In 2012, Reveton ransomware emerged. It’s considered to be the first Ransomware-as-a-Service (RaaS) operation ever. Since then, RaaS has enabled gangs with basic technical skills to launch attacks indiscriminately. Now, nearly anyone can create highly effective malware campaigns.
We now see RaaS outfits with organizational capabilities that rival the most professional Software-as-a-Service (SaaS) brands. But has RaaS grown too big? The factors that led to the niche’s growth may also lead to its demise.
Let’s look at the rise — and potential fall — of Ransomware-as-a-Service. After Reveton, things have never been the same.
RaaS takes root in Reveton
Reveton burst on the scene by sending fake police agency messages to infected computers. Intruders impersonated the FBI or other law enforcement agencies and coerced victims into paying fines. Actors threatened victims with arrest for supposedly downloading child pornography and pirated content.
Reportedly, Reveton actors raked in about $400,000 from victims every month. At the time, Reveton was unique as it was customized to location. It appeared as if it came from a local law enforcement agency.
Reveton malware packages loaded malicious software into phony and hijacked web pages. If a visitor clicked an infected link, the malware would scan the user’s device for exploitable plugins via the CVE-2012-1723 exploit.
The malware also included info stealers, which penetrated password management platforms to steal credentials. Phishing campaigns also delivered malicious links. Eventually, Reveton even evolved to target smartphones through fake app downloads.
Ransomware-as-a-Service is born
Reveton’s distribution methods were highly sophisticated. The malware’s operation command used reverse proxies at dozens of servers scattered across the globe. Periodically, Reveton released new features and new customizations for ransom messages. It was also one of the first ransomware attacks to demand payment in bitcoin.
The most unique aspect of Reveton was that it offered its malware packages to third parties as a service. Since the appearance of Reveton, other RaaS gangs have surfaced. This places the tools to launch a ransom attack in the hands of many more actors. Undoubtedly, RaaS has contributed to the continued rise in ransomware incidents. In 2021 alone, there were over 623 million ransomware events worldwide.
Read the Ransomware Guide
Just like SaaS brands
Ransomware-as-a-Service is the product of the larger ransomware phenomena, and the economics behind it are startling. In 2021, average ransom payments reached $812,000 compared with $170,000 the prior year. In 2021, the overall damage worldwide from ransomware was $20 billion.
RaaS also helped spearhead a larger Malware-as-a-Service (MaaS) trend. Just like their SaaS counterparts, MaaS brands can have slick websites and monthly newsletters that announce new features, customizations and upgrades. Some MaaS brands have their own marketing campaigns, video tutorials, white papers and Twitter accounts.
Clients of RaaS can choose different subscription tiers, such as Basic, Professional and Enterprise. Or they might pay a percentage of each successful attack. Traditionally, to sign up for Malware-as-a-Service, users needed a referral or access to encrypted messaging or dark web forums. However, newer providers only require an email to set up an account accessed from a normal web URL.
Too much of a bad thing?
The problem with success is that it attracts attention. This means more successful Malware-as-a-Service brands are more likely to attract notice from law enforcement. And if attacks are especially high profile, or involve critical infrastructure, federal and international agencies get involved. One example of this was the takedown and dismantling of the high-profile REvil ransomware gang.
As a RaaS operation grows, so does its infrastructure. Ironically, this also becomes a liability since the attacker’s own attack surface grows. This means easier detection and disruption by legal authority takedown. As a result, RaaS groups are forced to invest more in infrastructure obfuscation and redundancy. This, in turn, cuts into profit margins and resources used for innovation and expansion.
New fluid, brandless approach
In response to these challenges, some ransomware agents are adopting more dynamic, low-profile tactics. For example, the Russian-language ransomware gang Vice Society wields a constantly changing array of tools, including ransomware variants. “Vice Society actors do not use a ransomware variant of unique origin,” according to a joint alert from the FBI and CISA.
Due to the increased scrutiny of law enforcement, the demand for RaaS may be slowing. Vice Society appears to have bought off-the-shelf malware rather than signing up for a RaaS subscription. Ransomware affiliates are becoming very fluid in their sampling of different RaaS kits. They may even develop their own tools based on leaked ransomware source code, such as Hello Kitty’s source code or even Conti’s leaked source code.
Are smaller targets safer?
The flip side of this move away from high-profile RaaS brands is targeting smaller victims. Rather than attacking large corporations or infrastructure like the Colonial Pipeline, most attackers prefer smaller targets. For example, Vice Society favors attacks on schools and colleges, a far cry from massive pipeline-sized targets. While ransomware remains a threat to businesses of all sizes, companies with less than 1,000 employees are most at risk.
In a rare interview, a REvil-associated threat actor said, “You can hit the jackpot once, but provoke such a geopolitical conflict that you will be quickly found. It is better to quietly receive stable small sums from mid-sized companies.”
Effective ransomware prevention
The CISA Ransomware Guide provides extensive advice to mitigate threats. Some of its high-level advice includes:
- Maintain offline backups of data
- Ensure all backup data is encrypted, immutable and covers the entire organization’s data infrastructure
- Review the security posture of third-party vendors
- Implement listing policies for applications and remote access that only allow systems to execute known and permitted programs under an established security policy
- Document and monitor external remote connections
- Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented and secure location (i.e., hard drive, storage device or cloud).
CISA also recommends the implementation of identity access management (IAM). This can include automated, cloud-based and on-premises capabilities for administering identity governance. IAM can manage workforce and consumer identity/access and provide privileged accounts control.
Reveton opened the door to a wider range of threats, and ransomware isn’t going away soon. The best strategy is to be well prepared against attack.