Hacking for hire, a business model

Illustrated by our virtual artist, the contrast between the origins and impacts of ransomware attacks.

In the ever-evolving world of cybersecurity, threats are becoming more sophisticated and accessible to a broader range of malicious actors. One such emerging threat is Ransomware-as-a-Service (RaaS). This business model allows cybercriminals to lease ransomware tools and infrastructure, making it easier for even less technically skilled individuals to launch devastating attacks. Understanding RaaS is crucial for businesses looking to bolster their defenses against these persistent threats.

Ransomware-as-a-Service is a model in which professional cybercriminals develop ransomware and then lease it out to affiliates. These affiliates pay a fee or share a percentage of the profits with the developers. This model lowers the technological barrier to entry, enabling a wider array of attackers to participate in ransomware activities.

In traditional ransomware attacks, the same group handled development, distribution, and extortion. RaaS divides these responsibilities between specialists, which makes ransomware a more scalable and potentially more lucrative business.

RaaS operates much like a legitimate Software-as-a-Service (SaaS) platform:

  1. Development: Skilled developers write and maintain the ransomware and run the backend infrastructure (payment portals, leak sites, decryption key management).
  2. Distribution: Affiliates sign up and gain access to the ransomware, often through darknet forums and marketplaces.
  3. Deployment: Affiliates handle initial access and delivery themselves, using methods such as phishing, exploit kits, or stolen credentials.
  4. Extortion: Once a victim’s data is encrypted, the affiliate handles the ransom demand and the negotiation, while payment typically flows through the operator’s portal.
  5. Profit sharing: In the final step, the ransom payment is split between the affiliate and the developers according to the agreed percentage.

Two well-documented RaaS cases:

  • Sodinokibi, better known as REvil, emerged in 2019 and became one of the most notorious RaaS platforms, responsible for numerous high-profile attacks. In July 2021, REvil affiliates compromised Kaseya VSA, an IT management product used by managed service providers, and pushed the ransomware down to the providers’ customers. The attack affected up to around 1,500 businesses globally, demonstrating the far-reaching impact a single RaaS campaign can have through the supply chain.
  • DarkSide is another prominent RaaS platform that gained infamy for its polished operations and its “ethical” rhetoric, claiming to avoid hospitals and non-profits. The Colonial Pipeline attack in May 2021 showed the severe implications of ransomware for critical infrastructure: the company shut down its pipeline operations as a precaution, which led to fuel shortages across the Eastern United States.

We must understand that this RaaS model significantly broadens the scope and frequency of ransomware attacks. Here are several critical consequences to consider:

  • Increased frequency of attacks: With RaaS lowering the entry barrier, more criminals can launch ransomware attacks, leading to an overall increase in incidents.
  • Sophistication and efficiency: RaaS platforms continuously improve their software, making attacks more effective and harder to detect.
  • Wider target range: From small businesses to large enterprises, no organization is safe from RaaS attacks.

To protect against RaaS attacks, businesses should implement the following usual measures:

  • Strong password policies and MFA: Enforce robust password policies and use multi-factor authentication, especially on VPN, remote access, and administrative accounts, to reduce the risk of credential theft. You can see it as the first line of defense in fortifying your digital security.
  • Regular backups: Maintain regular, encrypted backups of critical data, store them offline or in immutable storage, and test restores regularly so you know the backups actually work before you need them. Offline storage can be costly, requiring significant investment in physical media, storage environments, and management resources.
  • Employee training: Conduct regular cybersecurity training to help employees recognize phishing attempts and other social engineering tactics. Determining the effectiveness of training programs and ensuring that they lead to measurable improvements in security practices can be challenging.
  • Patch management: Regularly update and patch all software and systems to close vulnerabilities, prioritizing internet-facing systems, since those are what affiliates scan for first.
  • Incident response plan: Develop and test an incident response plan to ensure quick and effective action in the event of an attack. No matter how theoretically sound a plan may seem, its real-world effectiveness is only proven through rigorous testing and simulation.
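The incident response bullet above assumes you notice the attack in the first place. The script below is an added example, not code from the original article, showing one way to spot the mass-encryption phase in file audit events: a burst of renames to a single uncommon extension across several directories, or the creation of a ransom-note-like file. The log format, the thresholds, the `.lockd` extension and the sample events are all constructed assumptions for illustration.

```python
"""Heuristic detector for ransomware-style mass encryption in file audit logs.

Added example for this article; it is not the article's own code. The event
format, field names and thresholds are assumptions made for illustration, and
the sample log lines at the bottom are constructed, not captured from a real
incident.
"""
import os
import re
from collections import defaultdict

# Assumed audit format (one event per line):
#   <epoch_seconds> <user> CREATE <path>
#   <epoch_seconds> <user> RENAME <old_path> <new_path>
EVENT_RE = re.compile(r"^(\d+)\s+(\S+)\s+(CREATE|RENAME)\s+(\S+)(?:\s+(\S+))?$")

# File types users normally work with; a burst of renames to anything else is suspicious.
COMMON_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".png", ".txt", ".csv", ".sql"}

# Typical ransom-note file names: README_RESTORE_FILES.txt, HOW_TO_DECRYPT.html, ...
RANSOM_NOTE_RE = re.compile(r"(readme|restore|decrypt|recover|how_to)", re.I)


def parse_event(line):
    """Return (ts, user, action, path, new_path) or None for lines that do not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ts, user, action, path, new_path = m.groups()
    if action == "RENAME" and new_path is None:
        return None
    return int(ts), user, action, path, new_path


def ext_of(path):
    return os.path.splitext(path)[1].lower()


def burst_reason(batch, rename_threshold, min_dirs):
    """Describe a mass-rename burst if `batch` (list of (ts, new_path)) holds at least
    `rename_threshold` renames to one extension spread over `min_dirs` directories."""
    dirs_by_ext = defaultdict(set)
    count_by_ext = defaultdict(int)
    for _, new in batch:
        e = ext_of(new)
        dirs_by_ext[e].add(os.path.dirname(new))
        count_by_ext[e] += 1
    for e, n in count_by_ext.items():
        if n >= rename_threshold and len(dirs_by_ext[e]) >= min_dirs:
            return f"{n} files renamed to '{e}' across {len(dirs_by_ext[e])} directories"
    return None


def detect(lines, window=60, rename_threshold=10, min_dirs=3):
    """Return a list of (user, reason) alerts; one alert per indicator per user."""
    alerts = []
    per_user = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev:
            per_user[ev[1]].append(ev)

    for user, events in per_user.items():
        events.sort(key=lambda e: e[0])
        # Indicator 1: a ransom note dropped anywhere.
        for _, _, action, path, _ in events:
            if action == "CREATE" and RANSOM_NOTE_RE.search(os.path.basename(path)):
                alerts.append((user, f"ransom note created: {path}"))
                break
        # Indicator 2: sliding window over renames to an uncommon extension.
        renames = [(ts, new) for ts, _, action, _, new in events
                   if action == "RENAME" and ext_of(new) not in COMMON_EXTENSIONS]
        start = 0
        for end in range(len(renames)):
            while renames[end][0] - renames[start][0] > window:
                start += 1
            reason = burst_reason(renames[start:end + 1], rename_threshold, min_dirs)
            if reason:
                alerts.append((user, f"{reason} within {window}s"))
                break
    return alerts


# Constructed sample: one normal user, and one account behaving like an affiliate's encryptor.
SAMPLE_LOG = [
    "1700000000 alice RENAME /home/alice/draft.docx /home/alice/report.docx",
    "1700000005 alice CREATE /home/alice/notes.txt",
]
_DIRS = ["/srv/share/finance", "/srv/share/hr", "/srv/share/legal", "/srv/share/ops"]
for _i in range(12):
    _d = _DIRS[_i % len(_DIRS)]
    SAMPLE_LOG.append(f"{1700000100 + _i} svc_backup RENAME {_d}/file{_i}.xlsx {_d}/file{_i}.xlsx.lockd")
SAMPLE_LOG.append("1700000115 svc_backup CREATE /srv/share/finance/README_RESTORE_FILES.txt")


if __name__ == "__main__":
    for user, reason in detect(SAMPLE_LOG):
        print(f"ALERT {user}: {reason}")
```

On the sample data this flags only `svc_backup`, first for the ransom note and then for the rename burst, while `alice` renaming a document stays quiet. The thresholds are deliberately conservative; in production you would tune them per file server and pair the alert with an automated response such as disabling the account, because the encryption phase is measured in minutes.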