Ransomware as a Service (RaaS)

an illegal activity

In 2019, ransomware cost businesses around the world a staggering $11.5 billion. MSPs were particularly hard hit, with attacks targeting their most important customers, including government agencies, healthcare providers, and other critical service providers.

According to Datto, 59% of MSPs reported ransomware attacks targeting their customers in the first half of 2019. The average ransom demanded increased by 37% and the cost of downtime ($5,900) is 23 times higher than the average ransom demanded in 2018.

As if these bad figures weren’t enough, Ransomware as a Service (RaaS) is enjoying tremendous success. And for good reason: for around $50, any aspiring hacker can subscribe to RaaS, allowing them to attack any business they choose.

What is Ransomware as a Service?

RaaS is a subscription service that includes everything a hacker needs to launch a ransomware attack. A typical RaaS subscription costs around $50 and includes ransomware code and a decryption key. However, the kits offered vary in terms of what they include. The most sophisticated offerings include customer support and dashboards that allow hackers to track their victims, including the status of infections and ransom payments.

Designed by cybercriminal organizations, RaaS simplifies the development and execution of ransomware. It even allows less experienced hackers to try their hand at it. Some organizations allow users to use their product for a monthly subscription fee, while others opt for a commission of up to 70% of the ransom paid.

Like companies specializing in SaaS, RaaS developers regularly release new versions of their software for their customers and affiliates. Their websites, hosted on the dark web, are just as sophisticated and effective as e-commerce sites. Like SaaS subscriptions, many RaaS subscription models offer multiple tiers (bronze, silver, and gold), with the highest tiers providing access to more attractive features and support.

RaaS organizations

Among the Ransomware as a Service (RaaS) developers identified on the dark web are RainMaker Labs, GandCrab, Sodinokibi, and more recently, Jokeroo. RainMaker is behind the Philadelphia ransomware, which made headlines in 2017. Although the Philadelphia RaaS offering was considered by some members of the IT community to be far less sophisticated than its competitors, it was well presented and accompanied by a high-quality video.

The group that created the GandCrab ransomware claims to have extorted $2 billion from victims around the world. In a rare moment of compassion, one of its developers published an encryption key in 2019 for Syrian victims who had publicly spoken about the trauma of losing access to photos of their deceased children. A decryption tool was quickly created by security researchers. Since then, GandCrab has not been heard from again.

According to Bleeping Computer, the organization had 392 affiliates at the height of its activity. Although the group disappeared in October 2019, it is likely that it reformed to create Sodinokibi, the ransomware behind some of the biggest attacks of 2019. Researchers have noted striking similarities between GandCrab and Sodinokibi. However, differences in the personalities of the developers of the two ransomware programs suggest a change in the group’s leadership.

Sodinokibi has a Ransomware as a Service model that is far superior to GandCrab's in terms of organization and technical sophistication. It is distributed and customized according to the specific needs of each of its dozens of affiliates. In a 2019 article in BankInfoSecurity, a representative of Connecticut-based security firm Coveware claimed that some of the affiliates were particularly experienced in attacking MSPs and other IT service providers. Sodinokibi did indeed target numerous MSPs in 2019, including Synoptek, PerCSoft, CyrusOne, and LogicalNet.

The Jokeroo organization was first spotted in March 2019, when it announced its presence on Twitter. Jokeroo offers several subscription levels, as well as an efficient interface featuring a list of victims and ransom demands, and a tool for creating customized ransom demands.

Deployment of RaaS packages

RaaS operators know that to attract more customers, they need to offer a product that is easy to use. Sodinokibi is certainly a highly sophisticated piece of malware, but like most of its counterparts, it can be distributed via a simple email.

Phishing remains the most widely used delivery method for all types of ransomware, accounting for 67% of attacks. Recent ransomware attacks attributed to phishing emails have notably affected New Orleans, Louisiana, and Durham, North Carolina. Both cities saw all of their operations shut down, including emergency call centers and fire stations.

Creating and sending phishing emails does not require any special skills, and the methods used to circumvent email filters are constantly evolving. In addition, beginners can rely on the support of criminal phishing organizations that offer their own SaaS services.

Phishing-as-a-Service (PhaaS) is, like Ransomware as a Service (RaaS), an all-in-one hacking solution. A typical phishing kit includes phishing emails, phishing web pages, email lists, and even tools to avoid detection. Together, RaaS and PhaaS provide hackers with all the tools they need to launch an attack.

Protect yourself from ransomware

The availability of RaaS and PhaaS opens up unlimited opportunities for hackers with little or no experience. What’s more, by attacking MSPs, they can multiply their targets in a single operation. To protect your business, implement the following measures:

  • Backups: Perform regular backups and store them on a separate device to ensure that hackers cannot access your files.
  • Updates: Regularly update all software and install patches to protect against known and unknown system vulnerabilities.
  • Protection against phishing and ransomware: Invest in a leading phishing protection solution that can detect and block phishing emails at the point of delivery and click.
  • User training: Provide phishing awareness training to teach your users how to spot the signs of phishing, as well as contextual training to reinforce that knowledge when they click or respond to a phishing email.
