Cybersecurity Talking Points: Rise of Ransomware as a Service (RaaS)

A few years ago we realized Hostile Cyber Actors* were setting up shop just like a Fortune 500 company, complete with HR, employee benefits like health insurance, policy and procedure, and positions with job descriptions. This was a key indicator and warning that cybercrime was no longer a dark-alley tactic used by a lone-wolf computer hacker looking to steal from targets of opportunity. Cybercrime was now going to be about profit margins and targeting vertical markets with the best opportunity for success.

Being a criminal is a life full of risk. Take, for instance, a criminal organization in the illegal drug trade. The production, transportation, and sale all require people handling and moving the illegal drugs. Organizational risk goes up as the desire to make bigger profits goes up. More money means moving more product. Moving more product means more people involved. More people involved increases your risk of exposure to law enforcement or to a rival that wants to take it all from you. The risk compounds with the size of the organization. Not good for the bottom line.

Cybercrime removes a lot of the risk associated with a life of crime. Criminal organizations are quick to see the lower-risk, instant-payoff advantage of cybercrime. As a cybercriminal you don’t have to meet your buyer face to face. As long as there is a way to transfer payment that protects both the seller and the buyer (and there are websites that provide criminals with escrow services), cybercriminals can meet on any dark corner of the Internet and trade their goods. The evidence is mounting that criminal organizations are transitioning or diversifying into cybercrime.

Cybercrime is a modern-day bonanza of sorts. With minimal tools and technology skills, anyone can get into the business of cyber extortion. In a bonanza there are essentially two types of people: those that try to get rich and those that do. A greater guarantee of profit can be found in selling the tools needed to do the cyber extortion. For example, during the California gold rush Levi Strauss sold rugged denim work wear to the miners. In doing so, Mr. Strauss became both a rich man and a household name. Fast forward to 2017, and some entrepreneurial Hostile Cyber Actors are following the example of Levi Strauss.

Towards the end of February 2017, a variant of ransomware (the computer virus that locks you out of your data until you pay a ransom to unlock it) called Unlock26 was released into the wild at about the same time as a Ransomware as a Service (RaaS) web portal came online. The information on the portal is direct and to the point: pay for the malware, here is how you configure it, and here is an example of how to use it. The good news is the code doesn’t look finished and has some errors in it. This suggests it was found in the development stage, and the discovery may help reduce the impact this ransomware might otherwise have had.

Unfortunately, this is not the first RaaS offering to show up on the Internet. In June of 2016, security researchers disclosed the existence of a RaaS using the affiliate business sales model. The goal of the sites was to give the novice cybercriminal with little to no computer skills access to the malicious code necessary to conduct cyber extortion. The dark corners of the Internet will always have places where a Hostile Cyber Actor can buy or sell malicious code that requires some advanced skills to use. The RaaS model is dangerously different.

This is a crossroads similar to when Internet companies made it easy to make and host your own website. The creation of easy-to-use technology removed barriers to entry and resulted in explosive growth of the Internet. How will the removal of technology barriers change the game in cybercrime? In the case of the affiliate sales model discovered in June of 2016, the estimated profit was 13 times the average income for Russia, where the affiliate cybercrime sales sites were hosted and were targeting new users.

Where will this go from here? The problem is clear: as more people and devices are added to the Internet, the size of the cybercriminal problem grows as well. New vulnerabilities are constantly emerging, so cybercriminals can always find new ways to steal. The best guidance is to beware of fancy buzzwords and not-ready-for-prime-time technology cut out of the pages of science fiction. Good cybersecurity is a product of hard work from dedicated, innovative-thinking individuals working as part of a larger team that has experience dealing with complex and ever-changing threats.

Protocol 46 is built on that principle. Our hand-selected cyber team is made up of over 80% U.S. Military Veterans. Our team-of-teams concept brings unmatched experience in cyber security, intelligence, criminal organizations, asymmetrical warfare, technology, and more to ensure the security of our clients.

*Protocol 46 uses the term Hostile Cyber Actor to describe a computer hacker that is using their skills and knowledge for illegal, illicit, or harmful actions. This is to draw attention to the bad and away from the good. The term Hacker was first created to describe an individual working on solving a technology problem in a different or creative way. The benign root meaning of the word was expanded to refer to individuals using or being destructive with technology. Contemporary culture has seen a rise in Hackathons, Hacker Spaces, and Hour of Hacking events which all embrace the origin of the term and serve to improve our quality of life.

Post by Remote Process