Reveton ransomware came to light in 2012 and is considered the first Ransomware-as-a-Service (RaaS) operation. Since then, RaaS has enabled gangs with only basic technical knowledge to launch attacks at scale. Today, almost anyone can run a highly successful malware campaign.
We now see RaaS outfits with organisational capabilities that rival the most professional Software-as-a-Service (SaaS) brands. But has RaaS become too large? The factors that triggered the rise of the niche may cause its decline.
Let's look at the rise -- and potential fall -- of Ransomware-as-a-Service. Since Reveton, the world has never been the same.
RaaS Takes Root in Reveton
Reveton displayed fake law enforcement messages on infected computers. The intruders posed as officers from the FBI and other police agencies and demanded that victims pay fines. They intimidated victims by threatening jail time for downloading pirated content and child pornography.
According to reports, Reveton actors raked in around $400,000 from victims each month. Reveton was unusual for its time because it was localised: the message appeared to come from a local law enforcement agency.
Reveton exploit packs were hosted on fake and hijacked websites. When a user clicked a malicious URL, the Reveton loader checked the device for exploitable plugins and exploited CVE-2012-1723.
The malware also contained info stealers that targeted password managers to steal credentials. Phishing campaigns also distributed the malicious URLs. Reveton eventually evolved to target mobile devices through fake app downloads.
Ransomware-as-a-Service is Born
Reveton's distribution techniques were sophisticated. The malware's command-and-control traffic was routed through reverse proxies spread across many servers around the world. Reveton repeatedly released new features and new variations on its ransom demands. It was also among the first malware families to demand payment in bitcoin.
The most notable feature of Reveton was that it offered its malware packages to third parties. Since Reveton launched, other RaaS organisations have emerged, putting the tools needed to launch a ransomware attack within reach of many more actors. In all likelihood, RaaS is a major factor in the continuing rise in ransomware incidents. In 2021 there were more than 623 million ransomware attacks across the globe.
Just Like SaaS Brands
Ransomware-as-a-Service is a product of the larger ransomware phenomenon, and the economics behind it are startling. The average ransom payment in 2021 was $812,000, compared to $170,000 the previous year. In 2021, the total damage caused by ransomware worldwide reached 20 billion dollars.
RaaS has also been instrumental in launching a broader Malware-as-a-Service (MaaS) trend. Like their SaaS counterparts, MaaS businesses may have attractive websites and periodic newsletters that showcase the latest features and updates. Certain MaaS brands run their own marketing campaigns, including video tutorials and white papers along with Twitter and Facebook accounts.
RaaS users can choose from a variety of subscription tiers, such as Professional, Basic and Enterprise. They may also be charged a percentage of every successful attack. Traditionally, signing up for Malware-as-a-Service required a referral or access to encrypted messaging or dark web forums. In contrast, newer providers require only an email address to create an account that can be reached at an ordinary web address.
Too Much of a Bad Thing?
The problem with a successful brand is that it draws attention, so the more popular Malware-as-a-Service brands tend to attract law enforcement. When attacks are high-profile or involve critical infrastructure, federal and international authorities become involved. The takedown of the infamous REvil ransomware group is one example.
As a RaaS operation grows, its infrastructure grows with it. That is a problem in turn, because the attacker's own attack surface expands, raising the likelihood of detection and of disruption through law enforcement takedowns. In the end, RaaS operators have to spend more on redundancy and infrastructure, which reduces profits and the resources available for development and innovation.
New Fluid, Brandless Approach
In response to these pressures, certain ransomware actors are adopting more agile, low-profile strategies. For instance, the Russian-speaking ransomware group Vice Society uses an evolving array of tools, including multiple ransomware variants. "Vice Society actors do not use a ransomware variant of unique origin," according to a joint advisory from the FBI and CISA.
In light of this increased law enforcement scrutiny, demand for RaaS is slowing. Vice Society appears to have bought malware off the shelf instead of enrolling in a RaaS subscription. Ransomware affiliates are becoming fluid in their use of RaaS kits. They may even build their own tooling from leaked source code, such as the leaked Hello Kitty or Conti source code.
Are Smaller Targets Safer?
The other side of this shift away from the most prominent RaaS brands is a move toward smaller targets. Instead of going after big corporations or infrastructure such as Colonial Pipeline, most attackers are now targeting smaller organisations. Vice Society, for instance, favours attacks on colleges and schools, a far cry from pipeline-sized targets. Although ransomware is a risk for businesses of all sizes, companies with fewer than 1,000 employees are more susceptible.
In an unusual interview an REvil-related threat actor stated, "You can hit the jackpot once, but if you provoke the geopolitical tension to such an extent that you'll be found quickly. It is best to receive small, steady amounts from companies of a mid-sized size."
Effective Ransomware Prevention
The CISA Ransomware Guide offers extensive guidance on reducing the threat. Some of its high-level recommendations include:
- Create offline backups of your data.
- Make sure all backups are secure, immutable, and cover your entire data infrastructure.
- Check the security policies of third-party vendors.
- Create allow-listing policies for programs and remote access that permit systems to run only known and authorized programs, in accordance with an existing security plan.
- Document and monitor remote connections.
- Develop a recovery strategy that keeps and maintains multiple copies of proprietary or sensitive servers and files in a physically separate, segmented and secure location (i.e. a storage device, hard drive and cloud).

CISA also suggests the use of identity and access management (IAM). This can include cloud-based, automated and on-premises tools for identity governance. IAM can manage both employee and consumer identities and access, and provides control over privileged accounts.
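The backup recommendations above can be made checkable. The following Python script is an added example, not code from the article or from CISA: it writes a SHA-256 manifest for a backup set, then compares the set against that manifest later to report files that were altered, went missing or appeared unexpectedly, which is what a reachable backup looks like after an encryption pass. The directory layout, file contents and the damage applied to the copy are all constructed for the demonstration.

```python
"""Backup manifest creation and verification (added example, not part of the
original article). A SHA-256 manifest is written for a backup set; a later
verification pass reports files that went missing, were altered, or are not
in the manifest at all. All paths and file contents are constructed."""

import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 digest of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_root: Path) -> dict:
    """Map each file's path (relative to backup_root) to its digest and size."""
    manifest = {}
    for path in sorted(backup_root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(backup_root).as_posix()
            manifest[rel] = {"sha256": sha256_file(path), "size": path.stat().st_size}
    return manifest


def verify_backup(backup_root: Path, manifest: dict) -> dict:
    """Compare the backup set on disk against a trusted manifest.

    Returns three lists: files whose digest changed, files that disappeared,
    and files not present in the manifest (for example renamed copies or a
    dropped note). All three empty means the backup is intact.
    """
    current = build_manifest(backup_root)
    modified = [p for p in manifest
                if p in current and current[p]["sha256"] != manifest[p]["sha256"]]
    missing = [p for p in manifest if p not in current]
    unexpected = [p for p in current if p not in manifest]
    return {"modified": modified, "missing": missing, "unexpected": unexpected}


def demo() -> dict:
    """Create a constructed backup set, record its manifest, apply damage of the
    kind the guide warns about, and return the verification report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "backup"
        (root / "db").mkdir(parents=True)
        (root / "db" / "customers.sql").write_bytes(
            b"INSERT INTO customers VALUES (1, 'alice');\n")  # constructed content
        (root / "config.yaml").write_text("retention_days: 30\n")  # constructed
        (root / "notes.txt").write_text("constructed sample file\n")

        # In practice the manifest lives on an offline or immutable medium,
        # separate from the backup data, so a compromised backup host cannot
        # rewrite it. Here it is simply serialised to a string.
        manifest_json = json.dumps(build_manifest(root))

        # Constructed damage: one file overwritten in place, one renamed,
        # and one unexpected file added to the set.
        (root / "config.yaml").write_bytes(os.urandom(64))
        (root / "db" / "customers.sql").rename(root / "db" / "customers.sql.locked")
        (root / "README_RESTORE.txt").write_text("constructed placeholder note\n")

        return verify_backup(root, json.loads(manifest_json))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep the manifest on a medium the backup host cannot write to, which is the immutable copy the guide calls for; a verification pass that reports modified or missing files before a restore tells you that copy can no longer be trusted and that the next, separately stored copy should be used instead.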
Reveton gave way to a wide range of security threats, and ransomware won't disappear in the near future. The best approach is to be prepared for any threat.