In 2012, Reveton ransomware emerged. It’s considered to be the first Ransomware-as-a-Service (RaaS) operation ever. Since then, RaaS has enabled gangs with basic technical skills to launch attacks indiscriminately. Now, nearly anyone can create highly effective malware campaigns.

We now see RaaS outfits with organizational capabilities that rival the most professional Software-as-a-Service (SaaS) brands. But has RaaS grown too big? The factors that led to the niche’s growth may also lead to its demise.

Let’s look at the rise — and potential fall — of Ransomware-as-a-Service. After Reveton, things have never been the same.

RaaS takes root in Reveton

Reveton burst onto the scene by sending fake police agency messages to infected computers. Intruders impersonated the FBI or other law enforcement agencies and coerced victims into paying fines. Actors threatened victims with arrest for supposedly downloading child pornography and pirated content.

Reportedly, Reveton actors raked in about $400,000 from victims every month. At the time, Reveton was unique as it was customized to location. It appeared as if it came from a local law enforcement agency.

Reveton malware packages loaded malicious software into phony and hijacked web pages. If a visitor clicked an infected link, the malware would scan the user’s device for exploitable plugins via the CVE-2012-1723 exploit.

The malware also included info stealers, which penetrated password management platforms to steal credentials. Phishing campaigns also delivered malicious links. Eventually, Reveton even evolved to target smartphones through fake app downloads.

Ransomware-as-a-Service is born

Reveton’s distribution methods were highly sophisticated. The malware’s operation command used reverse proxies at dozens of servers scattered across the globe. Periodically, Reveton released new features and new customizations for ransom messages. It was also one of the first ransomware attacks to demand payment in bitcoin.

The most distinctive aspect of Reveton was that it offered its malware packages to third parties as a service. Since the appearance of Reveton, other RaaS gangs have surfaced. This places the tools to launch a ransom attack in the hands of many more actors. Undoubtedly, RaaS has contributed to the continued rise in ransomware incidents. In 2021 alone, there were over 623 million ransomware events worldwide.


Just like SaaS brands

Ransomware-as-a-Service is the product of the larger ransomware phenomenon, and the economics behind it are startling. In 2021, average ransom payments reached $812,000 compared with $170,000 the prior year. In 2021, the overall damage worldwide from ransomware was $20 billion.

RaaS also helped spearhead a larger Malware-as-a-Service (MaaS) trend. Just like their SaaS counterparts, MaaS brands can have slick websites and monthly newsletters that announce new features, customizations and upgrades. Some MaaS brands have their own marketing campaigns, video tutorials, white papers and Twitter accounts.

Clients of RaaS can choose different subscription tiers, such as Basic, Professional and Enterprise. Or they might pay a percentage of each successful attack. Traditionally, to sign up for Malware-as-a-Service, users needed a referral or access to encrypted messaging or dark web forums. However, newer providers only require an email to set up an account accessed from a normal web URL.

Too much of a bad thing?

The problem with success is that it attracts attention. This means more successful Malware-as-a-Service brands are more likely to attract notice from law enforcement. And if attacks are especially high profile, or involve critical infrastructure, federal and international agencies get involved. One example of this was the takedown and dismantling of the high-profile REvil ransomware gang.

As a RaaS operation grows, so does its infrastructure. Ironically, this also becomes a liability, since the attacker’s own attack surface grows, making detection and disruption by law enforcement takedowns easier. As a result, RaaS groups are forced to invest more in infrastructure obfuscation and redundancy. This, in turn, cuts into profit margins and the resources available for innovation and expansion.

New fluid, brandless approach

In response to these challenges, some ransomware agents are adopting more dynamic, low-profile tactics. For example, the Russian-language ransomware gang Vice Society wields a constantly changing array of tools, including ransomware variants. “Vice Society actors do not use a ransomware variant of unique origin,” according to a joint alert from the FBI and CISA.

Due to the increased scrutiny of law enforcement, the demand for RaaS may be slowing. Vice Society appears to have bought off-the-shelf malware rather than signing up for a RaaS subscription. Ransomware affiliates are becoming very fluid in their sampling of different RaaS kits. They may even develop their own tools based on leaked ransomware source code, such as Hello Kitty’s source code or even Conti’s leaked source code.

Are smaller targets safer?

The flip side of this move away from high-profile RaaS brands is the targeting of smaller victims. Rather than attacking large corporations or infrastructure like the Colonial Pipeline, most attackers prefer smaller targets. For example, Vice Society favors attacks on schools and colleges, a far cry from massive pipeline-sized targets. While ransomware remains a threat to businesses of all sizes, companies with fewer than 1,000 employees are most at risk.

In a rare interview, a REvil-associated threat actor said, “You can hit the jackpot once, but provoke such a geopolitical conflict that you will be quickly found. It is better to quietly receive stable small sums from mid-sized companies.”

Effective ransomware prevention

The CISA Ransomware Guide provides extensive advice to mitigate threats. Some of its high-level advice includes:

  • Maintain offline backups of data
  • Ensure all backup data is encrypted, immutable and covers the entire organization’s data infrastructure
  • Review the security posture of third-party vendors
  • Implement listing policies for applications and remote access that only allow systems to execute known and permitted programs under an established security policy
  • Document and monitor external remote connections
  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented and secure location (i.e., hard drive, storage device or cloud).
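The bullet "Document and monitor external remote connections" is the one most readily turned into a routine check. The following is an added example, not code from the original article or from CISA: it parses a handful of constructed remote-access log lines (a simplified, hypothetical SSH/RDP-gateway format, not any real product's output), treats RFC 1918, loopback and link-local addresses as internal, and flags every successful login whose source is external and absent from a placeholder list of documented external sources. The network in `DOCUMENTED_EXTERNAL` is a placeholder to be replaced with an organization's own documented VPN or vendor ranges.

```python
import ipaddress
import re

# Constructed sample log lines (not real data). Hypothetical syslog-like
# format: SSH accept lines and RDP-gateway "session start" lines.
SAMPLE_LOG = """\
2024-05-01T08:02:11Z sshd[4123]: Accepted publickey for deploy from 10.20.4.7 port 51422
2024-05-01T08:05:43Z sshd[4130]: Accepted password for admin from 203.0.113.45 port 60211
2024-05-01T08:06:02Z rdp-gw[881]: session start user=svc_backup src=192.168.50.9
2024-05-01T08:09:15Z rdp-gw[881]: session start user=jsmith src=198.51.100.23
2024-05-01T08:10:40Z sshd[4142]: Accepted publickey for deploy from 2001:db8::1 port 40001
2024-05-01T08:11:00Z sshd[4150]: Failed password for root from 203.0.113.45 port 60300
"""

# Placeholder: external ranges the organization has documented as legitimate
# remote-access sources (e.g. its VPN concentrator). Replace with real ranges.
DOCUMENTED_EXTERNAL = [ipaddress.ip_network("198.51.100.0/24")]

# Address space considered "internal" for this check. Deliberately explicit
# rather than relying on ipaddress.is_global, which also classifies the
# RFC 5737/3849 documentation ranges used in the sample as non-global.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "::1/128", "fe80::/10", "fc00::/7",                # IPv6 equivalents
)]

SSH_RE = re.compile(r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port")
RDP_RE = re.compile(r"session start user=(?P<user>\S+) src=(?P<src>\S+)")


def parse_line(line):
    """Return (timestamp, user, source_ip) for a successful remote login, else None.

    Failed logins and unrelated lines are ignored; a source that is not a
    valid IP address is ignored rather than crashing the scan.
    """
    for pattern in (SSH_RE, RDP_RE):
        m = pattern.search(line)
        if m:
            timestamp = line.split(" ", 1)[0]
            try:
                src = ipaddress.ip_address(m.group("src"))
            except ValueError:
                return None
            return timestamp, m.group("user"), src
    return None


def classify(src_str):
    """Classify a source address string as 'internal', 'documented' or 'external'.

    An address in a documented external range counts as 'documented';
    anything else outside INTERNAL_NETS is 'external' and worth review.
    """
    addr = ipaddress.ip_address(src_str)
    if any(addr in net for net in INTERNAL_NETS):
        return "internal"
    if any(addr in net for net in DOCUMENTED_EXTERNAL):
        return "documented"
    return "external"


def find_undocumented_external_logins(log_text):
    """Return successful logins from external, undocumented sources."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        timestamp, user, src = parsed
        if classify(str(src)) == "external":
            findings.append({"time": timestamp, "user": user, "src": str(src)})
    return findings


if __name__ == "__main__":
    for f in find_undocumented_external_logins(SAMPLE_LOG):
        print(f"REVIEW {f['time']} user={f['user']} src={f['src']}")
```

Run against the constructed sample, the check reports two sessions for review (the password login from 203.0.113.45 and the IPv6 login from 2001:db8::1); the RDP session from the documented range and the two internal logins pass, and the failed password attempt is not counted because only successful sessions indicate an actual remote connection. In practice, the reviewed list is compared against the organization's documented remote connections, which is the point of the CISA recommendation.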

CISA also recommends the implementation of identity access management (IAM). This can include automated, cloud-based and on-premises capabilities for administering identity governance. IAM can manage workforce and consumer identity/access and provide privileged accounts control.

Reveton opened the door to a wider range of threats, and ransomware isn’t going away soon. The best strategy is to be well prepared against attack.
