attack.

Ransomware Overview

Ransomware is perhaps the most prominent security threat that businesses now face and certainly one of the most aggressive forms of cybercrime. It often starts life as malicious malware that infects a single PC or infiltrates the entire network, including servers, and seize control of critical data. Once infected, the ransomware element encrypts documents and files.

Most ransomware arrives through a phishing email with a malicious attachment or link. An employee clicks on the attachment and inadvertently downloads the malware. More complex ransomware campaigns take advantage of compromised websites, webserver plugins, or free downloadable tools.

Once a victim of a successful ransomware attack, you face a choice. You can either pay up and possibly regain access to your files, restore your files using backups, or start from scratch. Often, the malware reaches backup storage drives and encrypts backup data, leaving the victim company little recourse.

What Is Ransomware as a Service (RaaS)?

RaaS is a business model adopted by ransomware developers. They lease ransomware variants the same way that legitimate software developers lease their software as a Service (SaaS) products. 

RaaS grants the ability to deploy ransomware attacks, even with little technical knowledge of ransomware. Wannabe cybercriminals sign up for the service and can be up and running in a few minutes.

RaaS kits allow malicious participants to skip the time and effort of developing their own ransomware. What’s more, they can find ransomware kits on the dark web easily because the developers advertise them the same way legitimate SaaS companies advertise on the internet.

These RaaS kits sometimes include 24/7 support, bundle offers, forums and other features you’d find with legitimate SaaS packages. The price is agreeable as well. They range from $40 per month up to thousands of dollars, which are trivial amounts compared to a single successful ransom demand.

How Is Ransomware as a Service Used?

Typically, RaaS is delivered in three common service models. 

• A monthly subscription where the cybercriminal pays a flat fee per month. 
• A profit-sharing model with a lower monthly fee, though the RaaS operator receives a percentage of the profits. 
• A one-time licensing fee with no profit-sharing.
• Affiliate method where the subscriber gets a cut of any successful attack they instigate.

Subscribers often have access to support, communities, documentation, and updates, the same as subscribers to legal SaaS products. The more sophisticated RaaS providers even have customer portals that let subscribers see the status of their targets, including infection rates, payments, and total encrypted files. 

The RaaS market goes beyond customer portals. They are part of a competitive market and have marketing campaigns just like any other business. You can find white papers, videos, and even social media presence on Twitter and other platforms.

4 RaaS Threats To Be Aware Of

DarkSide Ransomware as a Service

DarkSide is a RaaS operated by organised criminals who actively recruit people on the dark web to participate in their affiliate program. This is a ransomware franchise opportunity for anyone who wants to use DarkSide to extort businesses worldwide. 

If the ransom is paid, DarkSide guarantees it will assist its victims in restoring their systems during the decryption process. However, they also threaten to leave the system locked and publish the stolen data if the ransom is not paid.

DarkSide is providing anonymous franchise access to their ransomware on a global scale. On August 8, 2020, the Darkside operators published a press release on the dark web to promote their extortion kit, which came about through partnering with other well-known ransom groups.

DarkSide was responsible for the attack that caused Colonial Pipeline to shut down 5,550 miles of its pipe, which stranded countless shipments of gas, diesel, and jet fuel along the Gulf Coast.

Thanos Ransomware as a Service

Thanos, which emerged in 2019, is a RaaS that provides customers and affiliates with a customised tool designed to build unique payloads. The Thanos tool is more complex than its predecessors like Project Root or NemeS1S. 

This version is configurable with over 42 options and features—many of these options a designed to evade endpoint security using RIPlace. Thus far, Thanos is the only commonly recognised RaaS that uses the RIPlace technique.

Thanos is an example of how robust ransomware services are. With its specialised focus on evasion and the attention to customer needs when it comes to features, Thanos is positioning itself as an essential tool for lower-level criminals. It’s effective, easy to use, and customisable to target groups. 

Avaddon Ransomware as a Service

Avaddon ransomware is a RaaS that combines extortion with encryption and data theft and had its start in 2019 but became aggressively prominent in June 2020. Most often, they deliver the ransomware through phishing campaigns and spam that drop malicious JavaScript.

In addition to the typical threat of data encryption, Avaddon ransomware users threaten their victims by exposing data to the public via the Avaddon leak site. Distributed Denial of Service (DDoS) attacks are also part of their threats. These extortion tactics increase pressure on victims to pay the ransom.

According to a 2021 report, the operators responsible for Avaddon ransomware are very selective about their affiliates/users as well as their targets. They have stated publicly that they do not support attacks on government, educational, healthcare, or charity organisations. There are some reports that Avaddon is ceasing its operation. 

SunCrypt Ransomware as a Service

SunCrypt ransomware encrypts files and prevents its victims from accessing them. It also renames all those encrypted files adding a string of characters to the extension.

You would also see a file titled “YOUR_FILES_ARE_ENCRYPTED.HTML” file in all the folders that serve as the ransom message. This message could appear in English, French, German, Japanese, and Spanish. Victims are directed to restore access to the files through a chat program or through the Tor browser.

SunCrypt’s reputation precedes them. They do not send the decryption key when the ransom is paid. Therefore, victims are never advised to pay the ransom, even though there is no known way to recover the files other than to restore backups.

How To Defend Against Ransomware

You don’t always know what you need.. until you need it. Here is a review of 4 key areas that we advise all of our customers to focus on from a ransomware protection perspective.

1. Backups

Aside from protecting your systems, having current backups is essential to restoring your services in the event of a ransomware attack. Backups are critical parts of any disaster recovery and business continuity plan. 

It is vital that you maintain regular daily and monthly backups, storing them in multiple locations. Cloud services allow you to store your data in an alternate location, but these can still be compromised by ransomware if not set up correctly. 

Securus Communications have the next-generation of secure backup solution covered. We offer a private cloud backup solution with immutable data locks and airgap technology that stops ransomware from altering your backup files in any way.

2. Email Filtering

Most often, ransomware enters a network through an attachment sent through a phishing email. One way to defend against this is with email filtering. Anti-ransomware software analyses incoming emails, flags potential phishing content and then moves those emails to a quarantine folder.

Are you feeling unprotected? We can provide your business with an easy-to-manage anti-phishing/anti-malware email solution to stay one step ahead of malware threats. What’s more, our solution is constantly updated with the latest threat signatures.

3. Antivirus Software

Antivirus software often has ransomware protection built-in, especially now that ransomware is a rising form of malicious criminal activity. 

Be sure that your antivirus software is up to date everywhere on your network, including individual user devices and printers. Antivirus software should be installed on all laptops, computers servers, tablets, mobile devices, mobile phones. Bring Your Own Devices (BYOD) are especially vulnerable.

Antivirus protection that is running the latest signature detection is often overlooked. Securus offer effective antivirus services that provide centralised alerting and estate-wide protection.

4. Security Education and Awareness

Cybersecurity training for your employees is a must. Cyberattacks are possible because individuals inadvertently activate phishing links. We can help train your staff on how to handle sensitive data to minimise accidental leaks. We also provide training on the most common cyber threats, explaining to employees how to identify and report suspected attacks.

Conclusion

Ransomware has become a booming enterprise, with criminals boldly advertising their ransomware service offerings. It is up to cybersecurity professionals and business stakeholders to keep up with evolving ransomware software and protect networks and the valuable data contained within from ransomware attacks.

Please get in touch if you would like to discuss any aspect of your security requirements in further detail. Also, please check out our article with more detailed information on how to defend against ransomware attacks.

Further Technology Articles