Intrusion Inc.

01/06/2021 | Press release | Distributed by Public on 02/06/2021 01:12

Ransomware-as-a-Service: Trending new money-making model

Earlier this month, the threat actor group DarkSide made 4.4 million by striking Colonial Pipeline, a giant fuel company, with a ransomware attack. The negotiation took place after the attack crippled the fuel supply to the East Coast, causing a temporary shutdown. Such groups have evolved into making money by illegally holding data for ransom, and the availability of cryptocurrency has been the biggest motivation for these criminal minds.

Organizations pay the ransom hoping to get their files decrypted. This only makes such groups richer and encourages them to repeat their actions, and it is the same reason ransomware attacks keep succeeding. Criminals making millions by deploying such malware has given rise to the Ransomware-as-a-Service (RaaS) model.

Ransomware-as-a-Service

A large share of cybercriminals lack the ability to write the code themselves. Ransomware gangs have created a new business trend of renting or selling ransomware on dark web platforms. RaaS developers build user-friendly portals and sell RaaS kits to less proficient hackers. Through affiliate programs, the developer receives a share of the ransom paid by the victim companies.

RaaS affiliates lure victims with phishing emails that convince them to click on malicious links, which download the ransomware onto the system. Once the organization's defenses are compromised, the ransomware encrypts the system. The cybercriminals provide the decryption key to the victim once the ransom is paid in bitcoin. REvil, Dharma, and LockBit are among the RaaS kits available on the dark web.

Industries targeted by ransomware

Ransomware attacks are targeting the Healthcare, Manufacturing, Insurance, Technology, and Banking sectors, among other industries. Ransomware gangs have been especially active during the ongoing Covid-19 vaccine production, and they have been eyeing the healthcare sector since the beginning of the pandemic. Patient records are at stake when hospitals are under attack. Threat actors hold crucial data at educational institutes for ransom. Attackers have breached millions of credit card and customer records at banks using ransomware.

Attack trends differ globally depending on which industries matter most in each country. The share of these attacks has only risen since last year. The first quarter of 2021 showed a drastic increase in ransomware threats, with Asia Pacific the most affected region. The size of an organization has never been the attacker's concern. The risk of public exposure of data, even when a backup exists, is what makes organizations pay the ransom. Various organizations have encountered the sophisticated tactics of common ransomware operators in major attack scenarios.

Alarming Ransomware Attacks

Earlier, the purpose of ransomware operators was to encrypt data and decrypt it on payment of the ransom. Nowadays, the story has changed. Threat actors do thorough research on an organization's financial assets before attacking it. They install the ransomware with the purpose of stealing data to blackmail victims into paying the ransom.

In the past year, the ransom demanded in bitcoin has risen. Demands are now above five to six figures, adding up to millions of dollars. The attackers have started establishing payment deadlines, and if the victim fails to pay the extortion in time, the ransom doubles. Organizations have a reputation to protect, and with that in mind, ransomware gangs threaten to leak their crucial data on the dark web.

  1. REvil, a file-encrypting virus, infiltrates victim systems and encrypts all the files. The ransomware compels the victim to pay the ransom in bitcoin to decrypt the files. The extortion doubles if the victim cannot pay on time.
  2. Netwalker, a newer ransomware variant, has been targeting government sectors, remote workers, the healthcare industry, and others. It drops a ransom note and encrypts all the files on the Windows system, crawling through the network.
  3. Ryuk has targeted large organizations by restricting access to systems until the ransom is paid. It uses strong encryption to encrypt every file and infects the victim machine by way of other malware.
  4. Maze has been a global threat to organizations. It is known for exfiltrating sensitive information and publishing it on cyber-criminal forums. It has been one of the most destructive ransomware families of recent times.
  5. Sodinokibi is a variant of REvil and spreads through software installers, RDP servers, and other backdoor vulnerabilities. It has the ability to remove blacklisted files and transfer victims' data to the attacker. GandCrab usage declined as Sodinokibi took off.

Ransomware Prevention Strategies

  1. Organizations should tighten endpoint security on weekends and vacations.
  2. Multi-factor authentication should be implemented.
  3. Organizations should run comprehensive social engineering awareness and training programs.
  4. Data backups should be kept in the cloud and on external storage devices.
  5. Systems should be updated as soon as security patches are released.
  6. Organizations should have a recovery plan in place.
  7. Invest in leading-edge security technology to prevent ransomware attacks.