The rise of Ransomware as a Service has multiplied the number of potential attackers that companies and public administrations face

Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS)… The Cloud era has brought numerous services that companies can contract, without physical infrastructure, since they are hosted in the cloud. The AAS (as a service) model brings numerous advantages in economics, agility and flexibility, so much so that criminals have not been slow to join this dynamic. How? Employing Ransomware as a Service (RaaS).

A business model in which ransomware developers make their malicious products available to thousands of users, thus decentralising the execution of attacks against companies, administrations and citizens.

DarkSide, Revil, Lockbit, Emperor Dragonfly, Conti… These cybercriminal groups have become infamous for developing ransomware that attacks thousands of companies and institutions worldwide. Additionally, they all employ the Ransomware as a Service model, encouraging hundreds of people to employ their malware to commit malicious actions.

The emergence of these actors and the spread of the RaaS model have had a major impact on the increase in ransomware attacks in recent years. And that has caused millions of dollars in losses to companies worldwide.

Below, we will analyse the keys to Ransomware as a Service, focusing on the need for companies and public administrations to improve their resilience to ransomware attacks, including small and medium-sized enterprises.

1. Ransomware, the great threat of this era

Although by now we are more than used to hearing about ransomware, we should start by defining the concept. Ransomware is a type of malware that encrypts victims’ data and demands a ransom for returning access to the victims. It is, in essence, a kidnapping of information.

Using ransomware, attackers infect a system with malicious code and encrypt particularly sensitive data. For example, the Hospital Clínic in Barcelona suffered a ransomware attack in March that allowed attackers to hijack the medical data of thousands of patients. In the same month, Ferrari, one of the world’s most famous car companies, suffered the hijacking of its customers’ contact details (names, telephone numbers, emails…).

If the victims proceed to pay the requested ransom, the attackers should provide the key to decrypt the hijacked information. On the physical level, many kidnappers do not keep their word after the ransom has been paid. On the contrary, they carry out a second extortion, threatening their victims with leaking data. As a result, fewer and fewer companies are willing to make any payment to criminals.

This dangerous context highlights the need for companies to have cybersecurity services that enable them to prevent ransomware attacks and implement security controls to detect and respond to them effectively. Otherwise, companies may be paralysed and face severe financial, reputational and legal consequences.

2. What is Ransomware as a Service?

As its name suggests, Ransomware as a Service is a criminal business model in which developers of this type of malware market it as a service instead of using it exclusively.

RaaS is marketed on the notorious Dark Web. In clandestine forums, developers launch campaigns to attract affiliates and/or buyers interested in using the ransomware created by the criminal group to carry out autonomous attacks against companies and institutions.

Why is the RaaS model attractive to thousands of malicious actors? Because they do not need to develop the ransomware themselves. This greatly benefits criminals who lack the technical know-how to create effective ransomware to subvert corporate defences.

Furthermore, by acquiring ransomware immediately, attackers save development time and can launch attacks in a minimal amount of time.

From this brief explanation, we can glimpse the two major players involved in the Ransomware as a Service criminal model: developers and affiliates.

2.1. Developers

These are criminal groups with financial resources and technical expertise. They not only develop ransomware capable of infecting a network and hijacking sensitive data and documents but also set up a complex criminal structure.

The most sophisticated Ransomware as a Service includes the ransomware itself. It offers a permanent support service, a guide to launching attacks and continuous help in using the ransomware package and throughout the entire process until the ransom is paid. What’s more, many RaaS offer a control panel for affiliates to manage the different phases of the attack. They even make command and control servers available to affiliates.

So developers not only create ransomware that has a high success rate and is difficult to discover but also put in place an extensive infrastructure to make the whole process as easy as possible, including command and control servers.

In return, they save themselves from carrying out the attacks, with all the time and resources this entails, from target selection to ransom collection. What’s more, they are guaranteed a fixed income. Finally, regardless of the results, they get paid the affiliation fee. This is directly related to Software as a Service. A company that hires these services pays for them periodically, without the use it makes of them coming into play.

2.2. Affiliates

The other leg of the Ransomware as a Service criminal system is the attackers who use ransomware to carry out attacks against companies, public administrations and even ordinary citizens.

While it is easy to define the profile of the criminal groups behind Ransomware as a Service (well-prepared organisations with extensive technical knowledge and infrastructure…), the affiliates are more diffuse.

As we have been pointing out throughout the article, one of the keys to RaaS is that it democratises the possibility for people who cannot develop a ransomware variant to use this technique to hijack data.

