Jump to content

Ransomware as a service: Difference between revisions

From Wikipedia, the free encyclopedia
Content deleted Content added
m Removed link as it was repeated
 
(23 intermediate revisions by 10 users not shown)
Line 1: Line 1:
{{Short description|Business model for cyber criminals}}
'''Ransomware as a Service''' is a [[cybercrime]] business model where ransomware operators write software and affiliates pay to launch attacks using said software.<ref name=crowdstrike-raas>{{Cite web |url=https://www.crowdstrike.com/cybersecurity-101/ransomware/ransomware-as-a-service-raas/ |title=Ransomware as a Service (RaaS) Explained How It Works & Examples |date=2023-01-30 |access-date=2023-02-11 |website=[[Crowdstrike]] |last=Baker |first=Kurt}}</ref>
'''Ransomware as a service''' ('''RaaS''') is a [[cybercrime]] business model where [[ransomware]] operators write software and affiliates pay to launch attacks using said software.<ref name=crowdstrike-raas>{{Cite web |url=https://www.crowdstrike.com/cybersecurity-101/ransomware/ransomware-as-a-service-raas/ |title=Ransomware as a Service (RaaS) Explained How It Works & Examples |date=2023-01-30 |access-date=2023-02-11 |website=[[Crowdstrike]] |last=Baker |first=Kurt}}</ref> Affiliates do not need to have technical skills of their own but rely on the technical skills of the operators.<ref name="zdnet-raas">{{Cite web |url=https://www.zdnet.com/article/ransomware-as-a-service-is-the-new-big-problem-for-business/ |title=Ransomware as a service is the new big problem for business |date=2021-03-04 |access-date=2023-02-11 |website=[[ZDnet]] |last=Palmer |first=Danny}}</ref>


Affiliates do not need to have technical skills of their own but rely on the technical skills of the operators.<ref name=zdnet-raas>{{Cite web |url=https://www.zdnet.com/article/ransomware-as-a-service-is-the-new-big-problem-for-business/ |title=Ransomware as a service is the new big problem for business |date=2021-03-04 |access-date=2023-02-11 |website=[[ZDnet]] |last=Palmer |first=Danny}}</ref>
The "ransomware as a service" model is a cybercriminal variation of the "[[software as a service]]" business model.<ref name=":0">{{Cite web |title=What is Ransomware as a Service (RaaS)? - CrowdStrike |url=https://www.crowdstrike.com/cybersecurity-101/ransomware/ransomware-as-a-service-raas/ |access-date=2023-07-10 |website=crowdstrike.com |language=en}}</ref>


== Revenue models ==
[[Microsoft]] Threat Intelligence Centre(MSTIC) regards RaaS as different from previous forms of ransomware as it no longer has a tight link between tools, initial entry vector and payload choices.<ref name=mstic>{{Cite web |url=https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/ |title=Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself |date=2022-05-09 |access-date=2023-02-11 |publisher=Microsoft Threat Intelligence Centre}}</ref> They regard them as having a double threat - both encrypting data and exfiltrating it and threatening to publish it.<ref name=mstic/>
Affiliates can choose from different revenue models, including monthly subscriptions, affiliate programs, one-time license fees, and pure profit sharing. The most advanced RaaS operators provide portals that allow their subscribers to track the status of infections, payments, and encrypted files. This level of support and functionality is similar to legitimate SaaS products.<ref>{{Cite web |title=What is Ransomware as a Service (RaaS)? - CrowdStrike |url=https://www.crowdstrike.com/cybersecurity-101/ransomware/ransomware-as-a-service-raas/ |access-date=2023-07-10 |website=crowdstrike.com |language=en}}</ref>


The RaaS market is highly competitive, with operators running marketing campaigns and developing websites that mimic legitimate companies. The global revenue from ransomware attacks was approximately $20 billion in 2020, highlighting the significant financial success of RaaS.<ref name=":0" />
Examples of RaaS kits include [[Locky]], Goliath, Shark, Stampado, Jokeroo and Encryptor.<ref name=crowdstrike-raas/>


