More than 25 hacker groups work under the “Ransomware as a Service” model

Ransomware as a Service model
Written by Emma Davis

According to a report published by Intel 471 researchers, more than 25 hack groups offer their services under the “Ransomware as a Service” (RaaS) model. Therefore, hackers lease extortion malware to other criminals.

In fact, RaaS developers provide ready-made ransomware code to other hackers. Such “clients” rent the encryption code from its authors, customize it for themselves, and then use it in their own attacks.

For example, a rented ransomware can be spread using targeted phishing campaigns, mass spam mailings, compromised RDP credentials, or using exploitation of vulnerabilities in various network devices. These attacks have only one common feature: the ultimate goal is always to gain access to the victim’s internal network.Intel 471 researchers say.

The ransoms that hackers “earn” from such attacks go to the accounts of the RaaS malware developers, who keep a small percentage for themselves, and then send the rest to their “clients”.

Intel 471 analysts write that now more than 25 groups offer RaaS malware on the black market, and this is much more than many information security experts previously assumed.

At the same time, the researchers note that not all detected RaaS are the same and divide the malware into three levels, depending on its complexity, functions, and confirmed history of attacks.

Level 1. is the most well-known ransomware today. Groups that have been active for many months have reached this level, having proved the viability of their code with the help of a large number of attacks, and continue to work, despite public disclosure. This list includes REvil, Netwalker, DopplePaymer, Egregor (backed by the same developers behind the late Maze), and Ryuk.

All of these malware are well-known and, with the exception of Ryuk, have their own data leak sites, where they publish information stolen from affected companies if victims refuse to pay.

The operators of these ransomware use a wide variety of attack vectors. They can hack victims’ networks by exploiting bugs in network devices (and hiring network experts to do this); can download the ransomware payload into a system already infected with another malware (cooperate with other hack groups); can access the company’s network via RDP (cooperate with botnet operators or vendors of compromised credentials).

Level 2. is reserved for RaaS groups, which have already gained a reputation among other hackers, offer very advanced malware, but do not yet have as many “clients” as the first level groups. So, Avaddon, Conti, Clop, DarkSide, Mespinoza (Pysa), RagnarLocker, Ranzy (Ako), SunCrypt and Thanos got to this level.

Level 3. is a very recent RaaS offer, and there is no detailed information about it. In some cases, it is even impossible to understand whether these groups are active now, or whether they have already abandoned unsuccessful attempts to establish their own ransomware “business”. These newcomers include CVartek.u45, Exorcist, Gothmog, Lolkek, Muchlove, Nemty, Rush, Wally, Xinof, Zeoticus and ZagreuS.

User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About the author

Emma Davis

I'm writer and content manager (a short time ago completed a bachelor degree in Marketing from the Gustavus Adolphus College). For now, I have a deep drive to study cyber security.

Leave a Reply