The global damage caused by ransomware in 2019 was a staggering $11.5 billion. MSPs in particular have suffered the nasty effects of ransomware, and the attacks have hit senior MSP customers in government, healthcare, and other critical services. Protect with antivirus software.
According to Datto, 59 percent of MSPs reported ransomware attacks on customers in the first half of 2019. The average ransomware claim increased 37 percent and the cost of downtime ($5,900) was 23 times the average ransomware claim in 2018.
These numbers alone are alarming, but ransomware-as-a-service (RaaS) is also booming. For around $50, every would-be hacker can get a RaaS subscription and thus a monthly license to carry out attacks on companies.
What is RaaS?
RaaS is a SaaS-like offering that includes everything a hacker needs to launch a ransomware attack. A typical RaaS subscription costs around $50 and includes the ransomware code and decryption key, and there are large and small RaaS kits available. Refined RaaS offerings include customer service and dashboards that hackers can use to track their victims, including the status of infections and ransomware payments.
Developed by cybercrime organizations, RaaS simplifies the development and implementation of ransomware, effectively removing the barrier to entry for low-skilled hackers. While some RaaS organizations charge a monthly license fee for using their products, others charge a commission - up to 70 percent - on ransom payments to partners.
Like SaaS companies, RaaS developers often release new versions to their customers and partners, and they run their websites on the dark web with the sophistication and efficiency of an e-commerce company. Like SaaS subscriptions, many RaaS subscription models are offered in the bronze, silver, and gold levels, with each subsequent level including better functionalities and support.
RaaS Organizations
RaaS developers identified on the dark web include RainMaker Labs, GandCrab, Sodinokibi, and, more recently, Jokeroo. RainMaker is behind the Philadelphia ransomware that hit the headlines in 2017. Although the Philadelphia RaaS was considered clumsy by some in the tech community compared to the competition, the offering was appealing and was even advertised with a high-quality video.
The group behind the GandCrab ransomware claims that it extorted $2 billion from victims around the world. Out of compassion, a GandCrab developer released a decryption key in 2019 for Syrian victims of ransomware who went public with the trauma of losing access to photos of their deceased children. Security researchers quickly developed a GandCrab decryptor, and shortly afterward GandCrab fell silent.
GandCrab had 392 partners at the height of its RaaS business, according to Bleeping Computer. Although the group disappeared in October 2019, they likely reorganized into Sodinokibi, the ransomware behind some of the biggest attacks in 2019. Researchers have found striking similarities between the GandCrab and Sodinokibi code, but also differences in terms of the identity of the developers, suggesting that there is new management here.
With dozens of partners and a RaaS model that dwarfs GandCrab both organizationally and technically, Sodinokibi is distributed to partners and tailored to their individual needs. In a 2019 article by Bank Info Security, a representative from Connecticut-based security firm Coveware stated that some partners have specific experience with attacks on MSPs and other IT service providers. Sodinokibi attacked several MSPs in 2019, including Synoptic, PercSoft, CyrusOne, and LogicalNet.
Jokeroo was first discovered in March 2019 when it announced its existence on Twitter. Jokeroo offers multiple membership levels as well as an attractive user interface that includes an up-to-date list of Jokeroo victims and ransomware payments, as well as a customizable wizard for creating ransom notes.
Provision of RaaS Packages
RaaS operators know that their product has to be easy to use to attract more customers. While Sodinokibi, like most forms of malware, can be sophisticated, it can be spread with a simple email.
Phishing remains the most popular method of delivering all types of ransomware: 67 percent of all attacks are spread via phishing. The most recent ransomware victims attributed to phishing emails include the cities of New Orleans, Louisiana, and Durham, North Carolina, both of which went offline, including emergency call centers and fire departments.
Phishing emails are easy to create and send, and the methods of bypassing the filters are becoming more sophisticated. Also, those new to phishing can seek help from criminal phishing organizations that run their own SaaS businesses.
Phishing-as-a-Service (PhaaS), like RaaS, is an all-in-one hacking solution. A typical phishing kit includes phishing emails, phishing websites, email lists, and even detection prevention tools. Together, RaaS and PhaaS provide everything a hacker needs to launch an attack.
Prevent Ransomware Claims
The availability of RaaS and PhaaS has created unlimited opportunities for hackers with little to no hacking experience. And by attacking MSPs, they can hit multiple targets in one fell swoop. Protect your business by taking the following measures:
- Backups: Perform regular backups and store them on a separate device to ensure that hackers cannot access your files.
- Updates: Update and patch all software regularly to protect yourself against known and unknown system vulnerabilities.
- Protection against phishing and ransomware: Invest in advanced phishing protection like antivirus software that can detect and block phishing emails at the time they are delivered and at the time they are clicked.
- User Education: Offer phishing awareness training to show your users how to recognize the signs of phishing, and provide contextual training to increase the learning impact when your users click on or respond to a phishing email.