[[Microsoft]] Threat Intelligence Centre (MSTIC) regards RaaS as different from previous forms of ransomware as it no longer has a tight link between tools, initial entry vector and payload choices.<ref name="mstic">{{Cite web |date=2022-05-09 |title=Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself |url=https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/ |access-date=2023-02-11 |publisher=Microsoft Threat Intelligence Centre}}</ref> They regard them as having a double threat - both encrypting data and exfiltrating it and threatening to publish it.<ref name="mstic" />
==References==

== Extortion methods ==
Ransomware threat actors use different techniques to extort money from victims. Some of the main methods include:

=== Double extortion ===
In a [[double extortion]] ransomware attack, the threat actors first encrypt the victim's data. They then threaten to publicly release exfiltrated data if the ransom is not paid. This puts additional pressure on the victim to pay the ransom to avoid having sensitive data leaked.<ref name=":1">{{Cite web |author1=Ross Kelly |date=2023-06-29 |title=Encryption-less ransomware: Warning issued over emerging attack method for threat actors |url=https://www.itpro.com/security/ransomware/encryption-less-ransomware-warning-issued-over-emerging-attack-method-for-threat-actors |access-date=2023-07-31 |website=ITPro |language=en}}</ref>

According to analysis from cybersecurity firm [[Zscaler]], 19 ransomware families adopted double or multi-extortion approaches in 2021. By 2022, this number grew to 44 families using this technique. Groups like Babuk and SnapMC pioneered double extortion ransomware. Other actors like RansomHouse, [[BianLian]], and Karakurt later adopted it as well.<ref name=":1" />

=== Multiple extortion ===
Multiple extortion is a variant of double extortion. In addition to encrypting data and threatening to leak it, threat actors also launch DDoS attacks against the victim's website or infrastructure. This adds another element to pressure victims into paying.<ref name=":1" />

=== Pure extortion ===
In a "pure extortion" or "encryption-less ransomware" attack, the threat actors exfiltrate sensitive data but do not encrypt any files. They threaten to publish the stolen data online if the ransom is not paid. This approach allows threat actors to skip the complex technical work of developing encryptors.<ref name=":1" />

Groups like [[LAPSUS$]] and [[Clop (cyber gang)|Clop]] have used pure extortion techniques in high-profile attacks. Since victims' systems are not locked, this method tends to cause less disruption and draws less attention from authorities. However, the financial impact on targeted organizations can still be severe.<ref name=":1" />

== Main actors ==
Several well-known examples of RaaS kits include Hive, DarkSide, REvil (also known as Sodinokibi), Dharma, and [[LockBit]]. These operators continually evolve and create new iterations of ransomware to maximize their impact.<ref name="crowdstrike-raas2">{{Cite web |last=Baker |first=Kurt |date=2023-01-30 |title=Ransomware as a Service (RaaS) Explained How It Works & Examples |url=https://www.crowdstrike.com/cybersecurity-101/ransomware/ransomware-as-a-service-raas/ |access-date=2023-02-11 |website=[[Crowdstrike]]}}</ref>

Examples of RaaS kits include [[Locky]], Goliath, Shark, Stampado, Jokeroo and Encryptor.<ref name="crowdstrike-raas" />

Hive garnered attention in April 2022 when they targeted Microsoft's Exchange Server customers. The [[US Department of Justice]] seized two servers belonging to Hive, disrupting their operations.<ref name=":0" />

DarkSide primarily targeted [[Microsoft Windows|Windows]] machines but has expanded to [[Linux]] systems. They gained notoriety in the Colonial Pipeline incident, where the organization paid nearly $5 million to a DarkSide affiliate.<ref name=":0" />

REvil is associated with PINCHY SPIDER and became known for demanding one of the largest ransoms on record: $10 million.<ref name=":0" />

== See also ==
* [[as a service]]
* [[Initial access broker]]

== References ==
{{reflist}}
{{reflist}}


[[Category:As a service]]
[[Category:Ransomware]]
[[Category:Ransomware]]
[[Category:Cybercrime]]
[[Category:Cybercrime]]

Latest revision as of 19:14, 24 November 2024

Ransomware as a service (RaaS) is a cybercrime business model where ransomware operators write software and affiliates pay to launch attacks using said software.[1] Affiliates do not need to have technical skills of their own but rely on the technical skills of the operators.[2]

The "ransomware as a service" model is a cybercriminal variation of the "software as a service" business model.[3]

Revenue models

[edit]

