What is Ransomware as a Service?
Ransomware as a Service (RaaS) is a business model where affiliates commission ransomware developers (RaaS Operators) to use their tools for executing an attack, then in return share a percentage of the profits. Think of RaaS as a variation of Software as a Service (SaaS), where you would pay software owners to use their tools for conducting business.
An Affiliate will seek out reputable ransomware operators (ones whose software has a high chance of success and a low chance of discovery) and then strike a deal. In the past, ransomware actors would have had to write their own ransom tool, meaning the barrier to entry was quite high.
Nowadays, paying a ransomware group to use their tools and then splitting the profits has a much lower barrier to entry. Because of this, we can see an increase in ransomware activity globally. The number of ransomware incidents reported to the FBI’s Internet Crime Complaint Center (FBI IC3) increased by 20% from 2019 to 2020, with the average ransom amount increasing by 225%. Following this, the number of incidents increased a further 62% from 2020 to 2021, with the average ransom increasing by a further 20%.
RaaS revenue models
RaaS typically comes in 4 different revenue models:
- One-time License Fee
Affiliates pay a one-time fee, with no profit sharing.
- Monthly Subscription
Affiliates pay a flat amount every month to the RaaS Operators and earn a small percentage of each successful ransom.
- Profit Sharing
Profits are divided between Affiliates and RaaS Operators.
- Affiliate Program
A small percentage of profits goes to the RaaS Operator, with the goal being to run more efficiently.
But why does knowing the different RaaS revenue models matter? Since we know the plan of attack, we can look at the plan of defence! As RaaS Operators become harder to detect, EDR solutions equally become smarter at detecting malicious activity.
How do RaaS attacks work?
Before an attack, a RaaS operator will conduct recon on the victim by monitoring their environment using vulnerability tools and sniffers. It’s also beneficial for the operator to look up high-privilege users in the organisation to target via spear-phishing, such as senior IT personnel, payroll or company directors.
Now that they’ve scoped the environment, the operator can begin the attack – typically using the aforementioned spear-phishing technique or noisier phishing campaigns. The phishing email will contain either a link for the victim to click or a file for the victim to download, both resulting in the operator getting their “foot in the door”. Next, a malicious scheduled task is created on the victim’s computer, which will execute the ransom script at a future date.
Protecting against Ransomware as a Service
It’s almost impossible to block ransomware completely; however, we can focus our defences where they matter most, to mitigate impact and risk.
Here are our 5 top tips for protecting your organisation from RaaS attacks:
- Cyber Security Training
Ensure all employees are regularly trained to spot phishing emails, as most cyber attacks start here – reinforce your first line of defence!
- Principle of Least Privilege (PoLP)
Ensure all user accounts are given the minimum level of system access needed to perform their job. Granting too much access gives attackers more to gain from spear-phishing or privilege escalation.
- Regular Data Backup
It’s important to regularly back up your organisation’s data offsite or offline. This adds an extra layer of security, as attackers would need physical access to the storage drives. Should any critical data get encrypted by ransomware, you can safely restore from a previous backup.
- Monitor Software
Keeping a close eye on current software versions in your environment will help identify outdated packages. These pose a risk to users and devices, as unpatched software could be vulnerable to attack. Additionally, you can enforce an execution policy for programs in your environment, which will prevent unsigned or unfamiliar binaries from running.
- Monitor Scheduled Tasks
Most ransom scripts run via Scheduled Tasks, so monitoring these within your environment can give you an early advantage in stopping the ransom before it starts.
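The last two tips above come together in practice as a review of scheduled-task creation events. The following Python script is an added example, not code from the article or from Aspire; it takes the Task Scheduler XML carried in Windows Security Event ID 4698 (“A scheduled task was created”) records and scores each task for the traits a defender wants surfaced: an action that runs from a user-writable directory, a script interpreter launched with encoded, hidden or policy-bypassing arguments, and a first run deferred well into the future, the delayed execution described earlier. The event records, the path and argument patterns, the threshold and the time of “now” are all constructed for illustration.

```python
"""Triage scheduled-task creation events (Windows Security Event ID 4698).

Added example, not from the original article. Scores the Task Scheduler XML that a
4698 event carries in its TaskContent field. Event records, patterns and threshold
below are constructed for illustration and should be tuned to your environment.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta
from xml.sax.saxutils import escape

# Namespace used by real Task Scheduler task definitions.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Directories where a properly installed, signed application is not expected to live.
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\AppData|Temp|ProgramData|Public)\\", re.I)
# Interpreter arguments that hide the window, skip profiles, carry an encoded
# command or relax execution policy.
SUSPECT_ARGS = re.compile(r"(-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|-nop\b|bypass)", re.I)
INTERPRETERS = ("powershell", "pwsh", "cmd", "wscript", "cscript", "mshta", "rundll32")


def score_task(task_xml: str, now: datetime) -> tuple[int, list[str]]:
    """Return (score, reasons) for one task definition."""
    root = ET.fromstring(task_xml)
    score, reasons = 0, []
    for ex in root.findall(".//t:Actions/t:Exec", NS):
        cmd = (ex.findtext("t:Command", default="", namespaces=NS) or "").strip()
        args = (ex.findtext("t:Arguments", default="", namespaces=NS) or "").strip()
        if USER_WRITABLE.search(cmd) or USER_WRITABLE.search(args):
            score += 2
            reasons.append(f"action runs from user-writable path: {cmd} {args}".strip())
        base = cmd.split("\\")[-1].lower()
        if any(base.startswith(i) for i in INTERPRETERS) and SUSPECT_ARGS.search(args):
            score += 3
            reasons.append(f"interpreter with hidden/encoded/bypass arguments: {args}")
    for trig in root.findall(".//t:Triggers/t:TimeTrigger/t:StartBoundary", NS):
        start = datetime.fromisoformat(trig.text)
        if start - now > timedelta(hours=12):  # first run deferred, as in a delayed detonation
            score += 1
            reasons.append(f"first run deferred to {start.isoformat()}")
    return score, reasons


def triage(events: list[dict], now: datetime, threshold: int = 3) -> list[dict]:
    """Return the events whose task definition scores at or above threshold, highest first."""
    hits = []
    for ev in events:
        score, reasons = score_task(ev["TaskContent"], now)
        if score >= threshold:
            hits.append({"TaskName": ev["TaskName"], "User": ev["SubjectUserName"],
                         "Score": score, "Reasons": reasons})
    return sorted(hits, key=lambda h: -h["Score"])


def task_xml(command: str, arguments: str, start: str) -> str:
    """Build a minimal task definition in the shape a 4698 TaskContent field carries (constructed)."""
    return (f'<Task xmlns="{NS["t"]}"><Triggers><TimeTrigger>'
            f"<StartBoundary>{start}</StartBoundary></TimeTrigger></Triggers>"
            f"<Actions><Exec><Command>{escape(command)}</Command>"
            f"<Arguments>{escape(arguments)}</Arguments></Exec></Actions></Task>")


NOW = datetime(2024, 3, 1, 9, 0, 0)  # constructed reference time

# Constructed 4698 records: one routine Defender task, one deferred encoded PowerShell
# launch (the base64 is dummy text, not a payload), one updater in ProgramData, and one
# policy-bypassing script run from a user's Temp directory.
SAMPLE_EVENTS = [
    {"EventID": 4698, "SubjectUserName": "SYSTEM",
     "TaskName": "\\Microsoft\\Windows\\Windows Defender\\Windows Defender Scheduled Scan",
     "TaskContent": task_xml(r"C:\Program Files\Windows Defender\MpCmdRun.exe",
                             "Scan -ScheduleJob", "2024-03-01T10:00:00")},
    {"EventID": 4698, "SubjectUserName": "jsmith", "TaskName": "\\OneDriveUpdateCheck",
     "TaskContent": task_xml(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                             "-NoP -W Hidden -Enc QQBBAEEAQQBBAEEAQQBBAA==", "2024-03-04T03:00:00")},
    {"EventID": 4698, "SubjectUserName": "jdoe", "TaskName": "\\Updater",
     "TaskContent": task_xml(r"C:\ProgramData\Updater\update.exe", "/silent", "2024-03-01T09:30:00")},
    {"EventID": 4698, "SubjectUserName": "jsmith", "TaskName": "\\OfficeTelemetry",
     "TaskContent": task_xml(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                             r"-ExecutionPolicy Bypass -File C:\Users\jsmith\AppData\Local\Temp\t.ps1",
                             "2024-03-05T02:00:00")},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS, NOW):
        print(f"{hit['Score']:>2}  {hit['User']:<8} {hit['TaskName']}")
        for reason in hit["Reasons"]:
            print("     -", reason)
```

Run against the constructed records, the Defender task scores 0, the ProgramData updater scores 2 and stays below the threshold, and the two PowerShell tasks score 4 and 6 and are reported first. The scoring is deliberately additive so that a single weak signal (an installer in ProgramData) is not an alert on its own, while the combination of a hidden interpreter launch and a deferred start is; in a real deployment the task XML would be read from the event log export or a SIEM rather than built inline.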
There are many different types of RaaS on the dark web, but the popular ones to look out for are:
- LockBit – Starting in 2019, LockBit has become a household name in the cyber security industry. Formerly known as ‘ABCD’, LockBit utilises a self-spreading operation to quickly and efficiently ransom a network.
- Egregor – This is believed to be a replacement for Maze RaaS, which was shut down in September 2020. Egregor is targeting mostly European organisations, such as Crytek and Ubisoft.
- REvil – Known for taking ransom money from victims and then ignoring their messages, they put the Evil in REvil. They started in 2019 by exploiting Oracle WebLogic servers, then went on to launch an $11 million attack during the Covid pandemic and to attack an Apple supplier, stealing confidential schematics of upcoming products!
- Dharma – The Dharma family of ransomware is one of the oldest operating gangs, first appearing in 2016. They are known for being the most profitable RaaS solution for a new cybercriminal to partner with (developers earn 30-40% of any ransom).
How can Aspire help?
At Aspire, we offer a range of managed cyber security services to combat all types of online threats. From hosted firewalls and content filtering to advanced threat protection, anti-virus and endpoint detection and response, we will work with you to design and implement a full security solution.
We can implement tailored incident response plans, managed next-generation EDR & SIEM, e-mail protection, vulnerability management and more.