Ransomware-as-a-service: The Business CaseNovember 22, 2016
It can be tempting to dismiss cybercriminal activity as merely the workings of opportunistic actors looking to make a fast buck. While sometimes true, we should remember that cybercriminal operations can be highly sophisticated endeavors often backed by sound business logic and based upon established practices implemented by legitimate businesses. The rise of malware-as-a-service offerings is testament to this, with cybercriminals realizing that there are great profits to be made from providing their services to actors with less technical capabilities.
One particular business model – ransomware-as-a-service (RaaS) – has been on the rise over the past 12 months. These services allow ransomware operators to rent out their variants to customers, who will spread the malware in return for a percentage of the profits. In July the cybercriminal group Janus announced that the Petya and Mischa ransomware variants were available for rent, while in August the Shark Ransomware Project was launched, allegedly allowing customers to create their own customizable malware with the operators accruing 20 percent of the profits. Recent reports have suggested that the Cerber RaaS offering had takings of over $200 million USD per month, which serves to underscore the immense profitability of this model.
At Digital Shadows we try to take an attacker’s-perspective in order to identify the most pertinent threats facing our clients. By the same token, we can use this approach to better understand the rise of RaaS.
So what’s the business case? What is immediately obvious is that RaaS allows the ransomware operator to dramatically increase the number of infections and scale of targeting in ways that could not be achieved if they operated the ransomware themselves. Traditional ransomware variants rely on a distribution network of only a handful of campaigns; Cerber, on the other hand, reportedly currently runs over 160 active campaigns, infecting nearly 150,000 victims with a profit of $195,000 in July 2016 alone. Sounds good, but what are the hidden costs and weaknesses of this model, and what threats and opportunities can we forecast? By using a SWOT analysis we can go some way to understanding some of the considerations that cybercriminals have to take into account:
Figure 1: SWOT analysis of RaaS business model
What becomes clear is that successful RaaS offerings rely on their owners treating their operations like a legitimate business. This means building up a strong reputation, marketing your service effectively across underground forums, providing a level of customer service for your users, and dealing with issues of liability. Another interesting consequence of the need to legitimize these businesses is that cybercriminals have begun to move away from the relative obscurity of the dark web in order to market their services. The Shark Ransomware Project (Figure 2) was hosted on the deep web (i.e. not indexed by traditional search engines) rather than on the dark web, while the Janus group use Twitter as a means of advertising and engaging with customers of their Petya and Mischa offerings (see Figure 3).
Figure 2: Shark Ransomware Project homepage
Figure 3: “Your call is very important to us. Please stay on the line.”
These business models are by no means unique or coincidental to ransomware. Many other groups offer tools such as malware customizers and simple point-and-click distributed denial-of-service (DDoS) solutions that offer botnets for hire. This transition also mirrors developments in the software industry in the late 2000s when software-as-a-service (SaaS) and platform-as-a-service (PaaS) products became ubiquitous.
This parallel can also help us forecast the ways in which these newer cybercriminal marketplaces will develop. The shift to SaaS and PaaS generally resulted in an increase in the quality of products as competition intensified. Likewise, it is likely that as more RaaS offerings come onto the market operators will not only have to improve the quality of their ransomware variants, but will also have to focus on refining the user-experience and customer service elements of their businesses. As competition increases, the less effective RaaS products will likely disappear, while those with the best reputation will consolidate their place in the market. The Shark Ransomware Project, for example, was forced to undergo a complete re-branding exercise after reports that the service’s creator was keeping all the profits severely damaged its reputation. Re-launched as the Atom Ransomware Affiliate Program (AKA AtomProject), the operators sought to drive home the improved usability features of the service, which included a new GUI interface for easier customization, unlike the older Shark predecessor which used a command line interface (see Figure 4 and Figure 5).
Figure 4: Atom Ransomware Affiliate Program advertised on criminal location
Figure 5: AtomProject marketer emphasizes the new interface and easier to use payload builder
 CheckPoint, CerberRing: An In-Depth Expose on Cerber Ransomware-as-a-Service, 15 Aug 2016