Understanding the RaaS Model: How Ransomware is Evolving in Cybersecurity

19-Sep-2024

Ransomware has become highly pervasive and has evolved considerably. This cyberthreat, which has metamorphosed into a complex attack model, has existed since the late 1980s as a major threat in the cybercrime landscape. A couple of decades back, a ransomware attack named the Archiveus trojan surfaced with the ability to encrypt all files in a PC's "My Documents" folder. There has been no turning back since then. Today, ransomware attacks have evolved into an advanced business model: RaaS (Ransomware-as-a-Service). In this blog, let us delve into a thorough understanding of the RaaS model by explaining its working mechanism and exploring a few prominent examples of RaaS operations.

What is RaaS (Ransomware-as-a-Service)?

Ransomware-as-a-Service may simply be understood as a business model similar to Software-as-a-Service, with ransomware and cybercrime taking the place of legitimate software. It is a business model involving ransomware developers and hackers: the developers sell ransomware code or malware to hackers, who go by the name 'affiliates'. The affiliates buy the code and use it to launch ransomware attacks on their targets.

Understanding the RaaS Model

RaaS is a ready-made tool for affiliates (hackers) or would-be hackers who lack the technical skill to develop their own ransomware, letting them launch attacks affordably and easily. RaaS offerings have proliferated and are easily available on the dark web, where they are sold and advertised in the same manner as normal goods are sold and promoted on the legitimate web. This massive proliferation is projected to pose a severe problem to the cyber security landscape, with organizations fearing a flood of attacks and challenges.

What is the cost of a RaaS kit and what does it include?

The cost of a RaaS kit typically ranges from USD 40 monthly to several thousand dollars. The kit can be obtained from the dark web through various payment models:

  • One-time ransomware procurement
  • Monthly Subscription 
  • Commission/Profit sharing

A RaaS kit typically comes bundled with the following:

  • Compiled ransomware: malicious software or source code, templates and scripts to launch ransomware attacks
  • Customization tools: tools for selecting the target's operating system and writing a custom ransom note
  • Other tools, such as programs for extracting data before encryption
  • Ransomware management system
  • User reviews and forums
  • 24/7 technical support
  • Control panel
  • Manuals and instructions

Working Mechanism of Ransomware-as-a-Service: How does RaaS work?

RaaS functions as a collaboration between developers and affiliates (hackers). The developers are responsible for updating the tools and the C&C (command and control) dashboard, setting up the payment portals for victims, creating leak sites and managing counterintelligence operations to evade security measures. This comprehensive product is then marketed on the dark web, where affiliates can procure it.

These affiliates then launch attacks on their targets by gaining access to their systems through methods such as phishing or access brokers, communicating the conditions and ransom demand, deploying the ransomware, negotiating with the victim and managing decryption keys.

Roles of RaaS Operators/Developers:

  • Recruiting/amassing affiliates (buyers-hackers) on forums/the dark web
  • Providing affiliates with access to the ransomware package panel
  • Developing and updating the C&C dashboard for tracking RaaS packages
  • Setting up a victim payment portal
  • Helping affiliates negotiate with victims
  • Managing a dedicated leak site

Roles of RaaS Affiliates (Hackers-Buyers):

  • Buying ransomware from developers 
  • Targeting victims
  • Setting ransom demands
  • Setting up post-compromise user communications
  • Compromising targets/victim's assets
  • Optimizing infection by employing techniques like "living off the land"
  • Executing ransomware
  • Communicating with the victims through the chat portal and other channels
  • Managing decryption keys

The RaaS business model works on four typical revenue models. Affiliates buy RaaS kits using one of these methods:

  1. Monthly Subscription: Affiliates pay a recurring monthly fee to access the ransomware kit developed by the operators. The fee can range from a minimum of USD 40 per month to a thousand dollars.
  2. One-off Payment: Affiliates make a one-time payment with no remaining balance or further payment obligation, commission or profit sharing.
  3. Affiliate Programs: Affiliates pay a percentage of the profit to the RaaS operator, typically between 20% and 30%.
  4. Profit Sharing: Affiliates pay a significant cut of every ransom profit to the operators, often amounting to 30% to 40%.

Prominent examples of Ransomware-as-a-Service

Many RaaS operators have surfaced, disappeared and re-emerged with newer, more advanced ransomware variants. While there are numerous operators and they are difficult to identify, some prominent RaaS operators have been identified over the years by cybersecurity professionals, including:

Hive: This RaaS operator became notorious in 2022 when it attacked a substantial number of targets running Microsoft Exchange Server, employing the pass-the-hash technique. Many large organizations were victims of Hive, including healthcare organizations, non-profit organizations and financial firms.

LockBit: Another highly pervasive RaaS variant, launched by spreading phishing emails and specifically marketed to Russian speakers. An affiliate of the LockBit RaaS is reported to have posted a threat in May 2022 on a popular Russian-language criminal forum, threatening to leak data.

DarkSide: This RaaS variant was first deployed in August 2020, launching a global ransomware campaign in over 15 countries and targeting multiple industries including retail, technology, legal, professional and financial services, and manufacturing. The group is also reported to be responsible for the May 2021 ransomware attack on the Colonial Pipeline company. DarkSide primarily targeted Windows machines and has since expanded to Linux.

REvil: Also called Sodinokibi, notorious for launching one of the largest ransomware attacks, with a record demand of USD 10 million. It is also one of the most prevalent ransomware variants.

Some other notable RaaS variants include:

  • Eldorado
  • CLOP
  • Black Basta
  • Ryuk 
  • Tox
  • Dharma

Ransomware continues to be a severe threat today. Hackers and threat actors deploying ransomware are poised to become even more sophisticated as they update their strategies and tactics. One good example is the use of triple extortion to pressure victims into paying ransom demands. Global geopolitical issues also give them opportunities to expand their attack mechanisms.

Amid more advanced, sophisticated and targeted ransomware threats, gearing up with robust security programs and measures is critical. For those interested in building a career in this challenging field, pursuing a cybersecurity course can accelerate their career and prepare them to tackle ever-evolving security challenges.
