Ransomware as a Service

For decades, cyber criminals have been developing malware with the main purpose of extorting money out of people and organisations. The latest development within this fast-growing scene is the arrival of ransomware as a service, or abbreviated as RaaS.


Before we get into the subject topic, let’s take a step back and look at what ransomware actually is. In a nutshell, ransomware is a type of malware that infects a computer system once its code is executed. The most common route is the user clicking on what looks like a legitimate link, which instead initiates the download of a malicious file. Once the file is executed, the malware covertly installs itself and encrypts the user’s files. On completion the user is told that the only way to retrieve their files is to pay a ransom for the decryption key. The targets of ransomware range from Word documents and picture files to the MFT (Master File Table) or even the entire hard drive. Ransom demands typically start at around $300, and the ceiling depends on the individual victim, sometimes with a time limit before the price is raised or the chance to pay is withdrawn completely.

Ransomware has been around since the early 90s, but only in recent years has it come to people’s attention. In late 2013, a ransomware variant named CryptoLocker stormed the internet, extracting well over $27 million from infected users (Bitdefender, 2014). CryptoLocker was one of the first major ransomware operations to adopt the Bitcoin digital currency to collect ransom payments, which added to the difficulty of tracking the cyber criminals operating the malware.

One of the highest-grossing and most sophisticated ransomware variants to date, CryptoWall, has brought in a staggering $325 million in profits for the groups deploying it (Vijayan, 2015).


As-a-Service


In recent months, a new kind of ransomware offering has appeared that is designed for the less technically able: it is user-friendly to the point that anyone with little knowledge can obtain and deploy it to make a profit. This is known as Ransomware-as-a-Service (RaaS). RaaS works by creating and launching a campaign that advertises positions in the campaign, known as agents. An agent signs up, enters a handful of details and downloads a custom build of the ransomware that is linked to that agent. All the agent then has to do is start infecting other computer systems and wait for the affected end users to pay the ransom to retrieve their information.

By making software that is free and easy for others to deploy, the creator of a RaaS platform can hope to take a cut of the ransoms from a large number of infections spread by many agents. Those agents, with little investment of skill, time or money, stand only to gain from their large percentage of the ransoms paid.

One of the more recent RaaS variants, named Shark, was seen in early August and targets an even less tech-savvy base of distributors: this strain applies FUD (Fully Undetectable) polymorphic encryption to the malicious file itself, giving it a much higher execution rate than variants that require the distributor to handle the file encryption themselves. RaaS operations typically host their files on the anonymous Tor network, mostly because it is perceived to offer anonymity. Such networks are more private and secure, but they are not readily available to more casual internet users, as they require dedicated software and a small amount of know-how to access. Shark took a different approach: it was hosted on a public WordPress site accessible to the internet at large, massively extending its audience and resulting in much higher agent activity for the service. With both of these additions, Shark has set a dangerous milestone for RaaS that others will be sure to follow.

All in all, it’s a win-win for both the skilled hackers and their script kiddie agents.


How to protect yourself


Now that we have discussed what ransomware is and the disastrous effects it can have, let’s finish with a discussion of how best to protect yourself from such a threat. Let’s start with the computer system itself. Having some form of anti-virus software installed is a must; it will safeguard your computer against malicious files being executed on the system. However, this is only effective if the security software’s virus signature database is updated regularly, ideally at least daily. With in excess of a million new malware variants being developed and released on the internet every day (Trendmicro, 2016), running with an old set of virus signatures is almost as bad as having no protection at all.

This also applies to all the software on your system, including the operating system, the browser and all of the plug-ins that modern browsers typically use. One of the most common infection vectors is a malicious exploit that leverages a software vulnerability. Keeping software up to date minimises the likelihood that your system has an exposed vulnerability.

A new and fast-growing development in preventing the ransomware threat is a class of software utility known as anti-ransomware. Anti-ransomware monitors activity on the computer, identifies actions that are typical of ransomware, blocks the infection and quarantines the ransomware before it has a chance to encrypt the user’s files. Malwarebytes has released an anti-ransomware package, a completely proactive and signature-less technology that is able to detect and block even the most dangerous ransomware variants such as CryptoLocker, CryptoWall4 and CTB-Locker.
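As an added illustration of the behaviour-based approach described above (example code written for this page, not Malwarebytes’ product or any vendor’s code), here is a small Python detector that flags a burst of high-entropy or suspiciously renamed file writes inside a short time window, while letting a single legitimate high-entropy save (a zip archive) pass. The event stream, the `.locked` suffix list and the thresholds are constructed assumptions.

```python
import hashlib
import math
from collections import Counter, deque

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for ciphertext or compressed data, ~4-5 for plain text."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

SUSPECT_SUFFIXES = (".locked", ".encrypted")  # hypothetical list, not exhaustive
def is_suspicious_write(path: str, data: bytes, threshold: float = 7.0) -> bool:
    # A single write is a weak signal: saving a zip or jpg is also high-entropy.
    return shannon_entropy(data) >= threshold or path.endswith(SUSPECT_SUFFIXES)

class BurstDetector:
    """Alert once >= burst_threshold suspicious writes land inside window_seconds."""
    def __init__(self, window_seconds: float = 10.0, burst_threshold: int = 5):
        self.window, self.threshold = window_seconds, burst_threshold
        self.recent = deque()  # timestamps of recent suspicious writes

    def observe(self, ts: float, path: str, data: bytes) -> bool:
        if not is_suspicious_write(path, data):
            return False
        self.recent.append(ts)
        while ts - self.recent[0] > self.window:  # drop writes outside the window
            self.recent.popleft()
        return len(self.recent) >= self.threshold

def first_alert(events):
    """Path of the first write that trips the detector, or None if nothing fires."""
    detector = BurstDetector()
    return next((p for ts, p, d in events if detector.observe(ts, p, d)), None)

def fake_ciphertext(seed: bytes, length: int = 4096) -> bytes:
    """Constructed stand-in for encrypted output: a deterministic SHA-256 chain."""
    out, block = bytearray(), seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:length])

# Constructed event stream (seconds, path, bytes written): two ordinary text edits, one
# legitimate archive save (high entropy, but alone), then six documents rewritten under
# a new extension within a few seconds, the pattern a ransomware run produces.
NOTES = b"Meeting notes: discuss Q3 budget and hiring plan.\n" * 80
SAMPLE_EVENTS = [(0.0, "docs/notes.txt", NOTES), (4.0, "docs/report.txt", NOTES),
                 (30.0, "backup/archive.zip", fake_ciphertext(b"zip"))]
SAMPLE_EVENTS += [(60.0 + 0.5 * i, f"docs/{n}.docx.locked", fake_ciphertext(n.encode()))
                  for i, n in enumerate("abcdef")]
```

Running `first_alert(SAMPLE_EVENTS)` fires on the fifth rewritten document, `docs/e.docx.locked`; a real product would also block the offending process at that point rather than merely report it.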

Another popular route for delivering malicious material is email. Having a spam filter in place, with its blacklist database kept constantly up to date, will eliminate the vast majority of harmful emails that would otherwise flood your inbox and goes a long way towards preventing infection.

The next technique does not so much prevent an infection as protect and recover your files should you become infected and your files be encrypted. A bulletproof method for protecting against the loss of your files is to perform regular backups to an isolated device. Regular backups to an external device such as a USB hard drive can be both effortless and effective for protecting and recovering your files, especially sensitive files and files of high importance. If your files are backed up straight away, or on a daily basis, onto an external device, unplugging that device from the computer keeps the copies isolated and protects them (until it is plugged back in) from being encrypted by ransomware.

All of the above will aid you greatly in protecting yourself against ransomware infection. However, the number one factor in prevention and protection is general self-awareness when using the computer. This is the first and most important layer of security anyone can have. By this I mean avoid clicking on pop-up advertisements, don’t visit areas of the internet you know you shouldn’t, use legitimate sources and, above all, stay away from any illegal activities. Follow your gut instinct: if something doesn’t look right, seems too good to be true or doesn’t feel right, stay away. Simple.

In the unfortunate event that you do become infected by ransomware, Kaspersky Labs is a good place to start, as it offers a variety of decryptor tools. However, these only apply to lower-end ransomware, which is the less likely case; the more sophisticated variants are not reversible. If decryption with a free tool is not possible and there is no other way to retrieve your files, the choice of whether to pay the ransom is yours to make.


References

  • Bitdefender Labs (2014). On Cryptolocker and the Commercial Malware Delivery Platform behind It. Available: https://labs.bitdefender.com/2014/07/on-cryptolocker-and-the-commercial-malware-delivery-platform-behind-it/. Last accessed 5 September 2016.
  • Trend Micro (2016). Malware: 1 million new threats emerging daily. Available: http://blog.trendmicro.com/malware-1-million-new-threats-emerging-daily/. Last accessed 5 September 2016.
  • Vijayan, J. (2015). With $325 Million In Extorted Payments CryptoWall 3 Highlights Ransomware Threat. Dark Reading. Available: http://www.darkreading.com/endpoint/with-$325-million-in-extorted-payments-cryptowall-3-highlights-ransomware-threat/d/d-id/1322899. Last accessed 5 September 2016.