Affiliates can choose from different revenue models, including monthly subscriptions, affiliate programs, one-time license fees, and pure profit sharing. The most advanced RaaS operators provide portals that allow their subscribers to track the status of infections, payments, and encrypted files. This level of support and functionality is similar to legitimate SaaS products.[4]

The RaaS market is highly competitive, with operators running marketing campaigns and developing websites that mimic legitimate companies. The global revenue from ransomware attacks was approximately $20 billion in 2020, highlighting the significant financial success of RaaS.[3]

Microsoft Threat Intelligence Centre (MSTIC) regards RaaS as different from previous forms of ransomware as it no longer has a tight link between tools, initial entry vector and payload choices.[5] They regard them as having a double threat - both encrypting data and exfiltrating it and threatening to publish it.[5]

Extortion methods

[edit]

Ransomware threat actors use different techniques to extort money from victims. Some of the main methods include:

Double extortion

[edit]

In a double extortion ransomware attack, the threat actors first encrypt the victim's data. They then threaten to publicly release exfiltrated data if the ransom is not paid. This puts additional pressure on the victim to pay the ransom to avoid having sensitive data leaked.[6]

According to analysis from cybersecurity firm Zscaler, 19 ransomware families adopted double or multi-extortion approaches in 2021. By 2022, this number grew to 44 families using this technique. Groups like Babuk and SnapMC pioneered double extortion ransomware. Other actors like RansomHouse, BianLian, and Karakurt later adopted it as well.[6]

Multiple extortion

[edit]

Multiple extortion is a variant of double extortion. In addition to encrypting data and threatening to leak it, threat actors also launch DDoS attacks against the victim's website or infrastructure. This adds another element to pressure victims into paying.[6]

Pure extortion

[edit]

In a "pure extortion" or "encryption-less ransomware" attack, the threat actors exfiltrate sensitive data but do not encrypt any files. They threaten to publish the stolen data online if the ransom is not paid. This approach allows threat actors to skip the complex technical work of developing encryptors.[6]

Groups like LAPSUS$ and Clop have used pure extortion techniques in high-profile attacks. Since victims' systems are not locked, this method tends to cause less disruption and draws less attention from authorities. However, the financial impact on targeted organizations can still be severe.[6]

Main actors

[edit]

Several well-known examples of RaaS kits include Hive, DarkSide, REvil (also known as Sodinokibi), Dharma, and LockBit. These operators continually evolve and create new iterations of ransomware to maximize their impact.[7]

Examples of RaaS kits include Locky, Goliath, Shark, Stampado, Jokeroo and Encryptor.[1]

Hive garnered attention in April 2022 when they targeted Microsoft's Exchange Server customers. The US Department of Justice seized two servers belonging to Hive, disrupting their operations.[3]

DarkSide primarily targeted Windows machines but has expanded to Linux systems. They gained notoriety in the Colonial Pipeline incident, where the organization paid nearly $5 million to a DarkSide affiliate.[3]

REvil is associated with PINCHY SPIDER and became known for demanding one of the largest ransoms on record: $10 million.[3]

See also

[edit]

References

[edit]
  1. ^ a b Baker, Kurt (2023-01-30). "Ransomware as a Service (RaaS) Explained How It Works & Examples". Crowdstrike. Retrieved 2023-02-11.
  2. ^ Palmer, Danny (2021-03-04). "Ransomware as a service is the new big problem for business". ZDnet. Retrieved 2023-02-11.
  3. ^ a b c d e "What is Ransomware as a Service (RaaS)? - CrowdStrike". crowdstrike.com. Retrieved 2023-07-10.
  4. ^ "What is Ransomware as a Service (RaaS)? - CrowdStrike". crowdstrike.com. Retrieved 2023-07-10.
  5. ^ a b "Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself". Microsoft Threat Intelligence Centre. 2022-05-09. Retrieved 2023-02-11.
  6. ^ a b c d e Ross Kelly (2023-06-29). "Encryption-less ransomware: Warning issued over emerging attack method for threat actors". ITPro. Retrieved 2023-07-31.
  7. ^ Baker, Kurt (2023-01-30). "Ransomware as a Service (RaaS) Explained How It Works & Examples". Crowdstrike. Retrieved 2023-02-11.