Ransomware gangs have been raiding computer networks for nearly a decade. The plague took root with the emergence of the CryptoLocker nasty back in 2012, and these extortion snafus have since evolved into a plague with a distinct enterprise flavor. Businesses, universities, hospitals, and local governments are now in the crosshairs of extortionists, with the ransoms reaching hundreds of thousands or even millions of dollars per infected organization.
The focus on attacking large networks made perpetrators rethink their tactics and look for ways to engage extra “workforce” to cope with the increasing amount of evil work. To bridge the gap, malicious actors masterminded a clever scheme known as Ransomware-as-a-Service (RaaS) in 2015. This move turned the extortion epidemic into a whole new ballgame.
The logic behind this phenomenon is to split the roles between ransomware authors and distributors. By outsourcing the propagation job to affiliates, the developers can concentrate on improving their malicious code while getting a 20-30% cut of every ransom paid.
The average RaaS is much like your garden-variety affiliate platform, except that it pursues nefarious objectives. It comes with a user-friendly dashboard showing live infection stats and the generated revenue. It additionally provides co-conspirators with turnkey solutions that help extend their reach, including exploit kits, hacking tools, and post-exploitation mechanisms. One more perk is the option to build a custom ransomware variant in a few clicks of a mouse.
Some lesser-known RaaS networks keep their doors open for all wannabe extortionists. Some, though, are private affiliate programs that only recruit high-profile distributors and require interested parties to submit resumes describing and proving their track record. The proprietors of these platforms reserve the right to reject such cooperation proposals if the applicants don’t match their rigid criteria.
Layers of the RaaS ecosystem
At the time of this publication, more than 25 active gangs stick with the Ransomware-as-a-Service principle. Analysts at the threat intelligence firm Intel 471 have recently dissected this area of cybercrime and singled out the following RaaS categories:
- Most Wanted (Tier 1). These are large-scale operations that have generated ransoms totaling hundreds of millions of dollars over the past years. Most of them use special sites to leak data stolen from companies that refuse to pay up.
- Rising Powers (Tier 2). This cluster comprises ambitious groups that have orchestrated a number of confirmed attacks and are currently ramping up their efforts to become major players in the extortion arena.
- Emerging RaaS Crews (Tier 3). This category is formed by ransomware gangs that surfaced in 2020. Although they are actively advertised on hacking forums, there is hardly any data regarding assaults attributed to them so far.
With new ransomware campaigns exploding with successful incursions against big prey, the structure of these tiers could change dynamically down the line. In the meantime, though, this environment is dominated by ten groups.
Today’s most impactful RaaS platforms
The following paragraphs will shed light upon the top ransomware syndicates operating on a RaaS basis. These are gangs that represent Tier 1 and, in part, Tier 2 in the above hierarchy.
This is a long-running ransomware campaign that zeroes in on large computer networks. Its affiliates mainly use malware loaders called Trickbot and Emotet to drop the ransom Trojan as a second-stage payload. Ryuk gained extra notoriety for attacking healthcare facilities during the COVID-19 crisis. According to some security researchers, this strain accounted for every third ransomware onslaught in 2020.
In late 2019, the Maze crew broke new ground by stealing victims’ data before unleashing malicious encryption. This technique is used to pressure companies into paying ransoms. If the original demands are rejected, ransomware operators leak the files via a “public shaming” site. The crooks behind Maze have recently announced they were closing up shop. According to some reports, this extortion campaign will continue under the umbrella of another ransomware operation called Egregor.
This strain has been in rotation since 2019. It has a good deal of code overlapping with a ransomware lineage known as BitPaymer, which has allowed analysts to attribute the two campaigns to the same gang. The malefactors in charge of DoppelPaymer use a site called Dopple Leaks to name and shame non-paying organizations. The affiliates of this RaaS have made quite a few high-profile victims, including the Mexican petroleum company Pemex and the Dusseldorf University Clinic.
