Ransomware as a Service
Similarly to the legitimate business of providing software as a service (SaaS) online, the ransomware industry has developed a sophisticated cloud-based distribution system for programmes that can be used in attacks. This structure is now called Ransomware as a Service (RaaS) and is indicative of the business model that drives these hacks.
Just like in the legal business world, criminal entrepreneurs can now access a network of suppliers that make it easy for virtually anyone to become a computer file hostage taker. They even advertise on the dark web in the same way legitimate businesses market their brands on the open web.
In a recent New York Times exposé about the current trends in cyber-hacking with ransomware, it is stated that a “Russian-speaking outfit called DarkSide offered would-be computer crooks not just the tools, but also customer support”. (DarkSide is suspected of being behind the pipeline attack in May 2021.)
Yes, you read that right. Customer support offered to would-be criminal business operators to use ransomware, which is accessible online, for profit.
In the article, based on secret chats between a hacker entrepreneur and a RaaS operator obtained by the publication, it is noted that: “DarkSide’s attack on … Georgia-based Colonial Pipeline, did not just thrust the gang onto the international stage. It also cast a spotlight on a rapidly expanding criminal industry based primarily in Russia that has morphed from a specialty demanding highly sophisticated hacking skills into a conveyor-belt-like process.
“Now, even small-time criminal syndicates and hackers with mediocre computer capabilities can pose a potential national security threat.”
Now let’s think about this for a minute. These days, in the ransomware industry just like in any other business sector, there’s an advertised, branded supplier (DarkSide) that offers clients (cybercriminals and hackers as intermediaries) paid access to online tools (encryption software variants and associated paraphernalia), with instructions and support on how to use everything, all bundled in a neat package.
This level of sophistication unfortunately means that a specific hacking incident becomes difficult to unravel and pin to one person or group, as a Byzantine, multi-level, vertically decentralised network is at play. In other words, the suppliers of the hacking tools make their money from allowing hackers to use the tools, the hackers in turn do the actual hacking, and another outfit may be responsible for collections, with everyone in the channel collecting a slice of the income paid by the victim organisation.
With anonymity woven throughout the fabric of the system, no-one in the network needs to know who anyone else is. There is also no money trail to follow due to the use of inherently anonymous Bitcoin, so the old All the President’s Men adage of “follow the money” simply can’t be applied.
But, in a world first, the American Department of Justice recently managed to seize $2.3 million in cryptocurrency paid to the “ransomware extortionists DarkSide” in the Colonial Pipeline ransomware attack. In this instance, they did manage to follow the money and actually got it back too.
As ransomware attacks are now prevalent and could possibly become more frequent, this topic certainly needs to be debated. Join the UJ Cloudebate™ at 18:00 on 14 July 2021, when a panel of experts will unpack what it all means.