According to a report published by Intel 471 researchers, more than 25 hacking groups offer their services under the “Ransomware as a Service” (RaaS) model, that is, they lease extortion malware to other criminals.
In practice, RaaS developers provide ready-made ransomware code to other hackers. Such “clients” rent the encryption code from its authors, customize it for themselves, and then use it in their own attacks. The ransoms that hackers “earn” from such attacks go to the accounts of the RaaS malware developers, who keep a small percentage for themselves and then send the rest to their “clients”.
Intel 471 analysts write that now more than 25 groups offer RaaS malware on the black market, and this is much more than many information security experts previously assumed.
At the same time, the researchers note that not all detected RaaS are the same and divide the malware into three levels, depending on its complexity, functions, and confirmed history of attacks.
Level 1 is the most well-known ransomware today. Groups that have been active for many months have reached this level: they have proved the viability of their code through a large number of attacks and continue to operate despite public disclosure. This list includes REvil, Netwalker, DopplePaymer, Egregor (backed by the same developers behind the late Maze), and Ryuk.
All of these ransomware families are well known and, with the exception of Ryuk, have their own data leak sites, where they publish information stolen from affected companies if the victims refuse to pay.
The operators of these ransomware families use a wide variety of attack vectors. They can break into victims’ networks by exploiting bugs in network devices (hiring network experts to do this); they can drop the ransomware payload onto a system already infected with another malware (cooperating with other hacking groups); or they can access the company’s network via RDP (cooperating with botnet operators or vendors of compromised credentials).
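The RDP vector above is the one a defender can most readily watch for in Windows authentication logs. The following is an added example (not from the Intel 471 report or this article): it scans constructed logon records for RemoteInteractive (logon type 10) sessions that originate outside the internal address ranges or succeed after a run of failed attempts, the pattern that credential-stuffing with purchased RDP credentials tends to leave. The record layout, the internal networks and the failure threshold are assumptions for the illustration; event IDs 4624 (successful logon) and 4625 (failed logon) are the standard Windows Security log values.

```python
"""Flag suspicious RDP (RemoteInteractive) logons in simplified Windows logon records.

Added example; not part of the original article. The log lines below are constructed,
and the field layout "<time> <event_id> <logon_type> <user> <src_ip>" is an assumption.
"""
import ipaddress
from collections import Counter

# Constructed sample records (not real telemetry).
SAMPLE_LOG = """\
2021-03-01T02:14:07 4624 10 svc_backup 203.0.113.45
2021-03-01T02:14:09 4625 10 administrator 203.0.113.45
2021-03-01T02:14:11 4625 10 administrator 203.0.113.45
2021-03-01T02:14:12 4625 10 administrator 203.0.113.45
2021-03-01T02:14:15 4624 10 administrator 203.0.113.45
2021-03-01T09:05:30 4624 10 jsmith 10.0.4.17
2021-03-01T09:06:02 4624 2 jsmith 10.0.4.17
"""

# Assumed corporate address space; RDP from anywhere else is worth a look.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
# Assumed threshold: a success preceded by this many failures from the same
# source for the same account looks like password guessing that paid off.
FAILED_THRESHOLD = 3
RDP_LOGON_TYPE = 10  # Windows "RemoteInteractive" logon type


def parse(line):
    """Split one record into typed fields."""
    ts, event_id, logon_type, user, src = line.split()
    return {"ts": ts, "event_id": int(event_id), "logon_type": int(logon_type),
            "user": user, "src": ipaddress.ip_address(src)}


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def find_suspicious_rdp(log_text):
    """Return a list of findings for successful RDP logons that merit review."""
    records = [parse(l) for l in log_text.splitlines() if l.strip()]
    failed = Counter()  # (source ip, user) -> failed attempts seen so far
    findings = []
    for r in records:
        if r["logon_type"] != RDP_LOGON_TYPE:
            continue  # only remote-interactive sessions are of interest here
        key = (r["src"], r["user"])
        if r["event_id"] == 4625:
            failed[key] += 1
            continue
        if r["event_id"] != 4624:
            continue
        reasons = []
        if not is_internal(r["src"]):
            reasons.append("external source")
        if failed[key] >= FAILED_THRESHOLD:
            reasons.append(f"success after {failed[key]} failures")
        if reasons:
            findings.append({"ts": r["ts"], "user": r["user"],
                             "src": str(r["src"]), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_rdp(SAMPLE_LOG):
        print(f"{f['ts']} {f['user']}@{f['src']}: {', '.join(f['reasons'])}")
```

On the constructed input the scan reports two sessions from 203.0.113.45: the `svc_backup` logon because it comes from outside the internal ranges, and the `administrator` logon for that reason and because it follows three failures. The internal `jsmith` sessions are not reported. In a real deployment the same logic would be fed from the Security event log rather than from a string, and the internal ranges would come from the organisation's own address plan.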
Level 2 is reserved for RaaS groups that have already gained a reputation among other hackers and offer very advanced malware, but do not yet have as many “clients” as the first-level groups. Avaddon, Conti, Clop, DarkSide, Mespinoza (Pysa), RagnarLocker, Ranzy (Ako), SunCrypt and Thanos fall into this level.
Level 3 covers very recent RaaS offerings about which there is no detailed information. In some cases it is impossible even to tell whether these groups are still active or have already abandoned unsuccessful attempts to establish their own ransomware “business”. These newcomers include CVartek.u45, Exorcist, Gothmog, Lolkek, Muchlove, Nemty, Rush, Wally, Xinof, Zeoticus and ZagreuS.