Most of you have probably heard of the term SaaS which stands for Software as a Service. In return for a fee – usually monthly or yearly – the company providing the software agrees to allow the subscriber access to the latest updated software for the duration of the subscription. Ransomware as a Service (RaaS) follows a similar fee-based business model.
RaaS
There are “companies”, though nefarious at best, that provide a service much the same as SaaS. Dark Side is one such company in the news lately. But they are just one of many organizations that provide fee-based ransomware capabilities to criminals that do not have the skills or resources to develop the malware or carry out an attack on their own. According to the cybersecurity firm Group-IB, two-thirds of the ransomware attacks in 2020 were done using an RaaS model.
How It Works
In the RaaS model, a business-like relationship develops between two parties – the developer and the affiliate. The developer writes the malicious program designed to typically hijack the victim’s data by encrypting it or forcing the shutdown of the company’s computer network system – depending on the company targeted and the RaaS model used.
In a contract agreement, the developer licenses the malware to an affiliate for either a fixed monetary amount or a share of the successful ransom payment. The affiliate executes the attack using developer-provided assets, collects the ransom and pays the developer according to the agreed upon amount – all very business-like. In some cases, the developer is the affiliate, and they carry out their own attacks.
When an affiliate carries out an attack using the Dark Side RaaS model for example, the victim is first made aware they have been targeted when the “Welcome to Dark Side” ransom letter appears on their monitor … complete with payment instructions. Also included is the threat of what will happen if the ransom is not paid. The threat is usually keeping the hijacked data or the release of proprietary or sensitive data. The victim has the option to either pay the ransom or potentially lose their business or suffer the leak of important data.
Not all companies targeted are large. One recent attack targeted a small Midwestern publisher of school education material; the ransom demanded was $1.75 million. The threat in their case was to release customer identification information to pedophiles that would allow them to enter schools using fake IDs.
In the latest high-profile attack, the ransom of Colonial Pipeline’s was $5 million; sometimes the ransom amount can be negotiated down to a lower amount as was the case with Colonial Pipeline; they reportedly settled for $4.4 million. The DOJ has since recovered about $2.3 million of that ransom that was still in a digital wallet of the affiliate initiating the attack.
The mission of the RaaS model is to disrupt the business of a company by forcing them to shut down. Because companies cannot afford a lengthy shutdown, in most cases the pay the asked or negotiated amount to get their business back online. Ransoming businesses is becoming so common and preventing an attack so costly, that many companies just view it as another cost of doing business.
Ransomware as a Business
Just how big is the business of ransoming? It is a big business. In a recent report from the Ransomware Task Force, there were 2,400 known cases of ransomware in the U.S. alone in 2020 … most targeted were healthcare facilities, schools and U.S government agencies. The number of cases is probably higher as many low-profile attacks go unreported.
In 2020, paid ransoms totaled $350 million – a 311% increase over the prior year. The average payment from these ransoms was $312,493 and is usually paid in cryptocurrency.
Why Cryptocurrency?
Ransoms are usually paid in cryptocurrency, such as Bitcoin, to a digital wallet specified in the ransom instructions. Cryptocurrency is the payment of choice because it is more difficult to trace.
Once in a digital wallet, the funds are commonly “chain hopped” into different forms of cryptocurrency and then run through a “mixing service” where the ransom and legitimate monetary traffic are combined – the digital equivalent of money laundering. Once the mixing is complete, ransomware criminals can then draw the funds in hard cash, keep it in crypto form or a combination of both.
Location Immunity
Fifteen ransomware groups, including five of the biggest, are believed to be based in Russia or elsewhere in the former Soviet Union. The Russian government is benevolent to the ransomware organizations as long as they do not target Russia or former Soviet Union-based businesses. Because Russian authorities have made it clear they rarely prosecute those responsible for cybercrimes outside Russia, it has become a location of choice for ransomware operations. In a 2018 interview, Russian President Putin made it clear when he said, “If they did not break Russian law, there is nothing to prosecute them for in Russia. You must finally realize that people in Russia live by Russian laws, not by American ones.”