by Anastasios Arampatzis
Palo Alto defines ransomware as “a criminal business model that uses malicious software to hold valuable files, data or information for ransom. Victims of a ransomware attack may have their operations severely degraded or shut down entirely.”
Ransomware attacks are increasing as businesses continue their digital evolution. Its effectiveness at generating serious revenue for attackers makes ransomware popular among cybercriminals and a “must-have” in their toolboxes. Today it is considered the largest threat organizations are facing and a financial burden for all businesses, as highlighted in the 2022 Cyber Claims Report.
Unfortunately, the outlook is troubling. Ransomware attacks are now offered as a service by cybercriminals, under the name Ransomware-as-a-Service (RaaS), also called human-operated ransomware because the attacks are driven throughout by human intelligence and end in intentional business disruption and extortion. These criminals offer their services to others, establishing actual ransomware agreements in exchange for an agreed fee.
There is no need to be an expert cybercriminal or a dark web guru; literally anyone can subscribe to a RaaS and unleash a ransomware attack on an organization or even an individual. It is no wonder that security professionals admit that “today no penetration effort is needed to perform a cyber-attack, just enter the correct log-in credentials you have purchased”.
Ransomware-as-a-Service
RaaS is a subscription-based service, an arrangement between two parties: the operator and the affiliate. It is very popular because it allows any unskilled would-be cybercriminal to perform ransomware attacks with a high probability of success.
The operator develops all the necessary tools for the attack and the payment portals used to communicate with victims, and sells access to the ransomware payload to the affiliate. The affiliate performs the intrusion, executes the attack, and collects the agreed ransoms, which are then split among the parties. RaaS developers may also sell their payload for profit and run their business with other ransomware payloads, making it even more difficult for law enforcement agencies to track them.
Furthermore, security researchers have discovered a third party involved in the RaaS business model: the “service provider”. The “service provider” assists the affiliate, mostly in the pre-attack phases of victim selection, exploit provision, and negotiations.
The distribution of roles makes the RaaS business model resilient to, and unaffected by, law enforcement successes. A recent joint advisory on ransomware highlighted that RaaS is a well-established and professionalized business model, which complicates attribution, since its components (developers/operators, affiliates, and freelancers) form a complex network that shares victims’ information and diversifies the threat to their targets.
Figure 1. How RaaS model enables ransomware attacks (www.microsoft.com)
In many cases, RaaS programs may also provide a suite of extortion support offerings as an extra service, including leak site hosting and integration into ransom notes, payment pressure, and cryptocurrency transaction services.
Microsoft notes that the RaaS business model is similar to the traditional economy: “In the same way our traditional economy has shifted toward gig workers for efficiency, criminals are learning that there’s less work and less risk involved by renting or selling their tools for a portion of the profits than performing the attacks themselves”.