Ransomware as a service

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by Bibamad at 15:36, 10 July 2023. The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Ransomware as a service (RaaS) is a cybercrime business model in which ransomware operators write the malware and affiliates pay to launch attacks with it.[1] Affiliates do not need technical skills of their own; they rely on the technical skills of the operators.[2]

Ransomware as a service is a cybercriminal adaptation of the "software as a service" (SaaS) business model.[3]

Revenue models

Affiliates can choose from different revenue models, including monthly subscriptions, affiliate programs, one-time license fees, and pure profit sharing. The most advanced RaaS operators provide portals that allow their subscribers to track the status of infections, payments, and encrypted files. This level of support and functionality is similar to legitimate SaaS products.[4]

The RaaS market is highly competitive, with operators running marketing campaigns and developing websites that mimic legitimate companies. The global revenue from ransomware attacks was approximately $20 billion in 2020, highlighting the significant financial success of RaaS.[3]

Microsoft Threat Intelligence Centre (MSTIC) regards RaaS as distinct from earlier forms of ransomware because there is no longer a tight link between the tools used, the initial entry vector and the choice of payload.[5] MSTIC also describes these attacks as a double threat: the data is encrypted, and it is also exfiltrated with a threat to publish it.[5]

Main actors

Several well-known examples of RaaS kits include Hive, DarkSide, REvil (also known as Sodinokibi), Dharma, and LockBit. These operators continually evolve and create new iterations of ransomware to maximize their impact.[6]

Examples of RaaS kits include Locky, Goliath, Shark, Stampado, Jokeroo and Encryptor.[1]

Hive garnered attention in April 2022 when it targeted customers of Microsoft's Exchange Server. The US Department of Justice seized two servers belonging to Hive, disrupting its operations.[3]

DarkSide primarily targeted Windows machines but later expanded to Linux systems. It gained notoriety in the Colonial Pipeline incident, in which the organization paid nearly $5 million to a DarkSide affiliate.[3]

REvil is associated with PINCHY SPIDER and became known for demanding one of the largest ransoms on record: $10 million.[3]

References

  1. Baker, Kurt (2023-01-30). "Ransomware as a Service (RaaS) Explained: How It Works & Examples". CrowdStrike. Retrieved 2023-02-11.
  2. Palmer, Danny (2021-03-04). "Ransomware as a service is the new big problem for business". ZDNet. Retrieved 2023-02-11.
  3. "What is Ransomware as a Service (RaaS)? - CrowdStrike". crowdstrike.com. Retrieved 2023-07-10.
  4. "What is Ransomware as a Service (RaaS)? - CrowdStrike". crowdstrike.com. Retrieved 2023-07-10.
  5. "Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself". Microsoft Threat Intelligence Centre. 2022-05-09. Retrieved 2023-02-11.
  6. Baker, Kurt (2023-01-30). "Ransomware as a Service (RaaS) Explained: How It Works & Examples". CrowdStrike. Retrieved 2023-02-11.