Thus, affiliates can be criminals without a high level of technical expertise. But also groups of cybercriminals who can successfully attack a network or system (e.g. through phishing campaigns) but need more time, expertise or resources to develop their ransomware. The options are manifold.

All possible affiliate profiles share a common goal: to get to the data, encrypt it and demand payment in exchange for decryption. As well as the means they choose to achieve it: Ransomware as a Service.

Given the above, it is worth noting that the affiliates are responsible for:

• Establishing the targets against which they will attack.
• Execute the attacks to persist as long as possible and hijack data.
• Contacting the victims to demand the ransom. For example, leaving a text file with the ransom note.
• Send the keys to decrypt the encrypted files and data… In case they keep their word.

2.3. Ransomware as a Service Models

Beyond the issues directly linked to cybersecurity, it is essential to consider how this criminal method works economically when we talk about Ransomware as a Service. There are three main types:

• Subscription. Just as a Netflix subscriber pays a monthly subscription to access the streaming platform and enjoy its content, Ransomware as a Service affiliate can pay a fixed amount to use the malicious code and all the tools offered by the developers. This amount is fixed, regardless of how much money the attacker can illicitly steal through data hijacking.
• License purchase. This is the least common type. The buyer acquires the right to use the ransomware by making a one-time payment.
• Commission. In exchange for being able to use the Ransomware as a Service infrastructure, the attacker has to pay the criminal group part of the profits from the hijacking. For example, 50% of the profits.
• Affiliate program. This is the most common typology and combines the subscription and profit-sharing models. Affiliates pay a fixed fee every month and, in addition, have to give the Ransomware as a Service group a percentage of the fraudulent revenue they generate. Criminal groups find this option very attractive because they are guaranteed a fixed income without giving up the possibility that the success of their affiliates will translate into more illicit money.

It should also be noted that ransom payments are usually demanded via cryptocurrencies, making it difficult for authorities to trace payments back to Ransomware as a Service affiliates and groups.

3. Hive, a paradigmatic example of Ransomware as a Service, was dismantled

One of the keys to RaaS is its ability to impact more companies than a normal ransomware campaign. For example, here’s a button. For two years, the Hive group marketed Ransomware as a Service, allowing its affiliates to attack more than 1,500 companies worldwide from 2021 to the end of 2022.

This January, the FBI and Interpol conducted a joint operation to dismantle the infrastructure of this criminal organisation, which over the past two years was able to obtain more than $100 million through extortion. Previously, the authorities had hacked into the organisation, providing victims with the keys to decrypt their data, thus draining their ability to obtain income through extortion.

What types of companies were targeted with the Hive ransomware? US and EU companies of all industries and sizes. From hospitals to technology companies, electricity utilities and even Spain’s largest nursing home company, DomusVi.

What lessons can we learn from this example?

1. The level of danger and exponential spread of Ransomware as a Service.
2. The economic impact of cyber-attacks.
3. The enormous diversity of companies that are potential victim of Ransomware as a Service. Not only large companies in strategic sectors such as finance are susceptible to attack.
4. The growing importance that states are giving to the fight against criminal groups that use this method.
5. Resignation in the face of attacks is a misguided strategy, and the payment of ransoms finances criminal infrastructures and strengthens them.

4. The human factor

One of the keys to RaaS is combining cutting-edge technological development with the human factor.

Criminal groups use their vast knowledge to package ransomware and offer it to dozens of malicious actors for active operation. In other words, to launch targeted, human-driven attacks instead of commodity ransomware attacks, which are spread indiscriminately through phishing. To borrow a sailor’s slang, mere trolling.

Whereas ransomware attacks operated by Ransomware as a Service group affiliates have specific targets and pursue specific objectives. For example, hijacking a company’s customer contact data. Or to get hold of a company’s strategic documents, which, if they fall into the hands of a competitor, would cause great damage.

When we talk about Software as a Service, we often point out that this model facilitates the access of companies and professionals to software that helps them work more efficiently and increase their business profits. Well, RaaS works similarly, but from a criminal perspective. These are advanced developments that are made available to attackers, who do not need to be able to develop their ransomware variant to accomplish their goals. In this case, accessing and hijacking company data.

In turn, the development of malicious code is complemented by the attackers’ techniques, tactics and procedures. The chances of success are greater in targeted attacks than in indiscriminate attacks. Knowing what you are looking for and having information about your victim and their security measures is not the same as attacking organisations or citizens about whom nothing is known.

