
RaaS - Ransomware as a service

So today the dark web criminal intelligence company DarkTracer (not to be confused with DarkTrace) released a warning that the ransomware gang LockBit has struck again, this time attacking Bangkokair.

Bangkokair has already publicly acknowledged that they were attacked on Monday Aug 23rd. So far the personal data stolen has been identified as:

  • Passenger name
  • Family name
  • Nationality
  • Gender
  • Phone number
  • Email address
  • Other contact information
  • Passport information
  • Historical travel information
  • Partial credit-card information
  • Special meal information

So who are LockBit? The short answer is they are a criminal gang who exploit people. That's it. Ok, go get a cup of tea, we're done here. 

Or you could keep reading, there is a more in-depth explanation coming. The answer is a lot more complicated I'm afraid: they are a gang, and they are not. According to ThreatCards LockBit is malware, yet it's also a gang? The answer is that it's a gang of criminals using a newly emerging bit of tech called RaaS (in this instance called LockBit). RaaS is Ransomware As A Service, like Software As A Service (SaaS) but without the nice fluffiness. Here is where the problem lies: the gang behind LockBit could be changing, evolving etc. The people running the RaaS, called the authors, are hired by criminals wishing to attack specific targets; these clients (referred to as affiliates) choose who the victims are and the authors go to it! In this post I thought we would look at RaaS and see how it works. I'm skipping over the basics of how ransomware works; this will be covered in a later discussion.

Let's start at the beginning

So before we start let's look at the business models used by RaaS and their authors. The basic model is the same throughout but the payment and management methods differ slightly; the affiliates do not own nor control the ransomware/malware and have had no part in creating it.

Here are the basic payment and management models: 

  • Percentage-based fee: The affiliate pays the creator of the malware being deployed to victims' machines a percentage of any payout that is received. The downside being if no one bites, the author gets nothing back.
  • Fixed fee: The affiliate pays the author a fixed amount regardless of payout. The downside being if they hit a large company and the company pays millions, the author doesn't see any of the benefit.
  • Fully managed: The author sets up the deployment of the payload (malware) to the target network, handles the anonymous communications between victim and affiliate and handles the payment. The advantage of this to the affiliate is that they require very little technical knowledge to undertake an attack safely; the advantage to the author is that they can charge extra for this service, or in the case of a percentage fee they have full visibility of the ransom being paid.
  • Partially managed: The author is responsible for writing the code for the malware and running the initial deployment, then hands over operational responsibility to the affiliate; the affiliate handles communications and payment. This is usually the model best suited to a fixed fee.

Understanding ransomware itself and a breakdown of how it works is another post, like I mentioned (perhaps my next one!). The basic stages are however below:

  1. Development of malware
  2. Target Selection
  3. Research (including pen-testing, social engineering etc) 
  4. Deployment of Ransomware
  5. Declaration including setting up communications channel
  6. Communication between victim and attacker 
  7. Payment of funds. 

That is basically it. Where RaaS sits in all this is that it takes care of steps 1 through 4, or even 1 through 6!

Easy Money

As a criminal out to make money with little or no technical skills (a lot of cyber criminals can't program, and are not Bash gods!) RaaS offers up a fantastic opportunity for those willing to take the risk of using someone else's platform, often not knowing anything about who is behind the ransomware or their technical abilities. This is similar in a way to how the early hackers started out: instead of learning how to hack by understanding and learning about system structures, coding and social engineering, they would just use a simple script someone else had taken the time and skill to write, test and perfect, to their own advantage. We called them (and still do to my knowledge) script kiddies. So are ransomware gangs who use RaaS just script kiddies?

Not quite, there is a massive financial driving force behind criminal gangs who decide to use RaaS, whereas script kiddies are usually only doing it to find a vulnerability specific to a target. Another reason why these are simply not just a new form of 'cloud' script kiddies is to do with resources.

Like SaaS, RaaS has another advantage: resources. A company who uses SaaS does not need to employ a software engineer to write code, nor a sysadmin to maintain servers, nor do they need to buy, maintain and run those servers; they just need to pay a subscription, which is why people use SaaS. In the classical ransomware sense an attacker would either hire someone or already know how to develop malware, and there would also be a need for some kind of infrastructure. This could range from servers to remote botnets which would need to be maintained, an instruction server created, Tor sites used and bitcoin wallets managed, all of which needed to be done carefully so as not to expose yourself digitally to the authorities. You can now see why the budding cyber criminal would choose to use RaaS instead of writing their own: not only does it negate the need for skill but it also negates risk.

So that is RaaS in a nutshell. We can expect to see growth in the use of RaaS over the coming years as more and more development in detection and prevention comes along, and authorities crack down harder on gangs.