There have been whispers on the dark web about “Ransomware-as-a-Service (RaaS)” as far back as 2015, but Kivu had its first known RaaS case in March 2017. In this case, the client’s terminal server was infected with Satan ransomware. The Satan ransomware strain is a known RaaS variant that encrypts the victim’s files with the “.stn” extension.
On the victim side, there is not a significant difference between how traditional ransomware and RaaS ransomware infects the environment. The difference lies on the attacker side.
- Traditional ransomware: an attacker pays a malware developer a one-time flat fee for the ransomware virus. The attacker receives 100% of the ransom proceeds from the attacks that he launches. However, the attacker is solely responsibly not only for carrying out the attacks/infecting the victim, but also collecting payment, and upgrading their virus as defenses are developed.
- Ransomware-as-a-Service: an attacker creates an account with a RaaS distributor, and is given free, unlimited access to the ransomware. The attacker is still responsible for launching the infectioning attack. However, with Raas distributor takes care of collecting the ransom (deducting a % of every ransom payment before forwarding it to the attacker’s account. . We have seen percentages range from 10% to 30% of the ransom. The distributor is generally responsible for upgrading the ransomware variant as defenses are developed, thus maintaining its “street value”.
At the time of writing, we are aware of a handful of strains that are associated with RaaS, including Satan, Cerber, and Sage. There is no question that this distribution method is more attractive to malware developers. With RaaS, the developers receive steady fixed payments from all ransoms that originate from the malware that they provide. Whether RaaS is the on rise as the ‘preferred’ method for attackers is still up for debate.
On one hand, RaaS provides attackers with a user-friendly portal through which they can customize their attacks and easily monitor the progress of their ransom payments. RaaS can be used by virtually anyone who knows where to find it, and doesn’t require the attacker to have expert knowledge in traditional attack vectors. In addition, if the particular ransomware variant fails to perform, there is an incentive on the distributor to quickly remediate any faults. Unlike an attacker who purchases an “off the shelf” ransomware which turns out to be a dud (like the “starter pack” Karmen, the Edsel of ransomware), the RaaS distribution model generally insures that the malware variant will perform effectively, for a time at least.
However, there are drawbacks for the erstwhile attacker using RaaS. First, the attacker must give up a portion of his ransom to another party. Second, the attacker has less control over the infection process. This is not an issue if the ransomware runs perfectly, but as with all malware there is no guarantee the ransomware will work as intended. Because the attacker has limited visibility into the actual infection process, there is no way for him to manually access the target machine to find out why the malware did not execute (i.e. quarantined by AV, victim machine lost a network connection, etc.).
It will be interesting to see over the next few months whether RaaS gains traction in the attacker community. If developers can streamline their infection process and prove a high success rate, I anticipate we will see an increase in attackers using RaaS strains over older ransomware families.
A snapshot of the– taken from bleepingcomputer.com