5. How to gain access to victims? Initial Access Broker and Phishing

Attackers who join a RaaS program or acquire this malicious code can use it to propagate it through a system and accomplish their goals, but how do they gain access to the system?

1. Initial Access Broker. Just as there are cybercriminals specialising in developing ransomware, there are also criminals who provide access credentials to a company’s systems. These malicious actors employ various techniques, from brute force to crack passwords to launching social engineering attacks. Once they get the credentials, they sell them to other criminals, such as ransomware attackers.
2. Phishing and other social engineering techniques. Beyond contracting Initial Access Broker’s fraudulent services, affiliates can launch phishing campaigns themselves. For example, a professional of the target company receives an email in his corporate email that appears to be legitimate. However, the email contains a downloadable file or link. If the employee clicks on the link or downloads the file, he will have unknowingly downloaded the ransomware.

The more advanced RaaS groups may offer Initial Access Broker services or advise their affiliates on setting up phishing or other social engineering campaigns.

In addition, affiliate attackers specialised in accessing corporate networks opt for RaaS because they lack the means or knowledge to develop malicious code or prefer to focus on executing attacks.

Similarly, some attackers specialise in operating ransomware campaigns but may need more technical expertise to execute a successful attack beyond possible phishing attacks. In this regard, some criminals offer advanced technical expertise to execute potential intrusions into corporate infrastructures.

6. The multiplication of attackers

Ransomware bundling means that experienced cybercriminals can carry out attacks using this type of malware, and the range of potential attackers is expanding dramatically. This leads to an increase in the number of attackers and security incidents, as well as to the occurrence of specific attacks such as:

• Competitor attacks. A company can resort to a Ransomware as a Service provider to infiltrate a rival’s corporate network and gain access to information about its business strategy or paralyse its activity to undermine its business model and reputation.
• From vendors. Service providers often have access to an organisation’s corporate network. This situation means a possible ransomware compromise or infection affecting a provider can be transferred to its client’s internal corporate network.
• Given, also, the bilateral relationships that exist between customers and suppliers, the situation could be the opposite. A supplier could be compromised by a campaign affecting one of its customers.
• Supply chain attacks. As we have noted on other occasions, supply chain attacks are another trend to be considered in the cybersecurity world. An attacker may not be able to directly access a company’s systems with an advanced security strategy, but they can pre-infect a company’s supplier to get inside.

In essence, Ransomware as a Service group is arming potential attackers who, until the emergence of this criminal model, lacked the means or knowledge to use this kind of malicious code to commit fraud against companies, public administrations and citizens.

7. You too, Brutus? Insider attacks against companies

When we think of cyber-attacks, we imagine criminals with extensive knowledge taking advantage of a vulnerability detected in a system or the carelessness of a professional to attack a company. This leads us to forget a type of attack that has been around as long as the world has existed: insider attacks.

Just as Senator Brutus betrayed his friend and mentor Julius Caesar, an organisation’s professionals can use their access to the company’s systems, networks and equipment to hijack and/or exfiltrate data and documents.

This scenario is very attractive to Ransomware as a Service group since there is no need to find a way to access the system; the attacker already has legitimate access to the system.

Many companies focus on protecting their organisations’ IT perimeter but neglect internal control measures and access permission policies. As a result, if a ransomware attack is launched from the inside, the capacity for propagation and persistence is extremely high, and the possibility of detection is minimal.

For this reason, some criminal groups encourage the incorporation of workers with access to corporate networks in their promotional campaigns. This target group ranges from disgruntled professionals to workers willing to commit a crime in exchange for significant money. As the series Breaking Bad taught us: excessive ambition can corrupt people.

In this last sense, implementing segmentation policies in corporate networks, both at the network level and at the level of access control to information or resources, is essential. Minimising the exposure surface both externally and internally is an essential task in the context of an organisation.

8. Attackers’ tactics to achieve their goals

So far, we have discussed how criminals gain access to corporate networks and systems and how they get ransomware to execute. But what tactics do attackers use to achieve their goals? To systematise them, we can resort to the ATT&CK MITRE framework:

• Persistence. This tactic is implemented through techniques to maintain access to the network, even if the organisation performs actions such as changing credentials.
• Privilege escalation. This tactic is used to gain higher-level security permissions to accomplish fraudulent objectives by exploiting weaknesses, configuration problems and vulnerabilities.
• Evasion of defences. The attacker must avoid the organisation’s detection controls to stay as long as possible. This involves using techniques such as uninstalling security software.
• Lateral movement. Using this tactic, attackers seek to move around the corporate environment to achieve their objectives.
• Collecting and exfiltrating data, encrypting it to demand a ransom in exchange for providing the unlock keys. Or, as we will see below, proceeding to steal the data to threaten to leak it publicly or to use it in other fraudulent operations.

