Security Experts:

Connect with us

Hi, what are you looking for?



Malicious Insiders Could Tap Ransomware-as-a-Service for Profit

Ransomware has become a formidable enterprise threat, and researchers suggest that it could allow malicious actors to leverage the growing ransomware-as-a-service (RaaS) to cause irreparable damage to organizations.

Ransomware has become a formidable enterprise threat, and researchers suggest that it could allow malicious actors to leverage the growing ransomware-as-a-service (RaaS) to cause irreparable damage to organizations.

There are numerous ransomware families causing havoc these days, including CryptoWall, Locky, TeslaCrypt, and others–but the rise of the RaaS model should be more worrisome to organizations, Imperva’s researchers reveal. This model brings benefits to both the ransomware author and the distributor, while allowing both of them to remain hidden.

RaaS involves a classic “affiliate” distribution model that allows malware authors stay in their comfort zone, while distributors take over the infection chain by leveraging their existing platforms. Supposedly created by Dridex authors, Locky is an example of ransomware being distributed through an existing, well-established botnet.

In RaaS, the ransomware author receives a small cut of the funds, somewhere between 5 and 25 percent, while the rest of the money goes to the distributor (affiliate). By using anonymous Bitcoin addresses, and the TOR network, both the author and distributor ensure they receive their cut while staying hidden from law enforcement agencies, researchers explain.

What spells bad news for enterprises is the fact that malicious insiders could use RaaS to strike targeted blows within an organization’s network. By exploiting their inside information on the organization’s unstructured data, as well as knowledge of where sensitive data is located, along with their permissions, insiders could encrypt the company’s most valuable data and cause irreparable damage.

What’s more, because they know how much the organization values the encrypted data, these insiders can more accurately estimate how much the company is willing to pay to decrypt it. Since the main motivation for a malicious insider is financial, the use of RaaS to conduct such an attack is simple, safe, and profitable.

There are at least four RaaS malware families known today, each allowing distributors to apply specific customizations. The first is Tox, a pioneer in the field that was first identified in mid-2015, and which was sold to a distributor after the author successfully infected around 1,000 computers. In July 2015, another RaaS called Encryptor emerged, and it is still up and running.

In November 2015, the Cryptolocker RaaS appeared, with its author asking for a 50 USD fee from the distributor to get the basic ransomware. In early 2016, researchers at Emsisoft warned about the rise of another RaaS, Ransom32, the first ransomware written in JavaScript, which made it easily adaptable to different operating systems.

“Future RaaS customizable parameters might be more specific and include business- related information such as what are the valuable network shares of interest or even relevant credentials. It is conceivable that a malicious insider could use RaaS to extort his organization and cause irreparable damage,” the researchers say.

Related: Ransomware: A Formidable Enterprise Threat

Related: It’s Official, Ransomware Has Gone Corporate

Written By

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.