What is ransomware as a service?

A specific distribution model for a particular type of malware, ransomware as a
service (RaaS) is a significant threat to cybersecurity. This affiliate-type
scheme gives more would-be cybercriminals the opportunity to launch attacks
without the necessary technical and programming expertise, thus making ransomware
attacks more prevalent.

Given how damaging ransomware can be, it is especially important for companies
to understand the implications of RaaS for cybersecurity and why protecting
systems from ransomware is so crucial.

Understanding ransomware as a service

Ransomware as a Service (RaaS) is a business model that specializes in a
particular type of malware—ransomware—and operates on the dark web. In the
simplest terms, it is a malicious evolution of the more traditional, and legal,
Software as a Service (SaaS) model, which is used by many major corporations
including Microsoft, Adobe, Shopify, Zoom, and Dropbox. In the RaaS business
model, operators create the ransomware (and often, an entire ecosystem around
it) and offer it to third parties. Cybercriminals can “subscribe” to RaaS for
free. Once they become partners in the program, they pay for the service after
the attack happens, in the form of a percentage of the ransom.

Cyber attackers who want to execute ransomware attacks but lack the time and
ability to develop their own malware can simply pick a RaaS solution on the dark
web. They can access the ransomware and all the necessary components, such as
command-and-control (C2) panels, builders (programs for quick creation of
unique malware samples), malware and interface upgrades, support, instructions,
and hosting. Then they can launch their attack, without having to do all the
development work. As such, malicious actors can execute a sophisticated chain of
ransomware attacks without having any kind of knowledge or experience in
developing these types of malware.

Often, operators
offering ransomware as a service develop an entire product offering around
their malware. This can include a wide range of services such as community
forums, playbooks for strategic attacks, and customer support. This is
especially useful to would-be attackers with no experience in launching cyberattacks.
The additional RaaS services may include:

  • Customization tools to create highly targeted attacks
  • Additional tools, such as programs for data exfiltration
  • Community forums for advice and discussion
  • Playbooks for strategic attacks
  • Instructions for setting up the panel and the product
  • Manuals on attacks which include a description of tools, tactics and
    techniques for attackers

Whichever type of ransomware as a service the attacker chooses to use, the end
goal is always the same: to compromise an individual’s—or organization’s—network
and steal or encrypt data, and then get the target to pay a ransom.

The difference between malware, ransomware, and ransomware as a service

Malware is a general term for any type of malicious software that is used to
gain unauthorized access to an IT system or electronic device. This could be for
a range of purposes, including data stealing and system disruption, for example.
Ransomware, however, is a type of malware that is used to infect a target’s
system and encrypt or destroy its data; the target can be required to pay a
ransom—hence the name—in order to stop the attacker from publicly releasing the
information, or to receive a decryption key to restore the data if it was
encrypted.

What are the legal implications of ransomware as a service (RaaS)?

Given that RaaS enables a particular type of cybercrime and that it operates on
the dark web, it should be abundantly clear that the entire business model is
illegal. Any type of involvement in the industry—whether as an operator or an
affiliate (“subscriber”)—is unlawful. This includes making RaaS available for
sale, purchasing a RaaS with the intent of executing ransomware attacks,
breaching networks, encrypting data, or extorting ransoms.

How does ransomware as a service work?

RaaS operates on an
organizational hierarchy. At the top of the ladder is the operator, usually a
group that develops the ransomware and makes it available for sale. The
operator essentially acts as an administrator, overseeing all aspects of the
RaaS’s business operations, including managing its infrastructure and the user
interface. Often, the operator also handles the ransom payments and provides
the decryption key to those victims who pay. Within the operator group, there
may be smaller designated roles, including administrators, developers, and testing
teams.

RaaS affiliates—the “clients”—buy access to the RaaS in order to use the
operator’s ransomware in attacks. They identify the opportunities for attack and
carry the attacks out. The role of the affiliate is to identify targets, execute
the ransomware, set the ransom, manage post-attack communication, and send
decryption keys when the ransom is paid.

In Kaspersky’s recent
findings for Anti-Ransomware Day 2023, the major initial vectors of
ransomware attacks in 2022 were unveiled. The report revealed that over 40% of
companies experienced at least one ransomware attack last year, with small and
medium-sized businesses paying an average of $6,500 for recovery, and
enterprises shelling out a substantial $98,000. The study pinpointed the
primary attack entry points, including the exploitation of public-facing
applications (43%), compromised user accounts (24%), and malicious emails
(12%).

Once the ransomware is downloaded onto the system, it tries to disable endpoint
security software. Once the attacker has gained access, they can then reinstall
tools and malware. This will allow them to move around the network and then roll
out the ransomware. They can then send out a ransom note, after encrypting
files. In general, this is done through a TXT file that appears on the victim’s
computer, which tells them that their system has been breached and that they
must pay a ransom to receive a decryption key to regain control.
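
The ransom-note stage described above leaves a recognizable trace that defenders can hunt for: the same TXT file name appearing in many folders within minutes, often after endpoint security has been stopped. The following detection sketch is an added example, not code from the original article; the event format, the service name, the note file name, and the thresholds are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ntpath import basename, dirname  # parses Windows paths on any OS

# Constructed sample events (not from a real incident): "time host action target"
SAMPLE_EVENTS = r"""
2024-05-01T09:58:10 ws01 service_stop EndpointProtectionSvc
2024-05-01T10:02:00 ws01 file_create C:\Users\ana\Documents\HOW_TO_RESTORE.txt
2024-05-01T10:02:01 ws01 file_create C:\Users\ana\Desktop\HOW_TO_RESTORE.txt
2024-05-01T10:02:03 ws01 file_create C:\Shares\Finance\HOW_TO_RESTORE.txt
2024-05-01T10:02:04 ws01 file_create C:\Shares\HR\HOW_TO_RESTORE.txt
2024-05-01T10:03:00 ws02 file_create C:\Users\bo\Documents\notes.txt
2024-05-01T10:04:00 ws02 file_create C:\Users\bo\Desktop\todo.txt
2024-05-01T11:30:00 ws03 file_create C:\App\a\README.txt
2024-05-01T12:45:00 ws03 file_create C:\App\b\README.txt
2024-05-01T14:00:00 ws03 file_create C:\App\c\README.txt
""".strip().splitlines()

def parse(line):
    ts, host, action, target = line.split(" ", 3)
    return datetime.fromisoformat(ts), host, action, target

def find_ransom_note_bursts(lines, min_dirs=3, window=timedelta(minutes=5)):
    """Flag hosts where one .txt name lands in >= min_dirs folders within window."""
    drops = defaultdict(list)          # (host, note name) -> [(time, directory)]
    service_stops = defaultdict(list)  # host -> [time a service was stopped]
    for ts, host, action, target in sorted(map(parse, lines)):
        if action == "service_stop":
            service_stops[host].append(ts)
        elif action == "file_create" and target.lower().endswith(".txt"):
            drops[(host, basename(target).lower())].append((ts, dirname(target).lower()))
    alerts = []
    for (host, name), seen in drops.items():
        for i, (start, _) in enumerate(seen):
            # Distinct folders that received this file name inside the window
            dirs = {d for t, d in seen[i:] if t - start <= window}
            if len(dirs) >= min_dirs:
                alerts.append({
                    "host": host, "note": name, "dirs": len(dirs), "first_seen": start,
                    # Raises confidence: a service stop preceded the note burst
                    "security_stopped_before": any(s <= start for s in service_stops[host]),
                })
                break
    return alerts
```

On the constructed events, only ws01 is flagged; the README.txt files on ws03 share a name but are spread over hours, so they fall outside the window.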

How is ransomware as a service monetized?

Cybercriminals can
“subscribe” to Ransomware-as-a-service (RaaS) for free. Once they
become partners in the program, they pay for the service after the attack
happens. The payment amount is determined by a percentage of the ransom paid by
the victim, typically ranging from 10 percent to 40 percent of each
transaction. However, entering the program is no simple task, as it entails
meeting rigorous requirements.

Examples of ransomware as a service to know about

Cybercriminals have become adept at evolving their ransomware services so that
they can always meet the demands of the “clients” who buy RaaS. There is a wide
variety of ransomware as a service (RaaS) programs available on the dark web,
and having an overview of these can be useful in understanding how and why they
are a threat. Here are a few ransomware as a service examples that have become
widespread in recent years.

  • LockBit: This particular ransomware has breached the networks of many
    organizations by exploiting Server Message Block (SMB) and Microsoft’s
    PowerShell automation and configuration management program.
  • BlackCat: Written in the Rust programming language, this ransomware is easy
    to customize and can therefore be deployed against numerous system
    architectures.
  • Hive: An especially nefarious RaaS, Hive places its targets under
    significant pressure, forcing them to pay the ransom by publicly releasing
    details of the system breach and often counting down to when the stolen
    information will be leaked.
  • Dharma: Emails are the most common method for executing phishing attacks,
    and this RaaS, which has been responsible for hundreds of attacks, mimics
    these attacks by targeting victims through email attachments.
  • DarkSide: The malware from this ransomware group is believed to have been
    responsible for the 2021 Colonial Pipeline breach.
  • REvil: Perhaps the most pervasive RaaS group, this ransomware has been
    responsible for the 2021 attacks on Kaseya, which affected some 1,500
    organizations, and CNA Financial.

10 Tips for protecting devices from ransomware

Ransomware is just one of numerous threats that people must be cognizant of
while online, and one that can be challenging—and expensive—to recover from.
While it is impossible to neutralize these threats completely, there is a wealth
of measures and best practices that can enhance cybersecurity against RaaS—and,
indeed, mitigate many digital attacks. Here are 10 tips for protecting
electronic devices from ransomware:

  • Regularly back up data on a separate device—create multiple back-ups if
    necessary; organizations should also have a data recovery plan in place in
    case of an attack.
  • Use robust endpoint protection software that regularly scans and removes
    potential threats.
  • Ensure all software remains up to date and is running the latest security
    patches.
  • Enable multifactor or biometric authentication where possible.
  • Remember password hygiene—use a reliable password manager to generate and
    store strong passwords, and create different logins for different accounts.
  • Implement strong email scanning software to catch malicious emails and
    potential phishing attacks.
  • Develop and maintain a robust cybersecurity policy: pay attention to the
    outer perimeter and create a comprehensive cybersecurity policy that covers
    the entire organization. This policy should address security protocols for
    remote access, third-party vendors, and employees.
  • Since the stolen credentials may be put up for sale on the dark web, use
    Kaspersky Digital Footprint Intelligence to monitor shadow resources and
    promptly identify related threats.
  • Use the principle of least privilege to minimize administrative or system
    access to as few people as possible.
  • Implement security awareness training that covers RaaS cybersecurity and
    other potential threats.
  • Avoid clicking email links unless the source is known and trusted—if in
    doubt, type the website into the browser’s search bar and navigate to the
    page manually.

Of course, even the
most stringent protection measures will not always prevent a ransomware attack.
When the worst happens, there are still a few options to mitigate the fallout of these attacks.

The enduring threat of ransomware as a service

Ransomware is a
cybersecurity concern in and of itself. But the ransomware as a service
business model has turned this particular malware into a much larger threat by
giving more potential cybercriminals the ability to launch these attacks
without any particular expertise or knowledge. Because these attacks can have
such serious financial implications for the organizations—or individuals—who
are targeted, it is important to understand the various methods of protecting
systems from ransomware attacks. Many of these are basic cybersecurity best
practices, but organizations may want to consider further efforts such as
security training and regular backup on disparate systems.
