While most hackers worldwide are ordinary, nosy individuals experimenting with malicious code, the underworld can also adopt a sophisticated business model. Ransomware developers sometimes lease out their malware to lesser-skilled criminals, who then carry out the campaign. That is why ransomware as a service has become so rampant.
But what exactly is Ransomware-as-a-service? How does it work, and who sits at the apex of the hierarchy pyramid? Our article digs deep into the underworld and lights up the dark web for you to see what exactly the criminals are doing. And most importantly, we recommend a few security tactics to keep you safe!
How Ransomware-as-a-Service (RaaS) works: The RaaS business model
Most RaaS operators do not run on conventional contracts the way legitimate businesses do. Criminal schemes seldom spell out formal terms of service, but they adapt familiar business models to fit their underworld trade.
Studies of underworld businesses reveal that these criminal enterprises borrow models common among legitimate companies. For instance, a lower-skilled hacker who lacks the technical know-how to write code may still have adequate phishing skills.
So, the deep web operator hands the top-tier ransomware program to low-level hackers for a fee. Sometimes, it even comes with customer support and software updates. The hacker then deploys the software through social engineering attacks.
Think of RaaS as a software company renting out its software for malicious purposes.
Examples of Ransomware-as-a-Service business models
So, how do ransomware developers relate to RaaS subscribers? Here are a few business models they use:
1. Affiliate RaaS programs
To create a large network of ransomware hackers, the criminal provides top-tier hacking technology to lesser criminals. The affiliate program lets users share the profits by referring the technology to other hackers.
The most popular versions of RaaS on the black market are affiliate programs. Referrals are especially popular because they lend the malware a sense of brand strength. Many prominent ransomware families use affiliate referral models because they increase brand recognition and advertise the success rate and services offered.
However, a few criminal syndicates prefer to keep the ransomware code to themselves. They identify hackers they can team up with to breach a company’s network and then instruct those hackers on how to deploy the malware on its systems.
2. Subscription-based RaaS
Some cyber criminals pay a monthly or annual subscription fee to access the ransomware. Sometimes, the service provider also supplies malware updates and technical support. This puts the ransomware operation on a professional, subscription-style footing, just like Netflix, Microsoft Office 365, or Spotify.
Sometimes, the ransomware criminals pay upfront for all the ransomware services. Some services cost the user about $50 a month, and the criminal keeps all the ransom payments. Other providers run pay-to-play programs in which users pay every time they use the ransomware.
3. Lifetime RaaS license
Some ransomware providers are simply tech gurus with no interest in taking on the risks of criminal campaigns themselves. So, they sell the package outright instead of offering it through subscription, affiliate, or pay-to-play schemes.
The programmer is not directly involved in the cyberattacks. Once the perpetrator pays the upfront fee, the software writer gives them lifetime access.
In most cases, RaaS lifetime licenses are the expensive option. Cyber crooks opt for the one-off purchase to break the trail leading back to them in case the original operator is caught.
4. RaaS partnerships
Some criminal establishments involve more than one party. So, ransomware attackers assemble as a team, with each member playing a distinct role in the criminal activity.
One partner writes the ransomware code, another acts as the social engineer who breaches the corporate network, and a third handles the ransom negotiation. They then split the ransom among the partners according to each one’s role and position in the campaign.
Most feared RaaS groups
Some ransomware attacks are the work of lone individuals harassing unsuspecting people. Others are the carefully planned campaigns of well-organized, sophisticated RaaS gangs.
Ransomware syndicates are the target of international law enforcement. So, they keep changing, vanishing, rebranding, and reappearing daily.
Some of these gangs are properly coordinated and run professionally. Organized gangs are behind the largest share of cyber attacks on big corporations and government agencies.
Interestingly, the majority of high-profile cyber criminal organizations come from Eastern European countries, especially the former Soviet Union. These gangs tend to target countries that oppose Russia and the former USSR, while refraining from attacking Eastern European countries.
Online security forensics experts have discovered that the code of some of these programs prevents the malware from running on any computer whose default language is Ukrainian, Belarusian, or Russian.
But who exactly is behind these criminal gangs out to eat your business and corporate revenues for lunch? Which are the largest and most prolific ransomware criminal organizations in the world? Check them out below!
1. Darkside RaaS affiliates gang
Do you remember the summer ransomware attack on the Colonial Pipeline? The DarkSide ransomware gang shut down an oil pipeline to the East Coast and caused gas shortages. The sophisticated and well-established criminal organization and its affiliates have blackmailed many schools, hospitals, and non-profit organizations in English-speaking countries.
Darkside may be a newcomer in underworld history, but it has made a big name for itself by targeting large Fortune-listed organizations. The group and its affiliates have a strict code of conduct and an innovative business structure.
Recently, Darkside RaaS operators launched a distributed storage system for stolen data. Distributing the storage not only makes it easier for cybercriminals to exfiltrate information from their victims but also makes it very hard for authorities to take down the websites that sell the stolen data.
2. REvil RaaS gang (Sodinokibi)
According to the security company BlackFog, REvil was responsible for more than 13% of all ransomware attacks in 2021. The group was behind the cyber extortion of Acer, the electronics giant, and JBS Foods, among others.
Also known as Sodinokibi, the ransomware group also targeted patients and staff members of the Las Vegas-based University Medical Center. They stole scans of credit cards, passports, driver’s licenses, and social security cards from innocent people.
3. Netwalker RaaS gang (Mailto)
Netwalker, or MailTo, is another malware group behind ransomware attacks on hospitals, universities, and law enforcement agencies. In 2021, the group attacked the University of California and forced it to cough up $1.14 million in ransom. They have also targeted Equinix, Michigan State University, and the Australian company Toll Group.
4. Ryuk RaaS group (Conti)
As one of the most prolific ransomware gangs of 2019 and 2020, Ryuk accounted for about an eighth of all ransomware attacks. The malware targeted hospitals in New York, Oregon, and California, as well as in the UK and Germany.
Conti caused a lot of trouble for patients who needed to access their medical records, putting the lives of those in critical care units at greater risk. The gang was also responsible for the cyber-attacks on Sopra Steria in Europe, the law firm Seyfarth Shaw, and Universal Health Systems.
5. Clop RaaS mafia (Fancycat)
In June 2021, Ukrainian police busted members or affiliates of the Clop, or Fancycat, criminal enterprise. Law enforcement seized supercomputers, luxury cars, and lots of cash from the suspects.
The Clop Fancycat ransomware organization mainly targeted universities in America, Belgium, and the Netherlands, such as the University of Colorado and the University of Antwerp.
Other notorious ransomware threats
- Encryptor
- Satan
- Cerber
- Hostman
- MacRansom
- FLUX
- Fakben
- Tox
- ORX Locker
- Atom
- Alpha Locker
- WannaCry
- Hidden Tear
- Janus
- Egregor
- Ransom3
How to prevent ransomware gangs from attacking you
While most cybercriminals target big corporations, the rise of RaaS means that even small-time hackers can launch powerful ransomware. It is, therefore, no longer a problem only for the rich: your small business could be the next target of a crippling ransomware attack.
Some common risk factors that make you vulnerable to ransomware attacks:
- You do not back up your files.
- You run outdated software and old devices.
- Cybersecurity is never a priority; therefore, you have no strategy to respond to a cyber attack.
- Your operating systems and browsers are out of date and unpatched.
- Too many staff members can access your company’s servers and data.
So, when implementing ransomware mitigation strategies, you have to combine staff education, changes to the company’s culture and software security systems, and constant monitoring of your ecosystem.
Here are a few ways that you can prevent ransomware gangs from attacking you:
- Update your software regularly: Most software companies provide the latest security updates and patches that fix vulnerabilities, so update your operating system and other software regularly.
- Keep off unsafe links: Most cyber attacks happen when you click malicious links and unknowingly download ransomware.
- Protect your personal data: Never give out your personal data to anyone. Most hackers send social engineers to phish your login details and passwords. They pretend to be tech support and obtain your personal information through calls, text messages, and emails.
- Don’t open suspicious attachments: Most hackers don’t have direct access to your physical infrastructure. So, they send emails with the ransomware attached. If you open one of these attachments from a suspicious source, the malware downloads and installs itself, taking control of your computer.
- Avoid unknown USB drives: Don’t insert random USB sticks into your device. Hackers know that people are curious and love free stuff. So, they often leave USB sticks containing ransomware in public places, hoping a potential victim will plug one into their computer.
- Say goodbye to torrenting websites: RaaS operators could be hiding behind a website, such as a popular movie site, ready to offload their malicious programs onto your device. While a few torrenting websites are reputable, cyber criminals can easily disguise ransomware inside popular movies or software uploaded there. Never forget that free things on the internet always come with a catch!
- Install a VPN: The importance of a virtual private network cannot be overstated. You must create a secure connection every time you use public Wi-Fi or send files, and ensure you’re anonymous enough that your data cannot be traced back to you. ExpressVPN is the best online privacy tool to protect you from hackers and other snoops.
- Use robust antivirus software: Ordinary antivirus programs will neither detect nor delete ransomware. So, ensure you always have the strongest, most reliable services on your devices. We recommend you use Norton or any other good antivirus of your choice for your computers.
Other anti-ransomware protection strategies:
- Incorporate the principle of least privilege: only allow access to information to the people who need it.
- Educate your staff on social engineering prevention.
- Enforce software restriction policies (SRP).
- Back up your data regularly.
- Monitor vendors and third parties.
- Store your data on external hard drives and the cloud as well.
- Monitor and address all the risks and vulnerabilities that may expose your business to cyberattacks.
RaaS for mobile phone attacks
Criminals are not just looking to attack giant corporations. They also unleash mobile ransomware that targets your smartphone and blocks your access to the device until you pay the attacker.
Once they infect the device with the malware, a pesky message demands payment before you can unlock your phone. And once you pay, they send a code that decrypts the data on the device.
Usually, attackers hide mobile ransomware in third-party application repositories that look legitimate. The hackers imitate popular applications, such as your favorite social media or gaming platform. When an unsuspecting user downloads the fake app, it unleashes the malware.
Often, mobile ransomware infects phones when users visit malicious websites or click suspicious links in text messages or emails.
So, how do you keep yourself safe from mobile malware attacks? Here are tips to help you avoid becoming the next victim of smartphone RaaS:
- Stick to the Google Play Store or Apple App Store: Avoid downloading applications from third-party app stores unless you are an online security guru.
- Avoid clicking on any links in your spam emails or suspicious text messages from unknown people.
- Limit the permissions and privileges you give to your apps. Unless you trust the application absolutely, do not grant it administrator permissions or privileges.
- Update your device’s system software regularly.
- Back up your data.
RaaS at home IoT devices: Internet of Things (IoT) ransomware
The Internet of Things forms a network that connects devices and appliances with software and the cloud. With IoT, you can switch off your lights, or command Google Home, Siri, or Alexa to turn off the fridge or turn up your music.
The Internet of Things has become a tech trend, especially in powering wearable devices, smart homes, healthcare, agriculture, retail shops, self-driving cars, and the manufacturing and service industries.
But while you see technology making your life easier and better, hackers see opportunities to drain your accounts. IoT ransomware attacks are gaining momentum, so security experts constantly watch for potential malware attacks on the Internet of Things.
Ransomware campaigns against the Internet of Things could increase the impact of attacks, especially on critical infrastructure and ordinary homes. The US Cybersecurity and Infrastructure Security Agency (CISA) has published a fact sheet warning about the threats of such an attack.
Ransomware attacks on IoT systems can bring infrastructure and organizations to their knees. Attackers who target IoT systems can halt industrial control system (ICS) processes. One ransomware group disrupted such processes and shut down the Colonial Pipeline.
The problem with most homes and offices is that nobody checks the router after installation unless something goes wrong. Hackers often target routers, which then distribute the malware to the other devices on the network.
Researchers tested the impact of ransomware attacks on coffee machines and thermostats, and the results were scary. Criminals can shut down your smart home at the click of a button!
The application of the Internet of Things came to the fore during the coronavirus pandemic. Many industries enjoyed the benefits of IoT when social distancing and remote work were the order of the day. But as ransomware technologies evolve, people and organizations must beef up their defenses against malware attacks.
Hit by RaaS: Should you pay the ransom?
The first thing that comes to mind when ransomware cybercriminals attack you is panic. You still have the device in your hands but cannot use it. So, you fear that the criminal could go ahead and execute their threats. The possibility of spending several weeks waiting to recover the data, combined with the thought of the losses, puts you in an adrenaline rush.
But while you may feel like paying the ransom as quickly as possible, law enforcement agencies advise you not to. The problem is that you cannot make the hackers commit to not launching more ransomware attacks after you pay. Also, you cannot be sure they will decrypt your data once you pay.
Reports show that while 66% of companies swear they’d never pay the ransom, a staggering 46% of victims pay when faced with the actual decision! The hacker knows that the victim is under pressure to return to normal operations.
So, the criminal sets a ransom that is cheaper than hiring specialist security firms to try to decrypt the data. Most companies end up paying because having the attackers restore the data is cheaper and quicker!
Why you should not pay the RaaS ransom demand
While it is understandable for organizations to pay the ransom from a purely financial point of view, it’s not a good idea, and here’s why:
- Beware of scareware: At least call in experts to analyze the attack. The ransom message could be an empty threat from someone who has no access to your data.
- Communication breakdown: After you pay the ransom, the criminal syndicate may not follow up to guide you on decrypting your data. The decryption key may not work, and the criminals may just tell you they delivered what they promised.
- Negotiating with cyber-terrorists: Do not forget that you are still dealing with the same heartless, malicious cybercriminals who would do anything to steal your money. There is no guarantee that they will be moral enough to keep their word and decrypt the data after you pay the ransom. Reports show that 20% of organizations (and 92% of victims as a whole) that pay the money demanded never get their files back.
- Gateway to future attacks: If you pay the ransom, you just show the cybercriminals that you’re an easy target with a good history of paying the ransom.
So, what should you do to get your files back if you don’t pay the ransom to the hackers? We have a way out for you: scan, identify, and remove the malware to recover your files.
How to remove and recover from ransomware attacks
The attackers cannot guarantee to restore encrypted data. Remember, these are malicious and immoral people out to get money from you. So, you cannot trust someone with no ethics to honor their word even after you have paid the ransom. You must find ways to remove the ransomware from your systems yourself.
If you are a victim of a ransomware attack, you should plan to reboot your system in safe mode and then install an antimalware program. Then, scan the files for any malware and delete it. Or, if you can’t find the specific malware, restore your systems and servers to a previous, uninfected state.
Also, you can format the entire disk and delete the files in the cloud. Then, you can restore your system with the help of backup files from a separate drive.
If you run your systems on Windows, you can use the “System Restore” feature to roll back to a marked point in time. Of course, you must have enabled the System Restore functionality long before the date you want to restore to.
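Added example, not taken from the article: a Windows PowerShell 5.1 snippet (run in an elevated session) that turns on System Restore for the system drive, creates a restore point, and lists the most recent ones, so you can confirm there is something to roll back to before an incident rather than after. The drive letter is an assumption about your setup; the cmdlets and registry value are standard Windows ones.

```powershell
# Added example (not from the original article). Requires Windows PowerShell 5.1
# running as Administrator; these cmdlets are not available in PowerShell 7.
# Assumption: C:\ is the system drive you want protected.
$Drive = "C:\"

# Turn on System Restore for the drive. Harmless if it is already enabled.
Enable-ComputerRestore -Drive $Drive

# Windows normally refuses to create more than one restore point per 24 hours.
# Setting this frequency to 0 removes that limit so a scheduled checkpoint is never skipped.
$SrKey = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore"
Set-ItemProperty -Path $SrKey -Name "SystemRestorePointCreationFrequency" -Value 0 -Type DWord

# Create a restore point now (for example from a scheduled task before patch day).
$Description = "Baseline before patching $(Get-Date -Format 'yyyy-MM-dd')"
Checkpoint-Computer -Description $Description -RestorePointType "MODIFY_SETTINGS"

# Verify that restore points actually exist. An empty list means there is nothing
# to roll back to, which is exactly the situation the article warns about.
$Points = Get-ComputerRestorePoint
if (-not $Points) {
    Write-Warning "No restore points found on this machine."
} else {
    $Points |
        Sort-Object SequenceNumber -Descending |
        Select-Object -First 5 SequenceNumber, Description, CreationTime |
        Format-Table -AutoSize
}
```

Restore points and shadow copies live on the same disk as the data, and ransomware routinely deletes them before encrypting, so treat this as a convenience for rolling back bad updates, never as a substitute for the separate-drive and cloud backups recommended above.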
In general, follow this process to identify and remove RaaS ransomware from your systems:
- Always create a system backup of all your essential files. If you get hit, you will use this backup to restore your files.
- After you are attacked, install antivirus software to identify and clean up the infection.
- Use the antimalware program to quarantine the ransomware. Make sure to check for any backdoors the cybercriminals may have planted to regain access to the system at a later date.
- Now, analyze the ransomware so you can know the best decryption method. Check the type and encryption method that the attackers used in their programs so you can find ransomware decryptors and recovery tools.
- Ransomware recovery tools such as McAfee Ransomware Recover (Mr2) can identify and even decrypt the infected files. However, ransomware technologies evolve every day, so there is no guarantee that any tool will work for every RaaS malware out there.
Ransomware evolution: The history and future of RaaS
The AIDS Trojan horse virus was the first ever documented piece of ransomware. Harvard biologist Joseph Popp distributed about 20,000 floppy disks labeled “AIDS Information Introductory Diskette” in 1989.
He targeted HIV and AIDS researchers at the World Health Organisation’s international conference. Attendees who ran the diskette encountered ransomware that locked the files on their computer drives. The computers remained unusable until they were unlocked by sending $189 to a post office box.
Fortunately for them, the program was poorly made: it relied on simple symmetric cryptography, so victims could bypass the virus and decrypt their files.
Joseph Popp was soon arrested, imprisoned, and charged. But his idea gained traction, and by the time he died in 2007, organizations were already suffering ransomware attacks. By the mid-2000s, cybercriminals had invented sophisticated encryption programs that they used to extort and blackmail corporations and agencies.
The Archievus ransomware was the first major malware attack to use RSA asymmetric encryption. Then, in 2012, Reveton took over systems and accused victims of participating in illegal activity. The virus mimicked the victims’ webcam and blackmailed them into paying a $200 ransom.
While Popp acted alone, ransomware attacks today are the work of organized gangs and sometimes acts of cyber warfare by governments. Although law enforcement was able to track Popp through the postal address, it is difficult to trace ransomware criminals today because they use cryptocurrencies.
Cryptocurrencies rely on anonymous transactions on the blockchain that are untraceable. So, no one can follow the money trail to understand with whom exactly the buck stops.
Ransomware has evolved from a small floppy disk demanding a $189 ransom to a sophisticated ransomware-as-a-service trillion-dollar industry extorting billions annually! Today, money-demanding malware attacks all systems, including the Internet of Things, mobile phones, personal computers, and state infrastructure.
In most cases, the malware has evolved from Joseph Popp’s simple symmetric cryptography program to today’s complex RSA and AES encryption. And criminal organizations make it available as RaaS on the dark web.
In the last five years, more than 50% of all cyber attacks were in the form of RaaS. The fact that the malware is easy to use for people with no technical experience makes it appealing. The future of Ransomware as a Service looks promising for the underworld and scary for businesses and organizations.
The uptick in ransomware attacks, especially on critical infrastructure such as energy, healthcare, transportation, and universities, calls for corporate and government interventions. But most importantly, you must invest heavily in staff training and proactive threat detection!
Why the popularity of RaaS is increasing
Reports claim that 4,000 ransomware attacks have happened daily on average since 2016.
According to media reports, the amount of money paid in ransom to cyber criminals rose by about 500% during the pandemic. The same reports state that organizations paid $400 million in 2020, a stunning $765.6 million in 2021, and $456.8 million in 2022!
This exposes a scary trend of increased campaign activity by online extortionists. The trend has motivated cybersecurity insurance providers to send their premiums for SMEs through the roof!
While the financial constraints of the pandemic era are partly to blame for the increase in ransomware attacks, RaaS business models are at the core!
The popularity of RaaS among amateur hackers means they can target more organizations and execute more campaigns. Here are reasons why RaaS’ popularity continues to increase:
1. RaaS is less risky
Malware developers can now sit down and perfect their craft without taking the unnecessary risk of executing campaigns. In the past, a hacker had to write the code, break into a corporate network and infect it with ransomware, and still negotiate the extortion ransom.
Today, developers can do what they do best from behind their computers! The campaigns and negotiations are the work of social engineers and lesser-skilled hackers. The developers can, therefore, sit back, take a cut of the ransom, and let the franchisees do the dirty work.
2. Increased profits for original ransomware programmers
Ransomware as a Service is popular, especially due to the large profit that criminals make. The new business model allows programmers to establish a sophisticated criminal syndicate that runs professionally like a Fortune 500 company.
So, they have independent staff members at every level of the company hierarchy. Some RaaS operators offer blackhat affiliate programs that leave low-skilled workers drooling over the multimillion-dollar Bitcoin payout!
Many criminal organizations prefer this model instead of traditional malware attack campaigns.
3. Increase in the number of amateur hackers needing high-level ransomware
Cybercriminals who opted for the RaaS business model have reached way more companies and ordinary people than conventional ransomware hackers. Even low-skilled workers can now perpetrate high-level attacks on corporations and organizations.
Low-skilled workers no longer need to wrap their heads around sophisticated programming languages. Instead, they just buy the ready-made program from the darknet and run the campaign.
FAQs
Whether you are a financial or professional service provider or work in the manufacturing industry, you are a target of ransomware attacks. RaaS syndicates are leaving no one behind; nobody is safe, including energy, healthcare, retail, and government agencies. As long as you deal with sensitive data, personal identification, or financial information, you are the ideal target of these hackers.
According to IBM, the average ransom payment is pegged at $4.5 million. The average ransom payment by small businesses is about $812,360.
Locky, Goliath, Shark, Encryptor, Jokeroo, and Stampado are examples of well-known RaaS kits. However, many other RaaS providers regularly disappear and reappear (after reorganizing) with newer and better ransomware variants.