RaaS: type of malware and business model of its distribution

Ransomware-as-a-Service (RaaS) is a distribution model for specialized malware that covers every stage, from development to retail sale via the Darknet and other sales channels.

The encryptors used in RaaS can completely paralyze a company's work if an attacker manages to reach sensitive data and encrypt it. With high-quality ransomware, it is very difficult for the company to decrypt the data itself, and to unlock its resources it will most likely have to agree to the attacker's demands.

In this article, we will analyze the RaaS business model, its similarities to and differences from legal systems, and the specifics of ransomware from the point of view of information security.

RaaS from an information security perspective

A ransomware program is a complex software product. The more sophisticated the encryption methods it uses, the harder it is to decrypt, and the higher the probability that:
  • you'll have to pay the ransom;
  • or say goodbye to the encrypted data.

The fact that this class of malware can be sold almost unhindered, following the patterns of the legal market, creates all the conditions for its spread. It is enough for an attacker to find the required amount, log in to the Darknet and make a payment; no special knowledge is needed for this.

Such software can then be distributed either by exploiting vulnerabilities or by using social engineering methods. This seriously lowers the qualification requirements for hackers. This is also evidenced by the increase in the number of attacks using encryptors since March 2020.

Sergey Belov
CEO, AtreIdea company

Creating a ransomware program with basic functionality, without regard to possible additional functionality and optimization (for example, in the field of encryption speed, bypassing antivirus tools, etc.), will take no more than 1-2 weeks. Creating a high-quality product, by industry standards, can take up to a year. Additional time may be required to create a network infrastructure if the product is intended to be used as part of RaaS.

The development of high-quality integrated products in the cybercrime industry often follows the best practices of industrial development, partly because a single product can involve many people responsible for different parts of it, and can even include testers and project managers.

The possibility of decryption depends directly on the quality of the ransomware implementation, in terms of the strength of the encryption algorithms used and the correctness of their application. While the industry was taking shape, a number of such programs were written hastily, so to speak, which led to the emergence of a number of poor-quality solutions. Some of these solutions used obviously weak approaches, for example XORing the contents of the file with a static key, or did not encrypt the contents at all but replaced several characters at the beginning of the file, so that it could no longer be opened by the standard program intended for viewing it, while the valuable content was not actually lost. Many large antivirus companies keep records of ransomware programs whose results can be decrypted, and publish ready-made tools for automatic decryption of affected files. Searching antivirus manufacturers' support forums can also help with decryption: they often help identify specific ransomware programs and share information about whether encrypted files can be decrypted.

The growth of the RaaS audience also leads to an increase in product adaptability. This is reflected in the adaptation of the interface, the creation of guides, technical support, and a host of other attributes of a developing, growing product.

At the same time, the most reliable way to protect against ransomware is to systematically create backups. Neglecting this procedure can lead to huge losses. For example, in the first half of 2021, the average revenue of ransomware was $5.3 million.
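The two weak schemes mentioned above (XOR with a static key, and overwriting only the first bytes of a file) can be recognized during recovery triage. The following is an added example, not code from the article or from any vendor tool; the sample file, the key and all function names are constructed for illustration, and key recovery only covers keys no longer than the format's leading signature.

```python
# Added example: triage for the two weak "encryption" schemes described above.
# Format markers are real PDF/PNG signatures; SAMPLE and KEY are constructed.
SIGNATURES = {            # format: (leading magic bytes, marker near end of file)
    "pdf": (b"%PDF-", b"%%EOF"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND"),
}

def xor(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (the same operation encrypts and decrypts)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def recover_static_xor_key(blob: bytes, magic: bytes, trailer: bytes):
    """Known-plaintext recovery: key[i] = ciphertext[i] ^ expected_magic[i]."""
    if len(blob) < len(magic):
        return None
    stream = bytes(c ^ p for c, p in zip(blob, magic))
    for k in range(1, len(magic) + 1):           # try the shortest key first
        key = stream[:k]
        repeats = all(stream[i] == key[i % k] for i in range(len(stream)))
        # Confirm with an independent marker so a chance match is rejected.
        if repeats and any(key) and trailer in xor(blob, key):
            return key
    return None

def triage(blob: bytes):
    """Return (verdict, format, key) for the bytes of one affected file."""
    for fmt, (magic, _) in SIGNATURES.items():
        if blob.startswith(magic):
            return ("intact", fmt, None)
    for fmt, (_, trailer) in SIGNATURES.items():
        if trailer in blob:                      # body is still readable
            return ("header-overwritten", fmt, None)
    for fmt, (magic, trailer) in SIGNATURES.items():
        key = recover_static_xor_key(blob, magic, trailer)
        if key:
            return ("static-xor", fmt, key)
    return ("no-weak-scheme-found", None, None)

# Constructed sample: a minimal PDF-like byte string, not a real victim file.
SAMPLE = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
KEY = b"\x5a\xc3\x17"                            # constructed static key

if __name__ == "__main__":
    for label, data in [("original", SAMPLE),
                        ("xor", xor(SAMPLE, KEY)),
                        ("header", b"\x00" * 4 + SAMPLE[4:])]:
        print(label, triage(data))
```

A `no-weak-scheme-found` verdict only means neither of these two shortcuts applies; it says nothing about whether a vendor decryptor exists for the family in question.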

RaaS as a software distribution business model

The first thing to mention is the difference in approaches to monetization. The most popular ones are:
  1. One-time payment. It is more typical for simple tools. For example, Dharma is sold this way.
  2. Subscription. In the current situation with payment systems, paying for a ransomware program is a little more difficult than paying for a Netflix subscription.
  3. Affiliate program. Revenue from successful ransomware is split in fixed percentages between the attacker, the software developer, and other affiliated parties. Egregor is traded under this scheme.

There are also specific distribution technologies, such as REvil SaaS, which is delivered exclusively. To participate in the affiliate program, you need to prove your "professional aptitude" and have sufficient, proven hacking experience.

Anton Kuzmin
Head of the Cyberart Threat Prevention Center, Innostage Group of Companies

One of the most popular RaaS sales models is when the ransomware developer takes a small percentage of the victim's ransom, and most of the funds go to the attacker, so the growth rate and growth trends of this market directly depend on many factors. First of all, on the use of the malware itself, because the easier it is to use and the more difficult it is to detect, the more of a discount the developer gets.

Therefore, like any service, RaaS is accompanied by classic vendor forums and chats that provide FAQ answers, instructions, technical support, and updates.

The second aspect of ransomware in the business context is opportunities for advertising and placement. The possibilities here are much narrower than those of legal software products. It is important to note that even on the Darknet, not all sites are ready to advertise malware.

Results

RaaS solves two main business problems:
  1. It lowers the entry threshold and opens access to new clients.
  2. It allows everyone to earn money: both developers and customers.

And the earnings of everyone involved in the distribution of ransomware programs are only growing, at least over the last two years. This means that in the future, the issue of protection against ransomware will only become more relevant, as the number of attacks using this class of malware increases.

According to Gartner's forecast, negotiations between ransomware operators and businesses will be standardized by the state by 2025. At the same time, keeping employees up to date on social engineering and creating data backups remain the leading security methods for most companies.