Ransomware-as-a-Service: Illegal Businesses Operating in the Open

Globally, ransomware damages hit a staggering $11.5 billion in 2019. MSPs in particular felt the wrath of ransomware, with attacks hitting high-profile MSP clients in government, healthcare, and other critical services. According to Datto, in the first half of 2019, 59 percent of MSPs reported ransomware attacks on clients. The average ransom request increased 37 percent, and the cost of downtime ($5,900) is 23x more than the average ransomware demand from 2018.

If these numbers aren’t alarming enough, ransomware-as-a-service (RaaS) is booming. For around $50, any would-be hacker can get a RaaS subscription, and with it a monthly license to unleash attacks on businesses.

What is RaaS?

RaaS is a SaaS-like offering that includes everything a hacker needs to launch a ransomware attack. A typical RaaS subscription goes for around $50 and includes the ransomware code and decryption key, although kits range from sparse to robust. Sophisticated RaaS offerings include customer support and dashboards where hackers can track their victims, including the status of infections and ransom payments.

Developed by cybercrime organizations, RaaS simplifies the development and execution of ransomware, virtually removing the barrier to entry for low-skilled hackers. While some RaaS organizations charge a monthly license fee to use their product, others take a commission—up to 70 percent—on the ransom payouts to affiliates.

Like SaaS companies, RaaS developers frequently push out new releases to their customers and affiliates, and they run their websites on the dark web with the sophistication and efficiency of an e-commerce business. Like SaaS subscriptions, many RaaS subscription models are offered in tiers—bronze, silver, and gold—with each subsequent level offering better features and support.

RaaS organizations

RaaS developers identified on the dark web include RainMaker labs, GandCrab, Sodinokibi, and, more recently, Jokeroo. RainMaker is behind the Philadelphia ransomware that made headlines in 2017. Although Philadelphia RaaS was regarded by some in the tech community as crude compared to the competition, the offering was sleek and was even advertised with a high-quality video.

The group behind GandCrab ransomware claims to have extorted $2 billion from victims around the world. In a rare act of mercy in 2019, a GandCrab developer released a decryption key to Syrian ransomware victims who went public with the trauma of losing access to photos of their deceased children. A GandCrab decryptor was quickly created by security researchers, and shortly after, GandCrab went silent.

GandCrab boasted 392 affiliates at the height of its RaaS business, according to Bleeping Computer. Although the group disappeared in October 2019, it’s likely that they reorganized into Sodinokibi, the ransomware behind some of the biggest attacks of 2019. Researchers have noted striking similarities in the GandCrab and Sodinokibi code but also differences in the personalities of their developers, suggesting that there is new management at the helm.

With dozens of affiliates and a RaaS model that outshines GandCrab in both organization and technical prowess, Sodinokibi is customized and distributed to affiliates based on their unique needs. In a 2019 article by Bank Info Security, a representative at Connecticut-based security firm Coveware said that some affiliates have specialized experience attacking MSPs and other IT service providers. Sodinokibi hit a number of MSPs in 2019, including Synoptec, PercSoft, CyrusOne, and LogicalNet.

Jokeroo was first spotted in March 2019 when it announced its presence on Twitter. Jokeroo offers several membership levels, along with a venerable UI that includes a running list of Jokeroo victims and ransomware payments and a customizable ransom-note builder.

Deploying RaaS packages

RaaS operators understand that in order to attract more customers, their product must be easy to use. While Sodinokibi might be a sophisticated strain, like most forms of malware, it can be distributed with a simple email.

Phishing remains the most popular delivery method for all types of ransomware, with 67 percent of all attacks distributed via phishing. Recent ransomware attacks attributed to phishing emails include the cities of New Orleans, LA, and Durham, N.C., both of which were knocked offline as a result, including 911 call centers and fire departments.

Phishing emails are easy to create and send, and the methods of bypassing filters are becoming more sophisticated. Additionally, novice phishers can enlist the help of criminal phishing organizations that run their own SaaS businesses.

Phishing-as-a-service (PhaaS), like RaaS, is an all-in-one hacking solution. A typical phishing kit includes phishing emails, phishing webpages, email lists, and even evasion tools. Together, RaaS and PhaaS offer everything a hacker needs to launch an attack.

Preventing ransomware

The availability of RaaS and PhaaS has created unlimited opportunities for hackers with little to no hacking experience. And by attacking MSPs, they can hit multiple targets in one sweep. Protect your business by putting these measures in place:

  • Backups: Perform regular backups and store them on a separate device to ensure that hackers can’t access your files.
  • Updates: Update and patch all software on a regular basis to protect from known and unknown system vulnerabilities.
  • Phishing and ransomware protection: Invest in advanced phishing protection that can detect and block phishing emails at the time of delivery and time of click.
  • User training: Offer phishing awareness training to teach your users to spot the signs of phishing, and offer contextual training to reinforce training when your users click on or respond to a phishing email.
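The "time of delivery and time of click" distinction above is easy to state and less obvious to implement. The following Python script is an added example, not code from the original article or from any product it mentions: it runs a few delivery-time checks over a constructed phishing message (a display name that borrows a trusted brand while the sending domain lives elsewhere, a one-character lookalike domain in a link, and anchor text that shows one site while the href points to another), then shows why links are rewritten to opaque tokens so the real destination can be re-evaluated against a blocklist at click time, when the blocklist may have caught up with a campaign that was clean at delivery. `TRUSTED_DOMAINS`, the sample message and the blocklist are constructed for illustration, and the registrable-domain helper is a deliberate simplification that does not consult a public suffix list.

```python
"""Delivery-time and click-time phishing indicator checks.

Added example, not code from the original article. The trusted-domain list,
the sample message and the blocklist are constructed for illustration; the
registrable-domain helper is a simplification (no public suffix list).
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: domains this organisation and its clients legitimately use.
TRUSTED_DOMAINS = {"example-msp.com", "example-bank.com"}

# Constructed sample message with three indicators: spoofed display name,
# lookalike domain in a link, and anchor text disagreeing with its href.
SAMPLE_PHISH = """\
From: "Example Bank Support" <alerts@mail-notify.net>
To: finance@example-msp.com
Subject: Urgent: verify your account
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please <a href="http://examp1e-bank.com/login">verify your account</a> now.</p>
<p>Or open <a href="http://evil-redirect.test/x">https://example-bank.com/secure</a></p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two DNS labels, lower-cased (simplification: no public suffix list)."""
    parts = (host or "").lower().split(".")
    return ".".join(parts[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `domain` imitates (edit distance 1), else None."""
    for t in sorted(trusted):
        if domain != t and edit_distance(domain, t) == 1:
            return t
    return None


def _normalize(s):
    return re.sub(r"[^a-z0-9]", "", s.lower())


def delivery_time_indicators(raw_message, trusted=TRUSTED_DOMAINS):
    """Return (indicators, links) for a raw RFC 5322 message at delivery time."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    found = []
    sender = msg["From"].addresses[0]
    sender_domain = registrable_domain(sender.domain)
    # 1. Display name borrows a trusted brand while the address lives elsewhere.
    for t in sorted(trusted):
        brand = _normalize(t.split(".")[0])
        if brand in _normalize(sender.display_name) and sender_domain not in trusted:
            found.append(f"display name '{sender.display_name}' but sender domain {sender_domain}")
    # 2. Link checks: lookalike domains and anchor text that disagrees with the href.
    body = msg.get_body(preferencelist=("html",))
    extractor = LinkExtractor()
    if body is not None:
        extractor.feed(body.get_content())
    for href, text in extractor.links:
        href_domain = registrable_domain(urlparse(href).hostname)
        imitated = lookalike_of(href_domain, trusted)
        if imitated:
            found.append(f"lookalike domain {href_domain} imitates {imitated}")
        if text.startswith(("http://", "https://")):
            text_domain = registrable_domain(urlparse(text).hostname)
            if text_domain != href_domain:
                found.append(f"link text shows {text_domain} but points to {href_domain}")
    return found, extractor.links


def rewrite_links(links):
    """Delivery-time rewriting: map opaque tokens to the original hrefs."""
    return {f"tok{i}": href for i, (href, _) in enumerate(links)}


def click_time_check(token, store, blocklist):
    """Re-evaluate the real destination when the token is clicked, not when delivered."""
    url = store[token]
    return "blocked" if registrable_domain(urlparse(url).hostname) in blocklist else "allowed"


if __name__ == "__main__":
    indicators, links = delivery_time_indicators(SAMPLE_PHISH)
    for line in indicators:
        print("delivery-time:", line)
    store = rewrite_links(links)
    print("click-time before blocklist update:", click_time_check("tok1", store, set()))
    print("click-time after blocklist update:", click_time_check("tok1", store, {"evil-redirect.test"}))
```

The token store is what makes the second half work: because the message carries `tok1` rather than the raw URL, the gateway gets a second look at the destination when the user clicks, and a domain added to the blocklist between delivery and click is still stopped. A production filter would add header authentication results (SPF, DKIM, DMARC) and a proper public suffix list; those are left out here to keep the logic visible.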
