Ransomware is not new — it has been around since the early 1990s — but what is new is the increasing threat posed by the efficiencies of a cloud-based delivery system known as ransomware as a service.
Longtime readers of this column know that I am a huge fan of all things cloud — until now.
Ransomware is a type of malware that encrypts a target’s software files, forcing them to pay a “ransom” for their decryption. It’s not new — it has been around since the early 1990s — but what is new is the increasing threat posed by the efficiencies of a cloud-based delivery system known as ransomware as a service. RaaS is a criminal variant of software as a service, or SaaS, whereby cybercriminals provide the platform and related ransomware services (everything from delivery to taking payment to tracking the progress of the extortion) for a fixed fee or percentage of the ransom payment. Basically, it has become very easy for would-be attackers to just log in to the portal of a favorite RaaS dark web vendor, pay the fees to get started (sometimes as low as $US39!) and distribute malware to their victims without having to actually write their own malicious code. No real technical skills necessary.
There is no doubt that there has been a huge upturn in ransomware attacks over the past year, likely spurred on by RaaS. This year’s Lloyd’s Emerging Risks Report estimates that, in 2016, cyberattacks cost businesses as much as $450 billion a year globally. According to the 2017 Verizon Data Breach Investigations Report, ransomware is the fifth most common form of malware and is expected to grow this year.
Unfortunately, RaaS vendors now market and sell their products and services in the same sophisticated way legitimate software companies do, with videos explaining malware features and customization tips, user-friendly interfaces and free help guides. Customers of some RaaS providers can see an estimate of their earnings before they sign up. “Satan,” a popular RaaS malware, is made available via a user-friendly, intuitive GUI with a simple signup that allows for customizations (of the ransom amount, for example), contains tools for creating the malware and even translates the ransom note into 14 different languages. There is a helpful “metrics dashboard” that makes it simple to track the amount of ransomware that has successfully infected machines and how many entities have paid the ransom amount. The Satan RaaS platform claims that its clients/users can create their own ransomware “in less than a minute.” Easy peasy.
RaaS service providers typically advertise their products via banner ads and forum postings on the dark web, although Sophos has reported that at least one RaaS provider, the Rainmakers Labs, earlier this year marketed an introductory video for its “Philadelphia” ransomware on legitimate mainstream sites such as YouTube (which has since removed it).
While some RaaS vendors charge an initial usage fee, others prefer to enter into a profit-sharing model with their clients and take a cut of each ransom, which likely incentivizes a larger volume of attacks. So when the target pays the RaaS service provider (usually in Bitcoin) to unlock and retrieve its data, the “client” will obtain a (lucrative) percentage share (50–80 per cent). For example, the default setting on the Satan RaaS site allows 70 per cent of any ransom monies paid out by the targets to go to the client. By contrast, “Fatboy” ransomware, which appeared earlier this year, is smart enough to change the amount of money it charges so that recipients in areas with a higher cost of living will automatically be charged more to have their data decrypted. Other popular examples of ransomware available as RaaS include “Petya/Mischa”, “Shark/Atom” and “Cerber” viruses.
What can be done to prevent a RaaS attack? The following suggestions may be helpful.