Understanding Ransomware-as-a-Service (RaaS) - A Guide

Executive Summary

From 2021 to 2022, ransomware attacks appeared to take a backseat to data extortion attacks as law enforcement began to crack down on ransomware operations. In previous years, holding ransomware operators responsible for their actions was challenging due to differing laws across countries. This allowed threat actors to carry out significant ransomware attacks to critical systems in various nations, including the U.S.

In 2021, hard to catch ransomware operations like Clop, were disrupted by law enforcement and members were arrested. After the arrests, some of Clop’s infrastructure shutdown, however, that did not keep the ransomware gang from becoming active again. In 2023, the group claimed attacks on 130 organizations by exploiting CVE-2023-0669 – a GoAnywhere zero-day vulnerability. They have continued to attack organizations in 2023 and have made headlines by exploiting the MOVEit zero-day vulnerabilities – successfully breaching the New York City Department of Education, Zellis, Johns Hopkins University, and others.

Clop is widely acknowledged as a ransomware group that exploits zero-day vulnerabilities to infiltrate organizations. However, Clop doesn't limit itself to solely functioning as a ransomware gang; it has adopted the "ransomware-as-a-service" (RaaS) model, partnering with criminal associates to spread malware. This kind of decentralized strategy makes it difficult to track and capture the individuals responsible for attacks. Let’s dive into RaaS and how organizations can harden their defenses against the threat actors who leverage this model.

what is ransomware-as-a-service (raas)?

Before we get into how organizations can harden their defenses, it’s important to understand what RaaS is and how it works. RaaS is not much different from the Software as a Service (SaaS) business model. In SaaS, cloud providers offer their technology through a subscription arrangement, while RaaS changes out 'cloud providers' with 'ransomware gangs' and 'technology' with ransomware (along with its accompanying crimes).

In RaaS, threat actors act as service providers, renting out their ransomware capabilities to aspiring threat actors. These aspiring threat actors, often lacking technical skills, can then deploy ransomware attacks without creating the malicious software themselves. This model lowers the entry barrier for cybercriminals, broadening the scope of attacks and contributing to the increasing frequency of ransomware incidents.

how does raas work?

The pricing structure for RaaS varies significantly, with some affiliates subscribing for as little as $100 per month, while others invest over $1,000. Regardless of the subscription fee, affiliates gain a portion of the proceeds from every successful ransom payment resulting from an attack.

The RaaS model is easily accessible and empowers individuals with minimal expertise or background in cybercrime to partake in malicious activities that yield substantial rewards. Even those without prior knowledge or experience in the field can effortlessly engage in these attacks, thanks to the ready-made tools and infrastructure provided by RaaS operators. This contributes to the widespread and persistent threat posed by ransomware attacks across various industries and sectors.

INCLUDED SERVICES

The RaaS model is largely used to spread crypto-malware, which are software programs designed to encrypt files on a targeted device and demand a ransom for decryption or recovery. Since 2019, numerous ransomware developers have expanded their services to include data theft as well. This addition involves threatening victims with the public release of stolen data unless the victim pays the demanded ransom.

Within the framework of RaaS, cybercriminals can also distribute lockers, which are programs that restrict access to a device until negotiations are made and a ransom is paid. RaaS services include a range of offerings, including but not limited to:

• Compiled ransomware or access to its source
• Tools for customizing ransomware, such as tailoring it for a specific target’s operating system or crafting personalized ransom notes.
• Supplementary malicious tools, including programs that extract data prior to
• Infrastructure for managing the ransomware operations, which can include a control panel, technical support, private forums for exchanging information, and detailed

Some RaaS operations extend their services to facilitate ransom negotiation.

Once again, these services within the RaaS model allow individuals without technical expertise to enter the realm of ransomware attacks with ease, making it necessary for organizations to bolster their defenses.

threat actors that use the raas model

In addition to Clop, there are many other ransomware groups known to distribute ransomware through the RaaS model. Conti and LockBit both use this model and have profited substantially from it.

CONTI

Up until May 2022, the Russian ransomware group Conti was known for utilizing RaaS to execute disruptive ransomware attacks that targeted critical infrastructure, including hospitals and government organizations. They specialized in double extortion, involving both simultaneous data encryption and data exfiltration for financial gain. In cases where the ransom was not paid, Conti would blackmail their victims by threatening to release the stolen files.

Conti was responsible for over 400 cyber attacks within the U.S., with ransom demands as high as $25 million. The group utilized known vulnerabilities such as PrintNightmare, exploited unpatched Microsoft Exchange servers with ProxyShell, and infected victims with TrickBot malware. Although Conti went dark after their source code was leaked in 2022, many researchers believe that the gang is still operational and associated with smaller, lesser-known groups.

