RaaS: What Is It and Why Is It Making Ransomware More Prevalent?
Ransomware-as-a-Service (RaaS) is an arrangement in which malware authors franchise their ransomware out to affiliates. Forbes explains that a RaaS arrangement involves the franchisers providing franchisees with everything they need to encrypt a victim’s data. In exchange, affiliates agree to hand over a percentage of whatever profits they make to the developers.
Let’s look at REvil’s RaaS operation as an example. Per Bleeping Computer, developers make their crypto-malware available to affiliates, and they take upwards of 30% of ransoms collected by the affiliates. This arrangement rewards affiliates for selecting a target and developing an attack chain, leaving the developers to designate a ransom amount, communicate with the victims, and split the money.
How RaaS Operations Benefit Digital Criminals
RaaS schemes give individuals without much technical expertise access to proven ransomware strains. Those “script kiddies” can then launch their own ransomware campaigns, which add to whatever campaigns the ransomware authors are already conducting themselves. RaaS operations thereby increase the volume of ransomware attacks and raise the profitability of individual ransomware strains. As a result of its RaaS operation, for instance, the REvil gang made $100 million in profit over the span of a year.
It’s experiences such as these that explain why RaaS arrangements are on the rise. Indeed, McAfee found that small ransomware campaigns decreased in the first quarter of the year while RaaS operations ramped up to focus on fewer, more lucrative targets. Group-IB observed something similar in 2020, a year when 64% of the ransomware attacks it analyzed traced back to operators of a RaaS model. The security firm went on to note that it witnessed the emergence of no less than 15 new public ransomware affiliate programs over the course of that year.
All Kinds of Unwanted Attention
Though they might be helping to drive up ransomware profits, RaaS operations are attracting some unwanted attention from government entities and law enforcement. They don’t always survive that attention, either.
Take what happened to DarkSide. As you will recall, DarkSide was the ransomware strain responsible for infecting the Colonial Pipeline Company in May. The infection caused panic buying up and down the East Coast, elevating DarkSide’s profile among the FBI and CISA. DarkSide tried to walk back the attack by claiming that an affiliate had perpetrated it and vowing to review their affiliates’ targets going forward. But that didn’t prevent DarkSide from closing its doors after someone seized the operation’s data leaks site, payment server, and DOS servers before withdrawing all available funds.
There’s also the example of REvil. In the beginning of July, security researchers analyzed the forensic patterns, ransom notes, and Tor URL associated with the Kaseya supply chain attack. They determined that a REvil affiliate was responsible for the attack. At first, the threat actor began by individually extorting victims of the supply chain attack, but they eventually moved on to demanding $50 million for a universal decryptor. It wasn’t long after that when the REvil operation’s websites shut down and when an admin for a Russian digital crime forum banned a REvil representative, wrote Bleeping Computer.
Defending Against RaaS Operations
Group-IB had some troubling words to share on the future of RaaS operations:
From what used to be a rare practice and an end-user concern, ransomware has evolved last year into an organized multi-billion industry with competition within, market leaders, strategic alliances, and various business models. This successful venture is only going to get bigger from here. Due to their profitability, the number of RaaS programs will keep growing, and more cybercriminals will focus on gaining access to networks for resale purposes.
It’s therefore imperative that organizations defend themselves against REvil, DarkSide, and other RaaS programs. One way they can do that is by strengthening the security of their email, one of the most common delivery vectors for ransomware. In practice, that means investing in an email security solution capable of scanning incoming messages for campaign patterns, IP addresses, and other threat indicators while still allowing legitimate correspondence to reach its intended recipients.