Until recently, ransomware attacks used to be carried out by highly skilled, well-motivated professional cyber attackers. The primary purpose was to obtain money in the form of ransom paid in bitcoins in untraceable transactions. But not anymore. Ransomware attacks became available to unskilled, malicious persons as well under the form of ransomware-as-a-service. Let’s have a look at how it happened, and what are the implications.
What is ransomware-as-a-service
To carry out a ransomware attack, a cyber-criminal develops an entire infrastructure:
- Engines to send SPAM and phishing emails, the main propagation vector for ransomware;
- Botnets that would send the SPAM and phishing emails, built over time using other types of malware;
- Anonymous servers to store ransomware packages – where the Phishing and SPAM emails point to;
- Technology to package the ransomware payloads in ways that make them difficult to detect;
- Various ransomware payloads configured to deliver a customized ransom notes.
With the infrastructure ready the attacker can launch attacks on various targets and wait to collect the ransom. As soon as the infrastructure is available, most of the high-profile technical work is done, and usage of the infrastructure does not require a lot of technical expertise. Hence, the attackers have the opportunity to create another effective revenue source, by renting their ransomware attack infrastructure to anyone who wants to carry out such an attack. Thus, they have a reliable and efficient source of income by getting a margin on the profits of the ransomware operators. Like that, anyone can be a ransomware operator, even without technical knowledge and without a significant initial investment.
The model is similar to the software distribution model where the vendors are replaced by the attackers, and the distribution channel is replaced by the ransomware service operators.
By significantly reducing the level of technical knowledge required to carry out an attack, this cybercrime model greatly increases the number of potential attackers. Consequently, with more actors, the number of attacks will increase significantly.
Examples of existing ransomware-as-a-service
Shark (Cost: 20% of the revenue)
This ransomware has been around for a while, but as of recently, in August 2016, its developers decided to make it available for anyone and built tools that allow creating and configuring Shark ransomware payloads. Any ransomware operator would pay 20% of the revenue made from ransomware attacks using these tools.
Alpha locker (Cost: 65$)
For 65$ you get a ransomware kit that consists of unique ransomware code, a master decryptor program, and an administration panel.
Janus (Cost: variable, depending on the amount of ransom)
This online platform allows the creation of custom variants of Petya and Micha (a couple of the most devastating) and enables the distribution process. The costs depend on the amount of ransom received and vary from 25% to 50% of the revenue made by ransomware operators.
The development of ransomware, the rather exclusive revenue generator into a fully-fledged software distribution model usable by anyone has significant implications. We are likely to see an increasing number of attacks and a broadening of the scope regarding victims. While before money making was the primary driver for running ransomware attacks, and the targets were usually high profile companies able to pay significant amounts in ransom (i.e. healthcare institutions), in the future attacks will occur for any reason and more and more individuals and businesses will fall as victims.
TEMASOFT develops advanced anti ransomware technology that detects and blocks most present and future ransomware and allows file recovery if successful attacks occur. This technology will soon be available.
For more information, follow us on social media and subscribe to our newsletter.