Ransomware-As-A-Service is a business model in which malware is developed by criminals for use by criminals. It is very similar to traditional software-as-a-service models. The big difference is that, in this case, the product/service being sold is a tool used for criminal activities and for unleashing ransomware attacks.
First, let’s answer the very basic question: what is ransomware? It is a type of malware that encrypts the victim’s files and folders. The safe return of the encrypted data is promised upon payment of a ransom, but in many cases this promise is not kept. We are seeing a massive surge in ransomware attacks across the world, and many of these are fuelled by the rise of RaaS.
According to the most conservative estimates, the total amount of losses from ransomware from mid-2019 to mid-2020 was more than $1 billion. The average ransom payout in 2020 was allegedly $170,404. Successful ransomware attacks can generate enormous profits for attackers. And using RaaS can be inexpensive and relatively easy.
While it is easy for a criminal to execute ransomware, developing the malware requires technical savvy and skill. Ransomware-as-a-Service is the answer to this problem. It is a type of software available online, usually found on the dark web. Developers create ransomware and sell it for widespread use.
Criminals looking at RaaS options can get special offers and choose from different subscription models, which is what makes this service so dangerous. RaaS offers on the dark web look very similar to traditional marketing offers for software services.
These services are offered in a variety of forms such as:
Some models may include a combination of payment types. For example, profit sharing can be combined with a royalty or monthly fee.
Ransomware is highly customisable, and buyers are often provided with elegant interfaces where they can customise their malware. Many RaaS providers will allow even a novice criminal to access their toolkit, while many others are very selective about the affiliates they work with.
Developers create malware, but their profits often depend on the ability of affiliates to distribute it. This is perhaps why some creators implement rigorous selection processes to ensure they only work with partners that will bring them good returns.
Many different types of RaaS exist on the dark web. Operators are constantly developing new and better software. Examples of infamous ransomware spread through the RaaS model include the following:
Egregor: Egregor allegedly runs on an affiliate system, with developers receiving 20-30% of the ransom and the rest going to affiliates.
Launched in September 2020, Egregor is believed to have been a replacement for Maze RaaS, which went out of business around the same time. Several French organisations such as Ouest France, Ubisoft, and Gefco have been victims of Egregor over the past year. There have been several recent arrests in France in connection with Egregor extortion.
REvil: REvil RaaS developers are reportedly very selective about who they allow in as affiliates. Applicants for the programme must prove their hacking experience before they are accepted. REvil has reportedly earned its developers $100 million in a year. This ransomware appears to be heavily targeted at legal, insurance, and agricultural companies.
REvil makes money in a slightly different way from traditional extortion schemes. In addition to demanding a ransom, the group also threatens to leak data and further extort victims.
The REvil group is responsible for the most significant ransom demand to date. In March 2021, it asked for $50 million in ransom from electronics manufacturer Acer.
Dharma: Dharma is far from new on the RaaS scene and has been around since 2017. It renames files with the .dharma extension. Dharma's ransom demands tend to be lower than those of other RaaS, averaging about $9,000. Some researchers say that this may be because the RaaS provider allows even inexperienced hackers to join as affiliates.
Just as with other ransomware attacks, there are some steps you can take to protect your organisation from RaaS attacks. Prevention is always better than cure when it comes to cybersecurity.
Hence we recommend taking the following steps to bolster your ransomware preparedness: