Complex Made Simple

‘Ransomware as a Service’ now in vogue

You, me, anybody really can play the profitable Ransomware as a Service (RaaS), that is if you’re rogue enough



Wissam Saadeddine, Senior Manager, MENA at Infoblox believes Ransomware has taken on absurd forms recently.

At the beginning of this year, much of the east coast in the United States faced gas shortages because Colonial Pipeline was shut down. In July, hundreds of managed service providers had REvil ransomware dropped on their systems through Kaseya desktop management software. In Ireland, the HSE (the Health Service Executive, responsible for health care in the country) was in a digital hostage situation. And those are just a few of the most striking examples.

Ransomware extracts millions of dollars from victims, not to mention the millions more in disrupted services and lost revenues. Are the recent attacks the work of rogue professionals? Hardly. “They all seem to be the work of amateurs, and not of professional hacking groups,” opined Wissam in a recent commentary.

RaaS in vogue

Researchers at cybersecurity company Group-IB have reported that nearly two-thirds of all ransomware attacks in 2020 came from RaaS platforms which are tailor-made for amateurs to carry out devastating attacks.

RaaS means that you can simply purchase a service on the Dark Web, and you can then take whoever you want hostage at will. It’s a get-rich-quick scheme and all you need is a way to pay for the service, and mischief for morals.

And unlike other types of advanced cyber threats, RaaS services are very easy to recognize. Their IP addresses are known. Any decent secure Domain Name System (DNS) service should automatically block them.

Yet, according to Wissam, this is not happening.

“That’s symptomatic of how far too many small and large companies still manage their security. Patches are not installed. Updates are not run. Passwords are not changed. Settings are not checked. And freely accessible information about all kinds of large and small threats is systematically ignored,” he opined.

Importance of DNS

DNS is an essential part of any network. A DNS server translates domain names into IP addresses and in this way ensures that network traffic ends up in the right place.

Because it is such a critical part of network functionality, DNS traffic has traditionally been unencrypted and widely trusted by the systems that make networks work. Unfortunately, this also makes it an ideal method for hackers seeking to transfer data into a network (for example when uploading malware) or out of one (like when stealing sensitive data).

By the same token, DNS’s central location at the foundation of the network also makes it possible to use as a powerful security tool. DNS can give network administrators visibility across the entire network, allowing them to identify and isolate compromised machines before they can cause significant damage. DNS can also be used to monitor traffic and can be leveraged to automatically block traffic to known malicious servers.

DNS can also use Threat Intelligence to disrupt RaaS attacks before they cause damage. It is the responsibility of the companies themselves to take at least the most basic measures to prevent amateurs armed with inexpensive programs from causing enormous damage with means that have been known for a long time and can easily be parried.
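The two defensive uses described in this section (blocking known malicious RaaS infrastructure at the resolver, and using DNS visibility to spot compromised machines and data moving in or out through DNS) can be shown with a small triage pass over resolver query logs. The following is an added example, not code from Infoblox or from the article; the blocklist, the BIND-style log format, and every domain and IP address in it are constructed placeholders, and the tunneling thresholds are assumptions.

```python
"""
Added example: an RPZ-style DNS filtering and triage pass over query logs.
Blocklist, log format, domains and addresses are constructed placeholders.
"""
import math
import re
from collections import defaultdict

# Constructed threat-intelligence blocklist (placeholder names, not real indicators).
BLOCKLIST = frozenset({"raas-panel.example", "payload-drop.example"})

# Constructed query log in a BIND-like "client IP#port: query: NAME IN TYPE" layout
# (the layout itself is an assumption for this example).
SAMPLE_LOG = """\
client 10.0.1.15#51234: query: www.example.com IN A
client 10.0.1.15#51240: query: cdn.raas-panel.example IN A
client 10.0.1.22#60001: query: mail.example.org IN MX
client 10.0.1.22#60007: query: 48656c6c6f2073656372657473.payload-drop.example IN TXT
client 10.0.1.30#41000: query: zxq9v8w2k1m4n7p3r5t8y1u4i7o0a3s6d9.tunnel.example IN TXT
"""

LOG_RE = re.compile(r"client ([\d.]+)#\d+: query: (\S+) IN (\S+)")


def is_blocked(qname, blocklist):
    """True if qname or any parent domain is on the blocklist (RPZ-style match)."""
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def label_entropy(label):
    """Shannon entropy in bits per character; random-looking labels score high."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_tunneling(qname, max_label=30, max_entropy=3.8):
    """Heuristic for data smuggled inside DNS names: a very long or high-entropy label.
    Thresholds are assumptions; tune them against your own baseline traffic."""
    labels = qname.rstrip(".").split(".")
    return any(len(lab) >= max_label or label_entropy(lab) >= max_entropy for lab in labels)


def evaluate_log(log_text, blocklist):
    """Classify each query: block known-bad names, record the hosts that asked for them
    (candidates for isolation), and flag names that look like DNS tunneling."""
    result = {"blocked": [], "compromised_hosts": set(), "tunneling_suspects": []}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # line does not match the assumed format; skip it
        client, qname, _qtype = m.groups()
        if is_blocked(qname, blocklist):
            result["blocked"].append((client, qname))
            result["compromised_hosts"].add(client)
        elif looks_like_tunneling(qname):
            result["tunneling_suspects"].append((client, qname))
    return result


if __name__ == "__main__":
    report = evaluate_log(SAMPLE_LOG, BLOCKLIST)
    for client, qname in report["blocked"]:
        print(f"BLOCK   {client} -> {qname}")
    for client, qname in report["tunneling_suspects"]:
        print(f"REVIEW  {client} -> {qname} (possible DNS tunneling)")
    print("isolate:", sorted(report["compromised_hosts"]))
```

The blocklist match walks up the name label by label, so a feed entry for a domain also covers every subdomain the attacker spins up under it, which is how response policy zones are normally applied. The entropy heuristic is deliberately a second, weaker signal: it is only consulted for names the feed does not already know, and its output is a review queue rather than an automatic block.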

RaaS gives relatively cheap and easy access to these types of malicious programs, for a much smaller fee than the cost of developing the malware on your own. RaaS providers generally take a 20% – 30% cut of the ransom profit generated.

Ransomware gangs to fear

The ransomware gangs which will continue to dominate the headlines in 2021 include:

  • DoppelPaymer – provided ransomware for attacks on Pemex in Mexico, Bretagne Télécom in France, and both Newcastle and Düsseldorf University
  • Egregor – provided ransomware for attacks on Crytek in Germany, Ubisoft in France, and Barnes & Noble in the US
  • Netwalker/Mailto – provided ransomware for attacks on Toll Group in Australia as well as Equinix, UCSF, and Michigan State University in the US
  • REvil/Sodinokibi – provided ransomware for attacks on Britain’s Travelex, as well as airports and local governments in the US
  • Ryuk – the biggest RaaS gang was responsible for almost 33% of all attacks in 2019, including Sopra Steria in Europe and Seyfarth Shaw Law Firm, Universal Health Systems, and several other individual hospitals in the US

Relevant RaaS stats

  • The exponential growth of the international cloud structure has facilitated RaaS attacks
  • The average cost of any ransomware attack scenario is 10 times the amount of ransom paid
  • 2021 has witnessed a huge surge in Ransomware attacks and the attackers are targeting meat producers, healthcare, technology companies, food, energy, and transport
  • Ransomware is projected to dominate the cybercrime landscape, as reports from Unit 42, a digital forensics firm, suggest
  • In 2020, the average ransom payment by organizations increased by 171%, to nearly $300,000