Fighting Ransomware-as-a-Service

Melissa DeOrio at S-RM describes the dark business model driving ransomware attacks

Ransomware-as-a-Service (RaaS), the business of selling or renting out ransomware operations, lets cyber-criminals of any skill level run sophisticated and highly damaging ransomware campaigns without the technical capability that has traditionally been a barrier to entry for online crime.

There is a clear draw to RaaS for seasoned threat actors, too. The creators of the ransomware, usually referred to as ‘operators’, share in the profits raised by their affiliates and typically enjoy greater anonymity, since they rarely engage directly with victims. The model also scales: distributing the ransomware to affiliates around the world multiplies the number of attacks, and the profits, without the operators having to run each intrusion themselves.

A ransomware attack is a headache for any organisation: operations can be brought to an immediate halt, and further financial losses follow if a ransom is paid. It is therefore critical that cyber-security professionals are diligent in cracking down on both RaaS administrators and the individuals who use their services.

A profitable cyber-crime model

Ransomware has become a favoured weapon for cyber-criminals over the past decade, and 2024 shows no sign of reversing the trend. Malign actors continue to use ransomware in their operations, notably against critical national infrastructure across the UK. Earlier this year, a significant breach compromised sensitive NHS patient data and disrupted operations for weeks, underlining the seriousness of the threat.

A key factor behind the rise in these attacks has been the emergence of RaaS, a business model that first appeared in 2015. Under it, cyber-criminals skilled in developing and maintaining malicious software sell or rent their ransomware platforms to other criminals, known as affiliates, who are free to carry out attacks of their own.

Once payment is made, affiliates are given personalised access to the platform and can distribute the ransomware at will.

Fuelled in part by cryptocurrency, which lets ransoms be collected pseudonymously and outside the regulated banking system, the model has proven profitable for operators and affiliates alike. The developers take a cut of each ransom, while affiliates can see returns on investment as high as 1400%, according to AXA XL, making it a lucrative venture for all parties involved.

Remarkably, many RaaS offerings include technical support, so individuals with little or no technical expertise can carry out sophisticated ransomware attacks. In theory, anyone with an internet connection can conduct a ransomware attack using RaaS.

For operators and affiliates alike, the appeal is clear: the accessibility and scalability of the RaaS model provide a profitable, easy-to-use scheme for would-be attackers.

A significant threat

RaaS platforms put sophisticated ransomware tools within reach of virtually anyone, expanding the pool of cyber-criminals by lowering the barrier to entry. With more actors able to launch attacks, the frequency of incidents has risen sharply: between 2018 and 2023 the number of ransomware attacks increased by 13%, and analysts predict that by 2031 a ransomware attack could occur every two seconds.

RaaS platforms aren’t just an outlet for individuals who lack technical skills; they also attract experienced cyber-criminals, and high-profile threat actors continually shift between the most active RaaS operations.

RansomHub, for example, has attracted well-known affiliates, including cyber-criminals who previously operated under the BlackCat (also known as ALPHV) brand, and has rapidly established itself as a major RaaS operation.

RansomHub’s rapid rise is backed by a lucrative financial offer: where the administrators of most RaaS operations keep 20-30% of each ransom, RansomHub lets affiliates keep an eye-watering 90%. Financial rewards on that scale lure more cyber-criminals into the ecosystem, increasing both the frequency and the sophistication of ransomware attacks.

RansomHub’s acquisition of source code from the operators of Knight ransomware shows how RaaS groups can leverage existing tooling to scale quickly and complicate attribution. Acquiring existing code cuts the time and cost of bringing a new RaaS to market, brings the unique functionality of an established codebase with it, and lets aspiring operators build upon ransomware with proven efficacy.

The fluid movement of affiliates between groups, exemplified by Velvet Tempest’s shift from BlackCat to RansomHub, also shows that cyber-criminals are quite capable of regrouping and finding new avenues for ransomware attacks even when a major RaaS provider is shut down.

Combatting RaaS and the threat actors involved

Combatting RaaS is not a simple task. Takedowns and dissolutions frequently lead to the emergence or rise of another group: RansomHub rose after BlackCat’s takedown, Egregor after Maze’s dissolution, and DarkSide affiliates moved first to BlackMatter and then, when that group deteriorated in late 2021, to BlackCat and LockBit. This persistence complicates efforts to dismantle these operations.

That said, tracking threat actors such as Velvet Tempest as they move between groups can surface traceable actions and heap pressure on the individuals involved by reminding them that they are under surveillance. Threat actors thrive on anonymity, and exposing their activities undermines confidence in a group’s operational effectiveness.

Inflicting long-term disruption on ransomware groups, especially those operating in jurisdictions beyond the reach of international law enforcement, is difficult.

A more effective strategy is to understand how these criminal communities operate and find ways to break the trust between operators and affiliates on which they depend to function effectively.

Tracking RaaS threat actors also improves incident response. Understanding the inner workings of these groups, the connections between them and the affiliates who use each offering makes forensic analysis and negotiation with the threat actor more effective, and ultimately speeds recovery for the affected organisation.

RaaS isn’t new, but as ransomware attacks surge there is reason to suspect it is fuelling the fire. Some of the most high-profile attacks have been traced to RaaS groups such as RansomHub, so hitting them where it hurts needs to be a top priority.

By closing in on the key players and tracking their movements, cyber-security professionals can disrupt these operations and begin reducing the attacks, both now and in the future.

Melissa DeOrio is Global Threat Intelligence Lead at S-RM

© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543