Through these tactics, the attacker seeks to remain on the compromised system for a long time, increasing his chances of achieving the stipulated fraudulent objectives and generating greater damage to the organisation.

9. The dangerous spiral of extortion

The hijacking of confidential data can lead to the paralysis of the normal activities of a company or public administration. As happened in the case of Hospital Clínic, but also in other notorious security incidents, such as the Fancy Bear cyberattack against Spain’s leading research centre, the CSIC.

The consequences of a successful ransomware attack, already worrying in themselves, are aggravated if the criminals opt for double extortion. In other words, they do not simply hijack the data and demand a ransom to decrypt it but also threaten their victims by demanding a higher payment to not leak the information on a public site.

Some Ransomware as a Service groups have their own sites.

For example, at the end of March, the Ransomware as a Service group Lockbit 3.0 posted on its leaks page that it had successfully attacked the restaurant company Telepizza. The criminals demanded a ransom for not publishing the obtained and hijacked data.

The double extortion is not only evidence of the risks faced by companies and institutions that fall victim to this kind of attack but also demonstrates that organisations cannot rely on criminals to keep their word and provide them with the keys to decrypt their data.

Moreover, there have already been cases where criminals have added further layers of extortion. For example, by also threatening the company’s customers whose data has been stolen so that they individually pay another ransom. Or by launching DDoS attacks to paralyse the organisation and force it to pay up. Or classic methods such as informing the media, customers and suppliers.

10. Red Team: Improving resilience to the proliferation of Ransomware as a Service

Beyond the actions taken by law enforcement to dismantle Ransomware as a Service groups, companies can and should take steps to protect themselves against this dangerous trend in cybersecurity. What actions are we talking about? Basic actions such as:

• Securing critical business assets, remediating weaknesses found and patching vulnerabilities.
• Implementing measures for early detection of attacks that consider not only the vectors but also the routes that attackers can follow within corporate systems.
• Segment corporate networks to make it more difficult for ransomware to spread and attackers to move laterally.
• Perform regular and well-protected backups to recover hijacked data and ensure business continuity.
• Focus on training and awareness-raising for all company professionals.

The consequences of a ransomware attack can be extremely serious, affecting business continuity and the organisation’s reputation. Moreover, if this issue is addressed strategically, recovery from a ransomware attack can be slow and costly because 100% system cleanup is not easy.

This is why companies with an advanced cybersecurity strategy, subject to more demanding legislation, with a higher level of cyber exposure and higher risks, can turn to more sophisticated services such as Red Team. Why?

Red Team services enhance an organisation’s detection and response systems, optimising them to detect intrusions at earlier stages of the Cyber Kill Chain and thus prevent the theft of strategic information or undermining business continuity.

10.1. Red Team scenario based on ransomware simulation

The Red Team simulates acting like a malicious actor to achieve a specific goal, such as gaining access to confidential data about the company’s customers.

To do this, a Red Team scenario needs to be designed in which the following are established:

• Type of malicious actor to be simulated (competitor, internal attacker, remote attacker…).
• Intrusion vector to be used (e.g. phishing or theft of user credentials).
• The objectives: elevation of privileges, sabotage of products or equipment, fraudulent payments… or deployment of ransomware.

Therefore, Red Team’s services can carry out ransomware simulations and test reliably how security controls, equipment, and IT infrastructure respond to this type of attack.

During a ransomware simulation, two phases are carried out:

1. Red Team scenario. All activities are carried out as if an affiliate of a Ransomware as a Service group was behind it, and its objective was to deploy ransomware to hijack sensitive data.
2. Gap-Analysis: The response of the defensive layers is evaluated, both at the level of attack detection, containment and asset recovery.

What is the ultimate goal of Red Team’s services? To improve the organisation’s resilience to ransomware attacks.

In short, Ransomware as a Service has led to the proliferation of potential attackers in enterprises, breaking down barriers such as the need for expertise to develop effective malicious code against the defensive layers of companies. As a result, organisations must face this complex landscape with advanced cybersecurity services such as Red Team.

Remember that anyone can attack your company.