Ransomware has become a formidable enterprise threat, and researchers suggest that it could allow malicious actors to leverage the growing ransomware-as-a-service (RaaS) to cause irreparable damage to organizations.
There are numerous ransomware families causing havoc these days, including CryptoWall, Locky, TeslaCrypt, and others–but the rise of the RaaS model should be more worrisome to organizations, Imperva’s researchers reveal. This model brings benefits to both the ransomware author and the distributor, while allowing both of them to remain hidden.
RaaS involves a classic “affiliate” distribution model that allows malware authors stay in their comfort zone, while distributors take over the infection chain by leveraging their existing platforms. Supposedly created by Dridex authors, Locky is an example of ransomware being distributed through an existing, well-established botnet.
In RaaS, the ransomware author receives a small cut of the funds, somewhere between 5 and 25 percent, while the rest of the money goes to the distributor (affiliate). By using anonymous Bitcoin addresses, and the TOR network, both the author and distributor ensure they receive their cut while staying hidden from law enforcement agencies, researchers explain.
What spells bad news for enterprises is the fact that malicious insiders could use RaaS to strike targeted blows within an organization’s network. By exploiting their inside information on the organization’s unstructured data, as well as knowledge of where sensitive data is located, along with their permissions, insiders could encrypt the company’s most valuable data and cause irreparable damage.
What’s more, because they know how much the organization values the encrypted data, these insiders can more accurately estimate how much the company is willing to pay to decrypt it. Since the main motivation for a malicious insider is financial, the use of RaaS to conduct such an attack is simple, safe, and profitable.
There are at least four RaaS malware families known today, each allowing distributors to apply specific customizations. The first is Tox, a pioneer in the field that was first identified in mid-2015, and which was sold to a distributor after the author successfully infected around 1,000 computers. In July 2015, another RaaS called Encryptor emerged, and it is still up and running.
In November 2015, the Cryptolocker RaaS appeared, with its author asking for a 50 USD fee from the distributor to get the basic ransomware. In early 2016, researchers at Emsisoft warned about the rise of another RaaS, Ransom32, the first ransomware written in JavaScript, which made it easily adaptable to different operating systems.
“Future RaaS customizable parameters might be more specific and include business- related information such as what are the valuable network shares of interest or even relevant credentials. It is conceivable that a malicious insider could use RaaS to extort his organization and cause irreparable damage,” the researchers say.