Also known as Sodinokibi, REvil was one of the first RaaS groups to take the route of haunting large networks. It is mainly deployed via remote desktop protocol (RDP) hacks and vulnerabilities in software running on web servers. REvil is responsible for a series of newsmaking incidents, including well-coordinated attacks against 22 municipalities in Texas, the U.K. financial services company Travelex, the U.S. staffing company Artech Information Systems. Earlier this year, the criminals set up a leak site called “Happy Blog” where they dump data extracted from non-cooperative companies.
Having splashed onto the scene in September 2019, this RaaS erupted in the wake of this year’s pandemic by piggybacking on coronavirus-themed phishing attacks. Some of its affiliates leverage file-less contamination mechanisms to run the ransomware in memory and thereby thwart detection by antivirus tools. In 2020 alone, Netwalker perpetrated more than two dozen successful incursions, including the attack against Michigan State University that hit the headlines in June.
First spotted in late December 2019, the Conti RaaS operation had been mostly idle until around June 2020. Based on code similarities with the above-mentioned Ryuk ransomware, it is believed to hail from the same source. After infiltrating an enterprise network, its operators conduct reconnaissance in an attempt to download valuable files to their server. This activity fuels Conti’s double extortion stratagems. In November 2020, this gang breached the systems of IoT chip manufacturer Advantech, demanding a whopping $14 million worth of Bitcoin for data decryption.
Clop, one more enterprise-targeting predator on the list, made its debut in February 2019. A year later, the proprietors of the underlying RaaS added a data leak strategy to their repertoire to coerce stubborn victims into cooperating. The latest incident involving Clop is an attack against the South Korean retailer E-Land. This raid made the company shut down its 23 stores across the country in November. The Clop crew claims to have pilfered 2 million credit card records from the victim and is threatening to leak this information unless the original ransom is paid.
First spotted in October 2019, the SunCrypt RaaS hadn’t been too active until September 2020 when its affiliates attacked the University Hospital New Jersey and the Haywood County School District. This group stands out from the crowd as it launches DDoS attacks to bring down victims’ websites if the ransom negotiations fail.
- Ragnar Locker
The distributors of this lineage use a hugely effective method to gain a foothold in networks. First, they try to hack the systems of a specific Managed Service Provider (MSP). If this compromise flows through, Ragnar Locker affiliates access the IT infrastructures of companies the MSP cooperates with, thereby widening the attack surface considerably. In November 2020, the FBI issued a flash alert giving organizations a heads up about a dramatic increase in Ragnar Locker distribution.
The Nemty RaaS emerged in January 2019. Its affiliates deploy the ransomware through a combo of RDP hacks, exploit kits, social engineering, and different malware loaders. In March 2020, Nemty launched a site for leaking data stolen from stubborn victims. Shortly afterward, the gang switched to a private RaaS that only works with select affiliates who have a reputation in the cybercrime underground.
Ransomware protection tips
With ransomware attacks growing in power and sophistication, the defenses should be both proactive and multi-pronged. The following recommendations will help you avoid the worst-case scenario:
- Keep your important files backed up.
- Follow safe RDP practices.
- Configure your email service to filter out spam and phishing messages.
- Enable a firewall to prevent ransomware from communicating with its Command & Control servers.
- Don’t turn on Office macros if an email attachment instructs you to.
- Use trusted antivirus software.
- Keep your operating system and third-party applications up to date to ascertain that the latest security patches are installed.
- Use a DDoS mitigation service and a web application firewall (WAF).
- If you are a business owner, set up a security awareness program so that your teams can identify the telltale signs of a ransomware attack. Also, enforce the use of two-factor authentication (2FA) to sign into corporate accounts.
Ransomware is here to stay, and so is RaaS as one of the building blocks of this monstrous cybercrime economy. Under the circumstances, the best response to this ever-evolving plague is to be a moving target. Unfortunately, data backups are no longer the silver bullet when it comes to ransomware mitigation. Extortionists are increasingly stealing files as part of their attacks and threatening to spill them if not paid. As a result, being able to restore data from a backup could be cold comfort.
So, focus on prevention and keep in mind that security is a continuous process rather than a product you can install. The tips above should help you stay in the clear.