The latest high-profile ransomware attack on food supply giant JBS in the US, soon after the Colonial Pipeline attack, indicates that such attacks are increasing in both scale and frequency. Ransomware as a Service (RaaS) is a subscription-based model in which prospective cyber criminals use already developed software to execute ransomware attacks. Payment takes the form of a flat fee or a percentage of the ransom. Cyber criminals who want to extort but lack the expertise or time can quickly and easily carry out ransomware attacks using this model.
Research shows that two out of three ransomware attacks are now executed using this kind of service. The average ransomware payment in the US in the third quarter of 2020 was $233,817, up 31% from the second quarter. The much-publicised 2021 attacks saw Colonial Pipeline pay a $4.4 million ransom to a Russia-based group; about half of this has since been recovered by the US government. JBS paid a staggering $11 million ransom.
Many of the ransomware groups are based in Russia or Eastern Europe. These governments turn a blind eye to this criminal activity as long as the victims are outside their borders. The ransom is paid in cryptocurrency, making it untraceable.
The most notorious platform is Satan RaaS, which users access through a hidden website on the dark web using the Tor browser. The attacker distributes the malware through phishing emails with malicious attachments. Victims pay in Bitcoin, which is credited to the RaaS user's account. The platform takes 30% of the ransom as payment for its services.
A cybercrime group called Circus Spider, believed to be of Russian origin, created the NetWalker ransomware. It not only encrypts data but also threatens to publicly release sensitive information. In March 2020 NetWalker became a RaaS tool, and the Circus Spider group started looking for members who could speak Russian and had red-team experience. (Red teams are offensive security professionals who are experts in attacking systems and breaking through defences.) Affiliates propagate the malware and receive a percentage of the ransom. COVID-19-themed phishing emails have been used extensively.
The Eastern Europe-based cyber crime gang DarkSide operates as a RaaS platform and is believed to be behind the Colonial Pipeline cyber attack. Since its launch in August 2020, the creators and their affiliates have been on a global crime spree. Profit is shared between the creators and the affiliates who provide access to companies and deploy the ransomware. They claim to be “apolitical” and not to participate in geopolitics.
The RaaS model is booming and is expected to keep growing as long as companies continue to pay ransoms. The phenomenon has led to the emergence of ransomware negotiators, and Western nations are putting pressure on the countries that condone such criminal activity.
Employees working from home increase a company’s exposure to such attacks. This is a major risk to businesses, which would be well advised to bolster their cyber security against this corporate warfare.
By Faeeza Khan
What security measures does your organisation have in place to protect against attacks?