LOCKBIT

Since 2019, LockBit, also referred to as LockBit Black, has been operating as a ransomware-as-a- service (RaaS) group, making threats to disclose sensitive data on their leak site as leverage to force targets into paying ransom demands. Historically, LockBit has refrained from targeting systems located within Russia or countries affiliated with the Commonwealth Independent States, likely in a strategic effort to evade law enforcement.

LockBit’s attack on Accenture, one of the world's top technology consulting firms, stands out as one of the group’s notable cyber attacks. This incident occurred in August 2021, during which the group managed to steal 6 TB of data and demanded a ransom of $50 million. The group meticulously researches organizations prior to launching their attacks - Accenture's revenue for 2020 amounted to $44.33 billion.

LockBit’s RaaS model has gained a lot of attention by affiliates through campaigns in underground online communities. The operators behind LockBit stated that their encryption software was the fastest among all active ransomware strains as of June 2021. According to LockBit, this speed enhanced their ability to disrupt the ransomware landscape.

Recently, LockBit has been called out for falsely claiming to have published the stolen data of certain organizations that did not pay their demanded ransom. This impacts the group greatly since they use data extortion as leverage in their attacks. As a result, some of LockBit’s top affiliates have left for other ransomware groups. Despite this recent development, LockBit has been quite active in 2023. The group has successfully attacked and leaked the data of healthcare technology giant Siemens Healthineers, the Indonesian bank Bank Syariah Indonesia, and UK’s largest postal service provider, Royal Mail.

defense

If organizations want to protect themselves from ransomware gangs that utilize RaaS, they need to have a multi-layered approach that will address both prevention and response. Here are some key strategies to consider:

• Email Security - Once a Ransomware as a Service (RaaS) affiliate obtains the personalized ransomware code; they can pinpoint a way (such as a malicious email) to enter a system and send the malicious code to the victim's device. That’s why it’s important for organizations to utilize advanced email filtering solutions to detect and block phishing attempts and malicious attachments.
• Employee Awareness – Educate employes about malicious attachments, phishing emails, and social engineering tactics that ransomware gangs commonly use to gain initial access. Staff should be trained to recognize suspicious activity and report potential security threats immediately.
• Network Segmentation – Segment your network to limit lateral movement for attackers. This way, if ransomware infects one part of the network, it won’t easily spread to other segments.
• Endpoint Protection – Organizations should use reputable anti-virus software to detect and prevent ransomware infections. Also, implementing endpoint detection and response (EDR) solutions can provide real-time threat monitoring and response.
• Backup and Recovery - Regularly back up critical data and systems offline or to cloud storage, ensuring they're not directly accessible from the network. Additionally, don’t just back up the data but test those backups periodically to ensure they work.
• Incident Response Plan – You can’t always prevent a ransomware attack, but you should always be prepared to respond to Develop a comprehensive incident response plan that outlines steps to take in case of a ransomware attack. Test and update the plan regularly to ensure its effective.
• Study the Enemy – Stay up to date about the latest ransomware campaigns and threat groups through intelligence Avertium has an entire library of Threat Intelligence Reports that organizations can utilize to stay educated. The intelligence Avertium gathers can help organizations proactively update security measures and tailor defenses to evolving threats.

How Avertium is Protecting Our Customers

• Avertium offers VMaaS to provide a deeper understanding and control over organizational information security If your enterprise is facing challenges with the scope, resources, or skills required to implement a vulnerability management program with your team, outsourced solutions can help you bridge the gap.
  
  
• Fusion MXDR is the first MDR offering that fuse together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is greater than the sum of its parts.
  
  
• Avertium aligns your Cybersecurity Strategy with your business strategy, ensuring that your investment in security is also an investment in your business. Our Cybersecurity Strategy service includes:

• • Strategic Security Assessments - Strengthening your security posture begins with knowing where your current program stands (NIST CSF, Security Architecture, Business Impact Analysis, Sensitive Data Inventory, Network Virtualization and Cloud Assessment).
  • Threat Mapping – Leverage Avertium’s Cyber Threat Intelligence, getting a more informed view of your most likely attack scenarios (Threat Assessment and MITRE ATT&CK).
  • Cyber Maturity Roadmap - Embrace a comprehensive, quantifiable, and well- organized approach to establishing and continuously enhancing your cybersecurity resilience (Policy + Procedure Development, Virtual CISO (VCISO), Training + Enablement, Tabletop Exercises, and Business Continuity + Disaster Recovery Plan).

Supporting Documentation

APPENDIX II: Disclaimer

This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses be exploited to compromise data.

Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.