Ransomware as a Service (RaaS) – A Contemporary Mal du siècle?
What is Ransomware as a Service?
A wise man once said that a business without customers is just a hobby. True, for the most part, but when the business in question is a crime, or in this case cybercrime, it makes you wonder whether its owner should be called a businessperson or a kingpin.
Ransomware itself is nothing new. According to a report drafted by the FBI, an average of over 4,000 ransomware attacks per day have occurred since 2016.
One might be inclined to infer that ransomware has become more prevalent than the common cold, and the analogy is quite accurate. In a landscape where fraud is the stock-in-trade, attempts to capitalize on the suffering of others are only natural.
Ransomware as a Service (RaaS) is what happens when a malicious actor stops thinking like a virtual highwayman and starts acting like a businessman. The term describes a nascent industry that, by its very design, caters to the needs of other cybercriminals.
RaaS – Another face of evil?
In all regards, RaaS mirrors the SaaS (Software as a Service) and PaaS (Platform as a Service) concepts: we do the heavy lifting, so you don’t have to. More than that, it makes perfect sense from the buyer’s side: why bother learning how to write malware from scratch when you can rent or purchase a kit from a RaaS provider?
Taking a step back, in the ‘traditional’ malware-distribution model the roles were well defined: the malicious actor, also called the ‘ransomware operator,’ would spread the malware among his victims using either an infectious agent of his own design or components (spam lists, botnet access, bulletproof hosting, etc.) bought from anonymous dealers, the so-called ‘peddlers.’
In contrast, the Ransomware as a Service ‘business’ model relies on an aggregator: a person or group that sells or rents malware to interested parties, who then become the ‘ransomware operators.’ This aggregator, the RaaS operator, either purchases malicious components from peddlers or develops them in an ‘in-house incubator.’
Although young compared to the rest of the ‘industry’, RaaS has begun to gain traction, especially among the ‘hit-and-run’ community: people with limited technical knowledge but a willingness to prey on vulnerable users.
In this article, we are going to place the Ransomware as a Service industry under the proverbial looking glass. My goal is to try and figure out whether or not RaaS is the worst blight that ever hit the digital world.
Soldiers-of-Fortune or Fortunate Soldiers?
Generally, hacking is regarded as a wanton, random, and lightning-fast incursion aimed at stealing various forms of data. In reality, there’s nothing random about it: the person or persons behind the attack know exactly where and when to strike. And the culmination and epitome of cybercrime is when these groups band together to create a sophisticated form of online Mafia.
Furthermore, very much like the real-life organization, this entity has its rules, its credo, and even a drumhead court. In this case, the underworld is the dark web, where technical know-how is worth its weight in gold. Mum’s still the word, but spilling the beans would be a futile exercise given the dark web’s emphasis on anonymity.
Soldiers-of-fortune? Unlikely. Ransomware as a Service operators are businessmen, not guns for hire. Remember Lord of War featuring Nicolas Cage? RaaS operators are regarded much like the arms dealer in that film: they sell the weapons, others pull the trigger.
In a nutshell, RaaS-type businesses sell or rent out compact, easy-to-deploy, and scalable malware kits to individuals or groups who want to stage cyberattacks.
And how does a business grow? By attracting new customers, seeking growth opportunities, and staying ahead of competition by developing better and more cost-effective products. It’s interesting though that RaaS-type businesses often feature affiliation programs that enable ‘partners’ to get a share of the revenue each time a purchase is made.
‘Businessnifying’ Unethical Digital Ops
How do you turn something as unethical as hacking into a full-time business? By providing your would-be customers with easy access to your wares. And what better place to conduct business than the dark web? As you are probably aware, the dark web is a hub for illegal activities, from selling ‘hot’ items to human trafficking.
Ransomware as a Service providers usually keep well-stocked malware portals, where anyone can drop by and look at the wares. Since the aim is businessnification, these portals come with all the bells and whistles: discounts, bundles, around-the-clock support, a reviews page, forums, and everything in between.
It’s not too difficult to imagine why this type of business exists in the first place: it takes far less time to mount a full-scale attack with a purchased kit than with ‘home-brewed’ code. Since the transactions are made through the dark web and paid in cryptocurrency, they are difficult, though not impossible, to trace.
So, what happens after the purchase is made? Most of these ‘businesses’ have a share-the-spoils M.O.; depending on how much you spend on the malicious code, the owner could ask for a bigger or smaller percentage of the profit one would virtually gain after a successful attack.
For instance, Satan, one of the most popular ransomware resellers on the dark web, can supply the customer with an on-demand file-encryption sample which can be used to demonstrate the ‘full’ version’s potency.
If the user wants to upgrade to ‘full’, they can keep 70% of the profit. On the other hand, other RaaS operators such as RaaSberry, claim that all the ‘revenue’ earned through hacking go to the customer.
Remember that for the tech-savvy people behind it, RaaS is what we would call a side gig: a passive income, usually derived from a hobby.
Known Ransomware as a Service Operators
For the purpose of this exercise, which is to raise awareness among users on a rising digital threat, I shall not include onion links to the RaaS operators I will be talking about; it’s not ethical and it also defeats the purpose of the article.
1. Philadelphia
Named after Pennsylvania’s largest city or the controversial US Navy experiment, Philadelphia is regarded as one of the most sophisticated Ransomware as a Service kits available to date. Concocted by Rainmakers Labs, this on-demand kit contains everything a malicious actor needs to stage a full-scale attack.
Even more interesting is the fact that you can also get in touch with the owner if you’re in need of a more… personal approach. Obviously, the kit can only be found on the dark web. Interestingly enough, it’s outrageously cheap: the complete kit costs $389! All transactions are in Bitcoin.
This price fetches you various features such as unlimited builds and campaigns, no monthly fees or revenue share (you don’t need to split the profits with the RaaS operator), updates (the ability to download and use the latest malware build), US English support and tooltips, and more.
The product’s so well marketed that it has its own video presentation. As to its notoriety, an Austrian police action that resulted in the arrest of a teenager proved just how convenient this type of software can be.
The records reveal that with Rainmakers Labs’ kit, the teen who had limited technical knowledge, managed to circumvent a company’s perimeter defenses and to encrypt all the files. In return, he asked for a meager $400.
2. Stampado
Regarded as the cheaper version of Philadelphia, the Stampado RaaS kit is sold for only $39. Its lack of features is most certainly compensated for by its deployment speed: a popup ad for Stampado claims that the first campaign can be set up in 30 seconds or less. Stampado is in fact the predecessor of Philadelphia.
The sales campaign began in or around the summer of 2016. Apparently, this easy-to-deploy malware kit was in so high demand, that the makers decided to make a ‘deluxe’ version.
3. RaaSberry
RaaSberry really manages to stage a grand performance when it comes to playing the Good Samaritan: while other RaaS providers ask for a share, RaaSberry allows the customer to keep all revenue.
It sounds like a hacker’s dream come true, doesn’t it? Not exactly. Compared to the competition, RaaSberry boasts several price tiers. A quick glance at their website shows that the cheapest packs are
So, for the price of $60, which buys a one-month Command & Control subscription, you receive a 250 KB “unique EXE” (packing both the encrypter and the decryptor), free support, multi-OS compatibility, and other features such as a Task Manager disabler, a mutex, and delayed start.
Going up the price tier ladder, we have the Platinum, three-year C&C subscription, which costs $650. There are not many differences between the packages, apart from the subscription duration.
4. Satan
A newcomer on the market compared to the others, but not featureless by any means. Instead of fixed price tiers or ready-to-deploy kits, Satan offers free-to-use ransomware samples. Basically, anyone is free to use them, on one condition: that 30% of the spoils go to the RaaS provider.
The platform also allows the user to create custom pay schemes: the user can specify the ransom amount, multiplier by days, personalized note to be sent to the victim for failure to comply, and payment methods other than Bitcoin.
5. Frozr Locker
A lightweight tool that encrypts files with approximately 250 different extensions. The cost of acquisition is around $1,262, which makes it the most expensive RaaS solution on this list.
However, once the builder is acquired, it can be used indefinitely, without the need to update your subscription. After you purchase the builder, you will be able to customize the ransomware: payment details, decryptor, UAC bypass, and personalized messages.
How to protect yourself from Ransomware as a Service
RaaS is certainly sophisticated, but not infallible. Below, you will find a list of tips to protect your digital assets against Ransomware as a Service.
1. Backup your endpoints and servers
The best possible defense against ransomware, and against every kind of threat for that matter, is to have a backup system in place. You should consider having a local as well as a cloud backup. Companies operating on larger networks can opt for an off-site backup location. Keep at least one copy offline or otherwise unreachable from the production network, because ransomware also encrypts or deletes any backups it can reach, and test the restore procedure regularly. In case of a ransomware attack, crucial data can then be restored without having to pay the ransom.
2. Don’t open suspicious attachments
Email communications are the first entry point into an
If there really was a golden digital rule, this would be it: don’t open unexpected email attachments. They might be infected with malware. Even an email coming from someone familiar should be treated with a modicum of suspicion, since a sender’s account or identity may have been compromised.
For instance, in Business/Vendor Email Compromise attacks, hackers steal credentials and money by posing as someone from upper management or as a trusted supplier.
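One concrete check a mail gateway or helpdesk can run on a suspicious Office attachment before anyone opens it, written here as an added example in PowerShell (it is not code from the original article or from any product mentioned on the page): Office Open XML files (.docx, .docm, .xlsx, .xlsm, and so on) are ZIP containers, and a macro-enabled document carries a `vbaProject.bin` entry inside that container. The script builds two constructed sample files in a temporary folder, one clean and one carrying the macro marker, and flags the latter. It assumes Windows PowerShell 5.1 or later with the .NET `System.IO.Compression` assemblies available; the sample file names are invented for the demonstration.

```powershell
# Added example (not from the original article): flag Office attachments that
# carry a VBA project before anyone double-clicks them.
# Assumptions: Windows PowerShell 5.1+ (or PowerShell 7) with .NET's
# System.IO.Compression available; sample file names are constructed.
Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Test-OfficeMacro {
    param([Parameter(Mandatory)][string]$Path)
    # Legacy binary formats (.doc/.xls/.ppt) are OLE containers, not ZIP, so
    # this check cannot rule macros out; treat them as risky by default.
    if ($Path -match '\.(doc|xls|ppt)$') { return $true }
    try {
        $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    } catch {
        return $false   # not a ZIP container, hence not an OOXML document
    }
    try {
        # Any entry named vbaProject.bin means the document embeds VBA code.
        return [bool]($zip.Entries | Where-Object { $_.FullName -match 'vbaProject\.bin$' })
    } finally {
        $zip.Dispose()
    }
}

# Constructed samples: two minimal ZIP containers that mimic a clean .docx and
# a macro-enabled .docm (real files contain more entries; only the
# vbaProject.bin marker matters for this check).
$tmp = Join-Path $env:TEMP 'raas-macro-demo'
New-Item -ItemType Directory -Path $tmp -Force | Out-Null
$samples = @(
    @{ Name = 'invoice.docx'; Entries = @('[Content_Types].xml', 'word/document.xml') },
    @{ Name = 'invoice.docm'; Entries = @('[Content_Types].xml', 'word/document.xml', 'word/vbaProject.bin') }
)
foreach ($sample in $samples) {
    $file = Join-Path $tmp $sample.Name
    if (Test-Path $file) { Remove-Item $file -Force }
    $zip = [System.IO.Compression.ZipFile]::Open($file, [System.IO.Compression.ZipArchiveMode]::Create)
    foreach ($entry in $sample.Entries) { $zip.CreateEntry($entry) | Out-Null }
    $zip.Dispose()
}

# Report: the .docm sample is flagged, the .docx sample is not.
Get-ChildItem -Path $tmp -File | ForEach-Object {
    $risky = Test-OfficeMacro -Path $_.FullName
    '{0,-14} macros: {1}' -f $_.Name, $(if ($risky) { 'YES - quarantine' } else { 'no' })
}
```

The extension is deliberately ignored for ZIP-based files: an attacker can rename a `.docm` to `.docx` and Word will still open it, so the container contents, not the name, decide the verdict.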
3. Frequent patching seals most of your breaches
Hackers are always looking to take advantage of gaps in your security grid, and an outdated app provides them with the best opportunity. Make sure that all your apps are up to date. Heimdal™ Patch & Asset Management can search for and deploy the latest versions of your favorite apps.
Moreover, the Infinity Management module can provide you with a bird’s-eye view of your machines and, most importantly, the software currently installed on them. From there, your sysadmin can choose which patches to deploy and when the patching process should occur.
4. Ensure macros are disabled in Microsoft Word
Although Microsoft disabled macro auto-execution a long time ago, some older Office builds or user-changed settings might still allow macros to run. To disable macros in Word, click the MS Office button (or the File tab in newer versions), then Word Options, then Trust Center, then Trust Center Settings, then Macro Settings. Select Disable all macros without notification and hit OK to commit the change. Repeat the same steps in Excel and PowerPoint, since those are just as commonly abused.
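Clicking through the Trust Center works for one machine; on a fleet you enforce the same setting through policy. The following PowerShell script, added here as an example and not taken from the original article or from any product it mentions, writes the per-user Office policy registry values that correspond to “Disable all macros without notification” for Word, Excel and PowerPoint, and then reads them back to report any application still left in a weaker state. It assumes Office 2016/2019/Microsoft 365 (registry version key `16.0`) and the documented meaning of the `VBAWarnings` value (1 = enable all, 2 = disable with notification, 3 = disable except digitally signed, 4 = disable all without notification); `BlockContentExecutionFromInternet` additionally blocks macros in files carrying the Mark of the Web.

```powershell
# Added example (not from the original article): enforce "Disable all macros
# without notification" for Word, Excel and PowerPoint via the Office policy
# registry keys and verify the result.
# Assumptions: Office 2016/2019/365 (version key "16.0"); VBAWarnings semantics
# 1 = enable all, 2 = disable with notification, 3 = disable except signed,
# 4 = disable all without notification. Run as the user whose HKCU is targeted.

$officeVersion = '16.0'
$apps = 'Word', 'Excel', 'PowerPoint'

function Set-OfficeMacroPolicy {
    foreach ($app in $apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security"
        if (-not (Test-Path $key)) {
            New-Item -Path $key -Force | Out-Null
        }
        # 4 = "Disable all macros without notification"
        Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value 4 -Type DWord
        # Also block macros in documents downloaded from the internet (Mark of the Web)
        Set-ItemProperty -Path $key -Name 'BlockContentExecutionFromInternet' -Value 1 -Type DWord
    }
}

function Get-OfficeMacroPolicyReport {
    foreach ($app in $apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $warn  = $props.VBAWarnings
        $motw  = $props.BlockContentExecutionFromInternet
        [pscustomobject]@{
            Application = $app
            VBAWarnings = $warn
            BlockFromInternet = $motw
            # Anything other than 4 leaves a path for a malicious document to run code
            Status = if ($warn -eq 4 -and $motw -eq 1) { 'OK' } else { 'WEAK' }
        }
    }
}

Set-OfficeMacroPolicy
Get-OfficeMacroPolicyReport | Format-Table -AutoSize
```

Values under `HKCU\Software\Policies` are the ones Group Policy manages, so on a domain-joined machine deploy the same settings through the Office Administrative Templates rather than by hand; a local change will otherwise be overwritten at the next policy refresh, and the report function above is the quick way to confirm which state actually won.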
Ransomware as a Service is on the rise, and the reasons are more than obvious: it is cheap, easy to deploy, powerful, and requires little to no technical expertise. The best defenses against this type of threat are tested offline backups, frequent patching, a strong AV/AM solution, and vigilance.