Ransomware has already proven to be a lucrative activity for cybercriminal actors. A 2017 study found that ransomware victims had paid more than $25 million in ransoms over the past two years, a significant amount of money that is likely to entice many other would-be criminals to seek a share of the earnings.
As ransomware continues to gain notoriety, cybercriminals are looking for more ways to get the most out of the malware that they develop. Similarly, other bad actors who may lack the necessary skills to develop malware themselves are looking for a way to get in on the action. This has led to an increase in ransomware-as-a-service (RaaS), a practice in which cybercriminals put their ransomware up for sale to be purchased and used by other criminals who are technically unable to develop their own variants.
The cost of RaaS varies. In 2016, criminals released the ransomware variant Stampado on the Dark Web for a mere $39, one of the first widespread and cost-effective instances of RaaS. This price tag not only let would-be hackers purchase the ransomware at an exceedingly low cost, but also included a lifetime license, essentially enabling anyone with $39 to instantly become a hacker for life if they wished.
Other RaaS offerings charge no upfront fee, opting instead to take a percentage of whatever ransom the malware receives when it is put into action. The customer only has to provide the means of distribution, and the creator behind the ransomware gets their cut. This approach can be highly lucrative: as of late 2016, the notable RaaS operation Cerber was estimated to be earning $200,000 a month.
As this practice has grown widespread, criminals are taking a more aggressive approach to marketing their offerings. While previously you could only find RaaS on the Dark Web, attackers are now more brazen about promoting their products out in the open. The same criminals behind Stampado, for example, recently used mainstream marketing tactics, including professionally produced video advertisements and a heavily designed website, to promote their latest RaaS offering. This aggressive marketing further highlights how widespread this approach to ransomware is becoming.
So who is buying these RaaS offerings? Most often, the interested parties are customers of the spam industry, known mostly for distributing unwanted emails about products for sale, who lack the technical expertise to develop malware of their own. While these types of spam emails can be fairly lucrative, they do not carry the same level of sophistication or demand the same premium as more advanced, legitimate malware. RaaS puts these criminals in contact with the people capable of developing evasive and destructive malware, significantly heightening the potential impact, and payout, of the criminals' activity.
As a result of this increase in RaaS, law enforcement has begun to crack down more significantly on perpetrators of the service. In December 2017, five people were arrested in Romania under accusations of spreading the Cerber and CTB-Locker ransomware variants to mostly U.S.-based victims. The five hackers rented the ransomware and kept 70% of the profits; the other 30% went to the RaaS portal as payment for the rental.
Despite the potential risks, the RaaS scheme remains highly attractive to criminal gangs and lone wolves with limited skills alike. The more high-profile ransomware attacks occur, the more likely we are to see would-be attackers with limited skills take advantage of these offerings, while malware authors continue to share their products to maximize their potential income. In the wake of the highly prominent WannaCry and NotPetya attacks in 2017, we can expect the RaaS trend to gain even more steam in 2018 as hackers look to get in on the action.