Ransomware 2021: criminal business models and payment realities

The Colonial Pipeline attack and another which severely disrupted the Irish Health Service have one thing in common (beyond being despicable): they were both the result of ransomware-as-a-service (RaaS) operations. This area of criminal cooperation has become the norm for threat actors, but what are the business mechanics at play? How does it change the risk to business? And can it survive these high-profile attacks on critical infrastructure?Four years to the week after WannaCry caused major disruption to the NHS, the Irish Health Service had to cancel outpatient appointments as a ransomware attack caused the Health Service Executive IT network to close down. This came just a week after another ransomware attack, on Colonial Pipeline, severely disrupted fuel supplies in parts of the US. Unlike WannaCry, no ‘spray and pay’ tactics were behind these attacks, no worm capability to spread the infection: these were highly targeted from partners of the Conti and DarkSide RaaS operations respectively. What is RaaS?The RaaS business model consists of the cybercriminal organisation that develops both the malware code itself and the back-end infrastructure it runs on, along with a management system and the affiliates who employ it in attacks. These affiliates, usually recruited through dark web crime forums, take responsibility for infiltrating a target network and installing the ransomware code. "Once the ransomware is successfully delivered into the victim’s environment, it will often auto-execute,” James Weston, principal consultant of cyber and digital at Gemserv, explains. "At this point, the affiliate may have access to a control server or dashboard allowing them to monitor the attack in progress as well as interact with the victim through encrypted messaging channels, emails, or chat functions."Are you wearing a wire?There is a fair degree of vetting involved when it comes to taking on ransomware affiliates, not only in an attempt to prevent law enforcement infiltration, but also to ensure the highest financial returns."Ransomware operators are looking for the best affiliates who can provide the most lucrative accesses while affiliates are looking to use the most effective ransomware," Tim Mitchell, senior security researcher at Secureworks, told SC Media UK."All RaaS operations split the profits of a successful ransom according to a pre-arranged share," he says, with the division of proceeds usually depending on "the affiliate’s experience, the type of access they have provided, the revenue of the victim organisation and, ultimately, the size of the payout”. DarkSide, for example, had a sliding scale of payments: 25% for ransom payments of $500,000 or below and 10% for $5 million or more, the rest is somewhere between. Being a business model, affiliate shares vary according to market conditions. "In February 2021, the Avaddon group announced a temporary increase in its affiliate share from 25-40% to 80% following the production of a decryptor for its ransomware that would clearly have undermined its profitability," Mitchell says.Outsourcing ransomware riskThink of RaaS as being, in effect, the outsourcing of the most risky part of the whole process: the attack itself and the ransom extortion that goes with it."It shows that the RaaS sellers are more than willing to outsource the hacking of computers," Corey Nachreiner, chief security officer at WatchGuard Technologies, says. "That is what will definitely get you in jail if a criminal is caught. But, making and supplying ransomware to others, though possibly a crime in some countries, is less risky than actually infecting computers with it." In this sense, Nachreiner doesn't see the business model as one of cooperation, but rather "the affiliates are used as the sheep or mules doing the dangerous work, while the ransomware seller is just gathering profit”. That said, the cooperative, profit-sharing model does get distributed down the line. Affiliates will purchase the credentials or exploits needed to access a targeted network from an initial access broker. “These brokers collect victims in large numbers and skim the most valuable ones to resell to ransomware affiliates,” says Chet Wisniewski, principal research scientist at Sophos. "Affiliates take over from there. They will exfiltrate sensitive data, move laterally and map out all the assets, backups, admins, databases and ultimately trigger the ransomware itself." And the cooperation doesn’t end there, once a ransom has been paid, other criminals are often employed to launder the cryptocurrency in return for a cut.Enterprise mitigation? So, does this model change anything when it comes to risk to businesses or the defensive reality of ransomware mitigation? “It means a would-be cyber criminal doesn't need to have technical skills to launch a ransomware attack, just the will and the funds to procure the capabilities," says Jen Ellis, VP of community and public Affairs at Rapid7 and co-chair of the Ransomware Task Force. Ellis argues that the odds are already stacked against defenders, so you could say more attacks makes those odds worse, but RaaS does not necessarily increase the breadth or complexity of attacker trends. "If an organisation is already taking appropriate steps to protect themselves those mitigations should be sufficient against RaaS attacks." Wisniewski says: "A more diverse set of skills among those attackers means some go after smaller, weaker victims for lower ransom amounts, while the more skilled can go big game hunting."The mitigation remains the same, David Cummins, VP of EMEA at Tenable, says. "When you look at the attack path of ransomware, the majority of attacks target a handful of known and patched vulnerabilities. “User awareness, malware detection, system back-ups, and strong vulnerability management can all significantly reduce the likelihood of harm from a ransomware attack."

Your cyber intelligence source

Ransomware 2021: criminal business models and payment realities

Related content

Government Security Group Seeking New Members and Expertise

Microsoft Takes Down Phishing-as-a-Service Domains

Research: Half of Working Week Commonly Lost to Manual Tasks

Five Named and Charged in SMS Phishing Effort

Businesses Commonly Attacked Outside of Working Hours

Industrial Cybersecurity Under Attack in 2024

The Most Overlooked Cybersecurity Risk - How to Protect the Mainframe

Upcoming Events

Ransomware 2021: criminal business models and payment realities

Related content

Government Security Group Seeking New Members and Expertise

Microsoft Takes Down Phishing-as-a-Service Domains

Research: Half of Working Week Commonly Lost to Manual Tasks

Five Named and Charged in SMS Phishing Effort

Businesses Commonly Attacked Outside of Working Hours

Industrial Cybersecurity Under Attack in 2024

The Most Overlooked Cybersecurity Risk - How to Protect the Mainframe

Upcoming Events

Confirm cancellation

Sign up benefits