Ransomware-as-a-service: What CISOs need to know


The first ransomware in the world, Ransom32, was unearthed in 2016, starting a series of what would become one of the most popular forms of malware ever. At its core, malware is just software, except that it is used for nefarious purposes. And like software companies, malware makers also like the ‘as-a-service’ business model. Ransomware holds a business’ data hostage, demanding cryptocurrency in return for restoring access to that data.

Fast forward to 2021, and ransomware-as-a-service (RaaS) has grown to epic proportions. According to Gartner’s Emerging Risks Monitor Report, released this month, the threat of “new ransomware models” is the topmost concern facing executives in the third quarter of 2021.

What is ransomware-as-a-service?

Ransomware makers have become more specialized and efficient. Gartner also noted that the RaaS model has evolved, as have the viruses that infect backup systems. RaaS providers usually rent out their offering on the dark web and ask their affiliates to pay 20-30% of the profits they receive.

In fact, the threat has evolved to such an extent that some RaaS groups offer training on how to use the ransomware, along with customer support and refund periods. Examples of ransomware families known to have a customer support wing include Cerber, Cryptomix, and Torrent Locker. According to Finnish security firm F-Secure, these ransomware families are open to negotiation via their customer support, and will also reduce the ransom on request.

Additionally, according to a July report by cyber intelligence provider Kela, some RaaS gangs have even advertised negotiator positions on the dark web, where the job description is to convince the victim to pay the ransom and ensure that the process goes ‘smoothly’.

How do the RaaS models work?

An October 2021 study by San Francisco-based email security company Abnormal Security showed that ransomware is now offered with bulk discounts and in different packages and tiers, ranging from a trial package all the way to ‘premium’ and ‘elite’ six-month and 12-month subscriptions respectively. The elite package offers 24-hour customer support, multiple payment options, customisable ransomware strains and even templates for ransom notes.

Should Indian enterprises be concerned? 

India currently ranks sixth out of 140 countries in terms of ransomware attacks, according to an October report by Google’s Threat Research Group. The study showed that there are at least 100 ransomware families (among them Reveton, WannaCry, Locky, Magniber, Rkor, Matsnu, Cerber and Congur) in constant activity, and most of them are offered under RaaS models in some form or other. These operate across close to 30,000 groups of malware that researchers found to share structural patterns and working methodologies; such groups are referred to as malware clusters.

Prominent RaaS providers 

REvil, also known as Sodinokibi, is infamous for hacking into the systems of Apple supplier Quanta in April this year and threatening to make details of upcoming Apple products public. As per a report by Dark Reading, the group was responsible for 25% of ransomware attacks from January 2021 to July 2021.

However, REvil was recently shut down, reportedly after several countries joined forces to take down its ‘Happy Blog’, the website the group used to expose victims’ data and extort organisations.

Another well-known name is DarkSide, believed to have originated in Eastern Europe. It made a grand entrance in August last year by donating $10,000 in Bitcoin, taken from money stolen from its victims, to charity. The group is known to target large organisations with high revenues.

Back in 2019, a RaaS gang named Ryuk ran amok. An October 2020 study from security firm SonicWall’s Capture Labs said the group accounted for 33% of all attacks that year. Its main targets were healthcare groups.

Other well-known names include Netwalker (a.k.a. Mailto), Egregor, DoppelPaymer, Satan, Cerber, and Hostman, with the list growing on a daily basis.