Ransomware: at your service

Find out what Ransomware as a service looks like and how to protect your network from it.



Ransomware is on track to net organized cybercrime more than $1 billion in 2016, not taking downtime and other costs associated with it into account. And according to KnowBe4’s 2016 Ransomware Report, 93 percent of IT professionals surveyed are worried ransomware will continue to grow. 

Most of us know what ransomware is: malware that locks users out of their devices or blocks access to their files (usually by encrypting them) until a ransom of some kind is paid. In the past year, however, we've been hearing more about ransomware-as-a-service (RaaS). What is the difference? Does RaaS require new forms of protection? In this slideshow, KnowBe4's CEO Stu Sjouwerman breaks down what RaaS is, provides examples and offers some best practices to protect your organization.



RaaS is not a new family of ransomware so much as a distribution model: the ransomware is packaged to be user-friendly and easy for criminals with little technical skill to deploy, which is why it has become so popular among cybercriminals.

It piggybacks on the extremely successful software-as-a-service model, with a dark twist. How does it work? Anyone can reach the operators' Tor hidden service, register with a Bitcoin address, then customize and download their own build of the malware. They can run multiple campaigns, each with its own Bitcoin address. The executable is then spread through the usual infection vectors: mass spray-and-pray phishing, targeted spear-phishing, malvertising (poisoned ads that redirect to exploit-kit landing pages, where a drive-by download installs the RaaS executable), manual compromise of Linux servers, or brute-forcing of exposed terminal servers (RDP).

The developers take a cut of every ransom collected (around 25 percent in the simplest offerings), and the rest goes to the criminal affiliate who ran the campaign. Affiliates get a console where they can view statistics and update settings for their personal ransomware campaign.


RaaS in real life—Ransom32

We saw RaaS campaigns in 2015 (TOX, Fakben and Radamant), but they grew in popularity in 2016. In January, thanks to BleepingComputer's reporting, we became aware of a new strain called Ransom32 that was unique: it was written entirely in JavaScript, HTML and CSS, which potentially allowed for multi-platform infections once repackaged for Linux and Mac OS X. Using JavaScript brought us one step closer to the "write-once-infect-all" threat.


RaaS in Real Life—Petya/Mischa

The cyber mafia behind the Petya/Mischa ransomware launched its RaaS offering in late July 2016. It paid "distributors" a share of the ransom extorted from victims on a sliding scale: a distributor who brought in more than 125 bitcoins kept up to 85 percent, while one who collected only 5 bitcoins kept a paltry 25 percent. As BleepingComputer pointed out, this tiered model unfortunately gave distributors a strong incentive to spread the ransomware as widely as possible in pursuit of a bigger payday.


RaaS in real life—Cerber

Cerber, a sophisticated ransomware family, debuted in March of this year. By September it had matured, and a massive, more sophisticated Cerber campaign was being delivered through somewhat unusual phishing emails. Because Cerber is run as a RaaS, users could encounter Cerber campaigns operated by a number of different actors through a variety of attack vectors.

Although Cerber campaigns had been growing for several months, September was marked by several sharp spikes in Cerber activity. The malicious emails were noteworthy for several reasons, including a series of different yet remarkably similar Subject: lines and social engineering hooks. In addition, the lure was a password-protected Word document. Because the document is encrypted, anti-virus engines on the mail gateway cannot inspect its contents (the password the victim needs has to travel with the lure, typically in the email body), and the password prompt lends the user experience an air of extra security, reinforcing the sense among gullible users that the document they were handling was, in fact, safe.
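The password-protected attachment is worth a concrete check. What follows is an added example, not code from the original article or from KnowBe4: a standard-library Python filter that a mail gateway could run over each Word attachment. The key observation is structural: a password-protected .docx or .docm is no longer a zip archive but an OLE compound file whose directory contains EncryptionInfo and EncryptedPackage streams, so the lure can be flagged without knowing the password. An unencrypted OOXML file is classified further by whether it carries a word/vbaProject.bin macro part. The sample message, the example.invalid addresses, the attachment bodies and the build_* helpers are all constructed here so the code runs offline; the labels and the QUARANTINE set are the example's own names, not anything from the page.

```python
import io
import struct
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # [MS-CFB] compound file signature
ZIP_MAGIC = b"PK\x03\x04"                          # unencrypted OOXML (.docx/.docm) is a zip
ENDOFCHAIN, FREESECT, FATSECT = 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFD
QUARANTINE = {"ooxml-encrypted", "ooxml-macro"}    # labels a gateway should hold (example's own)

def _sector(data, n, size):
    # Sector n starts after the 512-byte header, i.e. at offset (n + 1) * size.
    return data[(n + 1) * size:(n + 2) * size]

def ole_stream_names(data):
    """Walk the directory of a compound file and return its storage/stream names.
    Only the 109 DIFAT slots in the header are read, which covers files under ~7 MB."""
    size = 1 << struct.unpack_from("<H", data, 0x1E)[0]
    fat_sectors = struct.unpack_from("<I", data, 0x2C)[0]
    raw_fat = b"".join(_sector(data, struct.unpack_from("<I", data, 0x4C + 4 * i)[0], size)
                       for i in range(min(fat_sectors, 109)))
    fat = struct.unpack("<%dI" % (len(raw_fat) // 4), raw_fat)
    names, seen = [], set()
    sec = struct.unpack_from("<I", data, 0x30)[0]            # first directory sector
    while sec < 0xFFFFFFFA and sec not in seen:             # stop at chain end or a loop
        seen.add(sec)
        block = _sector(data, sec, size)
        for off in range(0, len(block), 128):               # 128-byte directory entries
            nlen = struct.unpack_from("<H", block, off + 64)[0]
            if 2 <= nlen <= 64 and block[off + 66] in (1, 2, 5):   # storage, stream, root
                names.append(block[off:off + nlen - 2].decode("utf-16-le"))
        sec = fat[sec] if sec < len(fat) else ENDOFCHAIN
    return names

def classify_office(data):
    """Label a Word attachment body: ooxml, ooxml-macro, ooxml-encrypted, ole or other."""
    if data.startswith(ZIP_MAGIC):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = set(zf.namelist())
        return "ooxml-macro" if "word/vbaProject.bin" in members else "ooxml"
    if data.startswith(OLE_MAGIC):
        if {"EncryptionInfo", "EncryptedPackage"} <= set(ole_stream_names(data)):
            return "ooxml-encrypted"   # password-protected: the payload is opaque to the scanner
        return "ole"                   # legacy binary .doc; needs its own FIB/macro checks
    return "other"

def flag_attachments(raw_eml):
    """Return [(filename, label)] for every attachment of an RFC 822 message."""
    msg = message_from_bytes(raw_eml, policy=policy.default)
    return [(p.get_filename(), classify_office(p.get_content())) for p in msg.iter_attachments()]

# --- constructed sample inputs (no real malware), so the check runs offline ---

def build_ole(stream_names):
    """Minimal 512-byte-sector compound file whose directory lists up to three streams."""
    size, n = 512, len(stream_names)
    fat = [FATSECT, ENDOFCHAIN] + [ENDOFCHAIN] * n     # sector 0 = FAT, 1 = directory, 2.. = streams
    fat += [FREESECT] * (size // 4 - len(fat))
    hdr = bytearray(size)
    hdr[:8] = OLE_MAGIC
    struct.pack_into("<HHHHH", hdr, 0x18, 0x3E, 3, 0xFFFE, 9, 6)        # v3, little-endian, 512/64-byte sectors
    struct.pack_into("<IIII", hdr, 0x2C, 1, 1, 0, 4096)                 # 1 FAT sector, directory at sector 1
    struct.pack_into("<IIII", hdr, 0x3C, ENDOFCHAIN, 0, ENDOFCHAIN, 0)  # no mini FAT, no extra DIFAT
    struct.pack_into("<109I", hdr, 0x4C, 0, *([FREESECT] * 108))       # DIFAT[0] -> FAT sector 0
    dirsec = bytearray(size)
    for i, (name, typ) in enumerate([("Root Entry", 5)] + [(s, 2) for s in stream_names]):
        raw, base = name.encode("utf-16-le") + b"\x00\x00", i * 128
        dirsec[base:base + len(raw)] = raw
        struct.pack_into("<HBB", dirsec, base + 64, len(raw), typ, 1)             # name length, type, colour
        struct.pack_into("<III", dirsec, base + 68, FREESECT, FREESECT, FREESECT)  # no sibling/child links
        struct.pack_into("<II", dirsec, base + 116, i + 1 if typ == 2 else 0, size if typ == 2 else 0)
    return bytes(hdr) + struct.pack("<%dI" % len(fat), *fat) + bytes(dirsec) + b"\x00" * (size * n)

def build_docx(macro=False):
    """Minimal OOXML zip; macro=True adds the vbaProject.bin part that a .docm carries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()

def build_lure(attachments):
    """A constructed phishing-style message carrying (filename, bytes) attachments."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "billing@example.invalid", "ap@example.invalid", "Invoice attached"
    msg.set_content("The attached document is password protected for your security. Password: 1234")
    for fname, body in attachments:
        msg.add_attachment(body, maintype="application", subtype="octet-stream", filename=fname)
    return msg.as_bytes()

if __name__ == "__main__":
    lure = build_lure([("invoice.docx", build_ole(["EncryptionInfo", "EncryptedPackage"])),
                       ("notes.docx", build_docx())])
    for fname, label in flag_attachments(lure):
        print(fname, label, "QUARANTINE" if label in QUARANTINE else "pass")
```

The OLE walker follows only the 109 DIFAT slots in the file header and ignores the mini stream, which is enough to enumerate the directory of any Word file well under several megabytes; a production gateway would pair it with a full CFB parser and a check of the legacy .doc FIB encryption flag, which this example simply reports as "ole".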


Protecting against RaaS

Ransomware is now so successful and profitable that it has drawn in the largest, best-funded malware mafias, who continue to innovate furiously in an attempt to grab market share from each other.

For every under-skilled, overly confident new entrant into the ransomware market there is at least one extremely clever group capable of building effectively uncrackable crypto-prisons for your company's data. And when your data goes to malware jail, your organization suffers downtime, data loss and possible intellectual property theft; in regulated industries such as healthcare, a ransomware infection may now be treated as a HIPAA breach, with heavy fines to match.



Protecting against RaaS—Train your users

Protecting against RaaS is really the same as protecting against any form of ransomware. With every new ransomware strain, it becomes increasingly important to shore up and mobilize your company's last line of defense, your end-users. That means ensuring they have been given effective security awareness training to identify social engineering red flags, whether they come through malvertising on exploit-laced web pages or deviously crafted phishing emails that make it through your filters.

As part of training, consider running simulated phishing attacks that let you send links, attachments such as Word documents with macros, or even text messages asking for credential changes, so you can see which users are fooled by which methods.


Protecting against RaaS—What else?

Beyond training your users, here are other things you can do to protect your organization from RaaS, or ransomware in general:

  • Your best protection remains a solid, proven backup strategy with regular off-site copies. Keep at least one copy offline or otherwise unreachable from the endpoints (ransomware that can reach a backup share will encrypt it too), and test restores regularly. If you can take storage-side snapshots every 10 minutes and roll back what you need, you have nearly erased the threat.
  • From here on out, treat any ransomware infection as a full compromise: wipe the machine and re-image it from bare metal rather than trying to clean it.
  • If you have no Secure Email Gateway (SEG), get one that does URL filtering and attachment inspection, and make sure it is tuned correctly.
  • Make sure your endpoints are patched religiously, OS and third-party apps alike, browsers and their plug-ins included.
  • Make sure your endpoints and web gateway have next-gen, frequently updated (every few hours or less) security layers.
  • Identify users who handle sensitive information or money and enforce a higher-trust form of authentication (such as 2FA) for them.
  • Review your internal security policies and procedures, specifically those governing financial transactions, to prevent CEO fraud.
  • Check your firewall configuration and make sure outbound traffic is restricted to what the business needs, so that an infected host cannot simply reach out to the criminals' command-and-control servers.


Copyright © 2016 IDG Communications, Inc.
