What is Ransomware as a Service? Learn About the New Business Model in Cybercrime



Ransomware as a service operations have seen tremendous growth in the short time since their emergence. Learn about these attacks and how to protect against them in Data Protection 101, our series on the fundamentals of information security.

What is Ransomware as a Service?

Ransomware is a type of malware that encrypts a victim's files, holding them hostage unless the victim pays a ransom for their decryption. Ransomware is usually spread using phishing emails and infected websites. Ransomware attacks have extorted billions from victims over the past fifteen years or so, but a newer development in the ransomware delivery model has taken this threat to a whole new level: ransomware as a service (RaaS). This new trend has seen cybercriminals offering their ransomware operations – from delivery all the way through to taking ransom payments – for hire as a service or via web platforms, typically for a cut of the ransom gains or a fixed fee.

How Prevalent is Ransomware?

In a span of 11 years, close to 7,700 ransomware cases were reported to the FBI's Internet Crime Complaint Center (IC3), ranging from attacks on individuals to infections of entire corporate networks. That is more than the number of data breach cases reported to the center over the same period. A report from January 2017 put the total earnings from ransomware attacks at over $1 billion in 2016 alone.

The Potential for Profit with Ransomware as a Service

Despite being a relatively new development, ransomware as a service campaigns have already proven lucrative for their operators and customers alike. In the FBI’s takedown of the Kelihos botnet last week, evidence surfaced that Peter Yuryevich Levashov, the man arrested for allegedly operating the botnet used to carry out ransomware attacks, offered to send a million ransomware messages for a mere $500. Check Point research suggests that only 0.3% of ransomware victims actually pay their ransoms, while Trend Micro research put the average ransom demand at $722 as of September 2016. Even if just 0.1% of those emails succeeded in infecting their recipients, $500 paid to such a scheme would yield 1,000 infections and, at a 0.3% payment rate, 3 successful ransom payments totaling $2,166 (3 × $722), a return of over 333% on the customer's $500 outlay.

Notable Ransomware as a Service Campaigns

An example of a ransomware as a service operation that has recently gained notoriety is the Satan RaaS platform, which is available over the dark web and enables customers to launch customizable ransomware attacks at wide scale. Interested attackers with minimal to no technical skill can subscribe to the Satan platform and launch their own attacks on their targets, all for a 30% cut of their gains paid to its creators.

Other strains of ransomware notable for being offered as a service include Petya and Cerber. Cerber netted its creators $78,000 (at their standard 40% commission rate) in July 2016 on a total of $195,000 paid in ransoms, leaving $117,000 for the affiliates, who had to do little more than log in to Cerber’s platform and deploy the attacks. The authors of Cerber go as far as to advertise their RaaS offering to prospective customers via banner ads and forum postings on the dark web, an indication of the organizational scale at which many of these campaigns operate.

Last month the Fortinet Blog wrote about another ransomware as a service scheme dubbed Dot, which boasts sophisticated operations including a professional website, customer portal, and a commission rate of 50% for its authors.

Protecting Against Ransomware as a Service

While RaaS is expected to fuel an explosion in ransomware attacks, the defenses against RaaS are no different from the defenses against typical ransomware attacks. In a previous post on this blog, Juliana de Groot offers 8 tips for ransomware protection:

  • Back up your files regularly and frequently: having diligent data backup processes in place can limit the damage caused by a ransomware attack significantly, as encrypted data can be restored without paying a ransom.
  • Complete operating system and any software updates as soon as possible: software updates typically contain patches for security vulnerabilities and should be installed as soon as they’re made available. Enable automatic updates whenever possible to streamline this process.
  • Do not click on email attachments or links from unconfirmed sources: email is a popular medium for phishing attacks that distribute ransomware or other malware via infected attachments or links to malicious websites.
  • Disable Autorun for all mounted devices: disabling autorun prevents malware on removable media such as USB drives from executing automatically when the device is mounted, an important step in containing malware should an infection occur.
  • Disable macro content in Microsoft Office applications: in many cases ransomware is spread via infected Microsoft Office documents that contain malicious macros that will download and execute the malware once run. Disabling macros by default can help to prevent compromises even if an infected file is opened by a user.
  • Disable remote desktop connections when possible: exposed Remote Desktop services are a common entry point for ransomware operators, who brute-force or buy credentials and then run the ransomware by hand. Disabling RDP where it isn't needed, and restricting it to a VPN or jump host where it is, removes that avenue onto users’ devices and files.
  • Only log in as an administrator for as long as necessary: limit administrator privileges and the use of admin accounts whenever possible. If a user's account is compromised while it holds administrative rights, the attacker inherits those rights, and ransomware running with them can disable backups, shadow copies, and security software in addition to encrypting files.
  • Deploy security software to bolster ransomware protection: there are a variety of solutions that can help prevent ransomware infections. At the bare minimum, antivirus solutions and firewalls can help to block known, common malware strains. For additional protection, companies should consider advanced threat protection solutions to improve ransomware detection and blocking capabilities.
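Several of the tips above (autorun, Office macros, remote desktop, local administrators) map to specific Windows and Office policy settings. The following PowerShell script is an added example, not code from the original post or from Digital Guardian: it audits those settings on a single host and, with `-Enforce`, applies the hardened values. The registry paths and values are the documented Windows and Office policy keys; the `16.0` version segment assumes Office 2016/2019/365 and the list of Office applications is an assumption you should adjust to what is installed.

```powershell
#Requires -RunAsAdministrator
<#
  Added example (not from the original post): audit and optionally enforce the
  autorun, Office-macro and RDP hardening settings from the tips above, then list
  who holds local administrator rights.
  Usage:  .\Test-RansomwareHardening.ps1            # audit only
          .\Test-RansomwareHardening.ps1 -Enforce   # audit, then fix non-compliant keys
#>
[CmdletBinding()]
param([switch]$Enforce)

# Each check: a registry path, the value name and the value we expect to find.
$checks = @(
    @{ Name     = 'AutoRun disabled for all drive types'
       Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Key      = 'NoDriveTypeAutoRun'; Expected = 0xFF },   # 0xFF = every drive type
    @{ Name     = 'Remote Desktop connections denied'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
       Key      = 'fDenyTSConnections'; Expected = 1 }
)

# Office macro policy is per application; 16.0 = Office 2016/2019/365 (assumption).
# VBAWarnings 4 = disable all macros without notification.
# BlockContentExecutionFromInternet 1 = block macros in files that carry the
# Mark-of-the-Web, i.e. email attachments and downloads, even if macros are allowed.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $securityKey = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $checks += @{ Name = "$app macros disabled";          Path = $securityKey
                  Key  = 'VBAWarnings';                    Expected = 4 }
    $checks += @{ Name = "$app blocks Internet macros";   Path = $securityKey
                  Key  = 'BlockContentExecutionFromInternet'; Expected = 1 }
}

function Get-RegistryDword {
    param([string]$Path, [string]$Key)
    # Returns $null when the key or value does not exist (i.e. the default applies).
    try { (Get-ItemProperty -Path $Path -Name $Key -ErrorAction Stop).$Key }
    catch { $null }
}

$results = foreach ($c in $checks) {
    $actual = Get-RegistryDword -Path $c.Path -Key $c.Key
    $compliant = ($actual -eq $c.Expected)
    if (-not $compliant -and $Enforce) {
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        Set-ItemProperty -Path $c.Path -Name $c.Key -Value $c.Expected -Type DWord
        $actual    = Get-RegistryDword -Path $c.Path -Key $c.Key
        $compliant = ($actual -eq $c.Expected)
    }
    [pscustomobject]@{
        Check     = $c.Name
        Expected  = $c.Expected
        Actual    = if ($null -eq $actual) { '(not set)' } else { $actual }
        Compliant = $compliant
    }
}
$results | Format-Table -AutoSize

# Tip 7: anything beyond the built-in Administrator and a dedicated admin account
# in this list is a candidate for removal.
Write-Host "`nMembers of the local Administrators group:"
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource

# Exit non-zero when anything is still non-compliant, so the script can gate a build or a login script.
if ($results | Where-Object { -not $_.Compliant }) { exit 1 }
```

Two caveats. The Office keys live under HKCU, so an elevated run edits the hive of the elevating account, not the end user's; for a fleet, push the same values through Group Policy (the Office Administrative Templates expose them under User Configuration) rather than per host. And `fDenyTSConnections` only refuses new sessions; if RDP must stay on for some hosts, pair it with Network Level Authentication and a firewall rule limiting the source addresses.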
Nate Lord
