
What Is RaaS?

Ransomware as a Service (RaaS) is a business model that can be thought of as Software as a Service (SaaS) for cybercrime: ransomware operators develop and maintain the ransomware tooling, and affiliates pay to use it to launch their own ransomware attacks. As in any ransomware attack, the attacker gains access to the victim's systems and encrypts the data, then demands payment in return for the means to recover it. RaaS has lowered the barrier to entry for ransomware attacks, because attackers no longer need to be able to develop their own ransomware.

Impact of RaaS

RaaS can be purchased by any individual or group that wants to launch a cyberattack. This increases the number of ransomware attacks and makes it harder for law enforcement agencies to disrupt them: even if the malware developers are arrested, the affiliates can carry on with their criminal activities. The impact of ransomware has grown further in recent years as more RaaS ecosystems have adopted the double extortion tactic. Attackers not only encrypt data on compromised devices, but also exfiltrate it first and threaten to publish it, so that even a victim with good backups is pressured into paying. According to one industry estimate, ransomware attacks in 2020 alone cost the global economy approximately US$20 billion. Nearly two-thirds of criminal organizations use the RaaS model to launch attacks. It is estimated that by 2031, losses caused by ransomware worldwide will reach about US$265 billion.

How Does RaaS Work?

RaaS Operation Principle

RaaS is a subscription-based business model for launching ransomware attacks. Ransomware developers build the ransomware payload and the payment and negotiation portals used to communicate with victims. RaaS operators recruit affiliates by advertising on underground forums and darknet sites. Affiliates create accounts and pay fees (usually in Bitcoin) to obtain RaaS kits, which can be customized for specific targets. A RaaS kit may include technical support, bundled offers, feature updates, access to private forums for information exchange, and other features much like those offered by legitimate SaaS providers. After paying, affiliates launch attacks using the ransomware; a common initial access method is email phishing. Once the ransomware executes on a victim's device, it encrypts the data and renders the device unusable, and the victim is shown a message demanding payment in exchange for the decryption key needed to recover the locked files. The table below outlines the roles operators and affiliates play in the RaaS model:

RaaS Operator

  • Recruits affiliates on forums or darknets.
  • Provides affiliates with access to a "build your own ransomware package" panel.
  • Creates a dedicated "Command and Control" dashboard for affiliates to track their packages.
  • Sets up a victim payment portal.
  • Assists affiliates with victim negotiations.
  • Provides technical support.
  • Manages a dedicated leak site.
  • Manages decryption keys.

RaaS Affiliates

  • Creates an account and pays to use the ransomware.
  • Sets ransom demands.
  • Configures the ransom note shown to the victim after the intrusion.
  • Deploys the ransomware.
  • Compromises the victim's assets.
  • Maximizes the ransomware infection scope.
  • Communicates with the victim via chat portals or other communication channels.
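The reason the operator, and only the operator, "manages decryption keys" is the key hierarchy baked into every build: the affiliate's payload carries the operator's public key, each victim gets a fresh symmetric key that is wrapped with that public key, and the plaintext victim key is thrown away. The following Python simulation is an added example, not the code of any real RaaS kit and not from the original page. Textbook RSA (no padding, toy 512-bit modulus) and a SHA-256 counter-mode keystream stand in for the RSA-OAEP and AES a real payload would use, and everything runs on in-memory byte strings with constructed sample data.

```python
"""Toy simulation of the RaaS key hierarchy. Added example: not any real RaaS kit's code.
Textbook RSA (no padding) and a SHA-256 counter-mode keystream stand in for the
RSA-OAEP and AES a real payload would use; everything runs on in-memory bytes."""
import hashlib
import random
import secrets


def _is_probable_prime(n, rounds=20):
    """Miller-Rabin primality test (toy key generation only)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # top bit set, odd
        if _is_probable_prime(cand):
            return cand


def operator_keygen(bits=512):
    """Operator generates the master key pair once (512-bit modulus is a toy size).
    Only the public half is ever handed to affiliates."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and phi % e:
            return {"n": n, "e": e}, {"n": n, "d": pow(e, -1, phi)}


def _keystream_xor(key, nonce, data):
    """Toy stream cipher: XOR with SHA-256(key || nonce || counter). Encrypts and decrypts."""
    out = bytearray()
    for block, i in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], ks))
    return bytes(out)


def affiliate_build(operator_pub):
    """The 'build your own package' panel bakes the operator's PUBLIC key into the
    payload together with the affiliate's ransom note text. No private key ships."""
    return {"operator_pub": operator_pub, "note": "Your files are encrypted. Contact us via the chat portal."}


def run_payload(build, victim_files):
    """On the victim: one fresh symmetric key per victim, every file encrypted with it,
    then that key is wrapped with the operator's public key and written into the note.
    The plaintext victim key is discarded, so nothing left on the host can decrypt."""
    pub = build["operator_pub"]
    victim_key = secrets.token_bytes(32)          # 256 bits, always smaller than the modulus
    encrypted = {}
    for name, content in victim_files.items():
        nonce = secrets.token_bytes(12)
        encrypted[name + ".locked"] = nonce + _keystream_xor(victim_key, nonce, content)
    wrapped = pow(int.from_bytes(victim_key, "big"), pub["e"], pub["n"])
    return encrypted, {"text": build["note"], "wrapped_key": wrapped}


def operator_release_key(operator_priv, ransom_note):
    """Only the operator, holding d, can unwrap the victim key (typically after the
    ransom is paid and split with the affiliate). The affiliate never can."""
    k = pow(ransom_note["wrapped_key"], operator_priv["d"], operator_priv["n"])
    return k.to_bytes(32, "big")


def decrypt_files(victim_key, encrypted):
    """Victim-side decryptor: needs the released victim key, not the operator's private key."""
    out = {}
    for name, blob in encrypted.items():
        nonce, body = blob[:12], blob[12:]
        out[name.removesuffix(".locked")] = _keystream_xor(victim_key, nonce, body)
    return out


def simulate():
    """End-to-end run on constructed sample data. Returns (recovered_files, affiliate_has_private_key)."""
    victim_files = {"q3_forecast.xlsx": b"revenue,cost\n100,80\n", "schematic.pdf": b"%PDF-1.7 toy content"}
    pub, priv = operator_keygen()
    build = affiliate_build(pub)
    encrypted, note = run_payload(build, victim_files)
    recovered = decrypt_files(operator_release_key(priv, note), encrypted)
    return recovered, "d" in build["operator_pub"]
```

Two consequences follow directly from this structure. First, arresting an affiliate does not free their victims: the affiliate's build never contained anything that can decrypt, which is why law enforcement takedowns target operator infrastructure and key material (as in the Hive case below). Second, since the victim key exists in plaintext only briefly in the payload's memory, forensic recovery of files from the host is usually hopeless; offline backups or storage-level snapshots are the realistic non-payment path.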

RaaS Revenue Model

Common RaaS revenue models include:

  • Affiliate program: affiliates pay a subscription fee, and a percentage of each ransom (typically 20% to 30%) goes to the ransomware developer.
  • Monthly subscription: affiliates pay a flat monthly fee and do not share profits with the RaaS operator.
  • One-off license fee: affiliates make a single payment and can use the service indefinitely without sharing profits with the operator.
  • Pure profit sharing: profits are split between affiliates and operators at an agreed ratio once the license is purchased.

Typical Cases of RaaS

  • REvil

    REvil (also known as Sodinokibi) was first observed in 2019. REvil affiliates have been reported to gain control of an entire network within minutes of initial access. The group's initial access vectors are mainly unpatched VPN appliances, exploit kits, exposed Remote Desktop Protocol (RDP) services, and spam emails. REvil operators are selective about affiliates, requiring a demonstrated track record of hacking experience. Affiliates are responsible for gaining access to target networks, exfiltrating valuable files, and deploying the ransomware itself, while operators negotiate with victims and collect the ransom. In April 2021, REvil was reported to have attacked a supplier of Apple and stolen confidential schematics of upcoming products.

  • LockBit

    First observed in September 2019, LockBit is a notorious cybercrime group known for its professional operations and strong affiliate program. LockBit 2.0, launched in June 2021, used the double extortion tactic: victims are coerced into paying to regain access to their encrypted files, and then again to prevent their stolen data from being published. In June 2022, the group released LockBit 3.0. Initial access is obtained through purchased or stolen third-party credentials, exploitation of vulnerabilities, and other malware already present on the victim network. At the end of the third quarter of 2022, about one-third of reported ransomware attacks against industrial enterprises and infrastructure were attributed to LockBit.

  • DarkSide

    The DarkSide group was first observed in August 2020. DarkSide affiliates are given access to an administration panel for their specific victims. As commission, DarkSide operators receive a percentage of each ransom (25% for ransoms below US$500,000, falling to 10% for ransoms over US$5 million). On May 7, 2021, Colonial Pipeline, which operates one of the largest fuel pipeline systems in the United States, was reported to have suffered a DarkSide ransomware attack affecting the IT systems that manage the pipeline, and it shut down pipeline operations as a precaution. The company paid a ransom of about US$4.4 million within hours of the attack.

  • Hive

    First seen in 2021, the Hive ransomware was used to extort more than 1,300 organizations and, according to a CISA advisory, collected roughly US$100 million in ransom payments. Hive attacks begin with third-party access credentials, exploitation of vulnerabilities (notably in Microsoft Exchange Server), and RDP brute-force attacks. In January 2023, law enforcement agencies seized two of Hive's back-end servers, disrupting the group's operations.

How Does Huawei Help You Defend Against RaaS?

In recent years, RaaS has become one of the major cyber security threats faced by enterprises worldwide. Once an enterprise is attacked, its operations can be severely disrupted. Huawei products can help you minimize the harm caused by ransomware.

  • MRP: Multilayer Ransomware Protection

    Huawei's MRP technology is built on network-storage collaboration, creating two layers of protection for your data. The network, as the first line of defense, detects ransomware and prevents it from spreading laterally. Storage, as the second and last line of defense, ensures that services can be recovered. Together, network-storage collaboration delivers three capabilities: accurate identification, comprehensive protection, and fast recovery.

  • USG6000F Series AI Firewall

    USG6000F series AI firewalls provide content security functions, such as application identification, intrusion prevention (IPS), antivirus, URL filtering, and mail filtering, to protect intranet servers and users against threats.

  • HiSec Insight Security Situational Awareness System

    HiSec Insight can detect emails carrying malicious attachments from Internet access traffic, and quickly block and contain detected attacks by interworking with network devices.
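The "first line of defense" described under MRP above has to decide, from host or file-server telemetry, that a ransomware payload is running before it has finished and before it reaches other hosts. The following Python is an added example of the behavioural logic such a detector needs; it is not Huawei's MRP implementation (whose internals the page does not describe) and not code from the original page. Thresholds, the list of known extensions, and the ransom-note file names are assumed tuning values, and the event stream is constructed sample telemetry, not data from a real incident. The example deliberately includes a backup job that writes high-entropy data, to show why entropy alone is not enough to justify isolating a host.

```python
"""Behavioural ransomware detector over file-activity telemetry (EDR, file-server audit
or storage-array events). Added example, not Huawei's MRP implementation. Several weak
indicators are combined inside a per-host sliding window: a burst of files rewritten,
near-random (encrypted) write content, renames to an unknown extension, and a ransom
note appearing. Any one alone false-positives (a backup job also writes high-entropy
data); the conjunction is what justifies isolating the host to stop lateral spread."""
import math
import random
from collections import Counter, defaultdict, deque

WINDOW_SECONDS = 60        # sliding window per host (assumed tuning value)
BURST_FILES = 20           # distinct files rewritten inside the window (assumed)
ENTROPY_THRESHOLD = 7.5    # bits per byte; documents sit well below, ciphertext near 8
KNOWN_EXTENSIONS = {"txt", "docx", "xlsx", "pdf", "jpg", "png", "zip"}
NOTE_NAMES = {"how_to_decrypt.txt", "readme_to_restore.txt"}   # assumed, not a real IOC list


def shannon_entropy(data):
    """Bits of entropy per byte of `data` (0.0 for empty or single-valued input, 8.0 max)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _basename(path):
    return path.rsplit("\\", 1)[-1]


def _ext(path):
    name = _basename(path)
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


class RansomwareDetector:
    """Feed events in time order; observe() returns an alert dict the first time a host
    crosses the combined threshold, otherwise None."""

    def __init__(self):
        self.windows = defaultdict(deque)
        self.alerted = set()

    def observe(self, ev):
        host, win = ev["host"], self.windows[ev["host"]]
        ev = dict(ev)   # annotate once so entropy is not recomputed on every window scan
        ev["_high_entropy"] = ev["op"] == "write" and shannon_entropy(ev["data"]) > ENTROPY_THRESHOLD
        win.append(ev)
        while ev["ts"] - win[0]["ts"] > WINDOW_SECONDS:
            win.popleft()
        if host in self.alerted:
            return None
        written = {e["path"] for e in win if e["op"] == "write"}
        high_entropy = sum(1 for e in win if e["_high_entropy"])
        renamed = sum(1 for e in win if e["op"] == "rename" and _ext(e["new_path"]) not in KNOWN_EXTENSIONS)
        note_dirs = {e["path"].rsplit("\\", 1)[0] for e in win
                     if e["op"] == "create" and _basename(e["path"]).lower() in NOTE_NAMES}
        if (len(written) >= BURST_FILES and high_entropy >= BURST_FILES // 2
                and (renamed >= BURST_FILES // 2 or note_dirs)):
            self.alerted.add(host)
            return {"host": host, "ts": ev["ts"], "action": "isolate", "files": len(written),
                    "high_entropy_writes": high_entropy, "renamed": renamed, "note_dirs": sorted(note_dirs)}
        return None


def run(events):
    """Replay an event list in timestamp order and collect alerts."""
    det = RansomwareDetector()
    return [a for a in (det.observe(e) for e in sorted(events, key=lambda e: e["ts"])) if a]


def constructed_events():
    """Constructed sample telemetry, not from a real incident. ws-17 behaves like
    ransomware; srv-bak is a backup job that also writes high-entropy data."""
    rng = random.Random(7)
    events, ts = [], 1000.0
    docs = r"C:\Users\alice\Documents"
    for i in range(30):
        path = f"{docs}\\report_{i}.docx"
        events.append({"ts": ts, "host": "ws-17", "op": "write", "path": path, "data": rng.randbytes(4096)})
        events.append({"ts": ts + 0.1, "host": "ws-17", "op": "rename", "path": path, "new_path": path + ".locked"})
        ts += 0.5
    events.append({"ts": ts, "host": "ws-17", "op": "create", "path": f"{docs}\\HOW_TO_DECRYPT.txt"})
    for i in range(30):
        events.append({"ts": 1000.0 + i * 0.5, "host": "srv-bak", "op": "write",
                       "path": f"D:\\backup\\vol_{i}.zip", "data": rng.randbytes(4096)})
    return events
```

Running `run(constructed_events())` yields a single "isolate" alert for ws-17 roughly ten seconds into its encryption burst, while srv-bak, which rewrites just as many high-entropy files, never trips the detector because it neither renames files to an unknown extension nor drops a note. The response action is what maps to "prevents it from spreading laterally": isolating the host at the network layer stops the affiliate from using it as a foothold, and the storage-side snapshot from before the alert timestamp is the recovery point.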

About This Topic
  • Author: Zheng Kaili
  • Updated on: 2023-08-09