At the beginning of the millennium, we could hardly go a single day without reading about a newly concocted offering based on the ‘as-a-service’ model. Today, we have Software-as-a-Service (SaaS), Infrastructure-as-a-Service (IaaS) and even Cybersecurity-as-a-Service (CaaS, which not-so-coincidentally happens to also be the slogan of ITrust). The list goes on, as the expression has expanded to refer to almost any type of service made available over the Internet and within the reach of enterprises of all sizes and budgets.
While this is nothing new to you, dear reader, know that there is one more technology out there that the general public is not yet as familiar with. For the sake of aesthetics, we shall call it Cybercrime-as-a-Service (CaaS). Yes, indeed, in this day and age, in order to hack someone, one doesn’t necessarily need to be a hacker oneself. A limitless array of tools, from mere exploit kits to more complex malware, is readily available to help amateurs launch their own cyber-attacks.
According to a DNS threat index released by Infoblox in 2016, the CaaS trend is expanding at an explosive pace. This particular index measures the number of existing malicious websites offering would-be cybercriminals a hacking-made-easy toolkit. As it turns out, 2016 stood out with an impressive spurt of growth compared to previous years, with an index 7% higher than the one recorded in 2015. Here’s another interesting fact: until recently, the majority of domains created for cybercrime were registered in the U.S., but five other countries managed to wiggle their way to the top. These are Portugal, Russia, the Netherlands, the U.K. and Iceland, and in each of them the CaaS presence is overwhelming. That being said, American-registered domains still account for almost half of all new malicious domains (41%).
On a different note, the same study showed that the hottest growth segment in the hacking-served-on-a-platter area is *drumroll please* ransomware! It’s estimated that last year alone, ransomware scams cost victims nearly $1 billion. The number of ransomware domains tracked in the DNS Threat Index has increased 35 times since 2014.
It’s become clear that ransomware has hit the proverbial jackpot, not just in the sheer number of malicious websites involved, but also in the scale of attacks and in the nature of their targets. It’s almost natural nowadays to hear about a data hostage situation associated with a small-scale attack aimed at duping individual consumers. Slowly but surely, ransomware attacks conceived as a service will become just as commonplace.
SPECIAL OFFER: RANSOMWARE ON SALE, ONLY $39.99
When taken on its own, ransomware is already quite effective, typically infecting computers through spam email or infected web sites. We don’t need to run you through every step, as we’ve done so in countless other articles (see here and here). Suffice it to say that ransomware encrypts files in the victim’s system and then asks the user for a certain amount of money in exchange for the decryption key.
Now, Ransomware-as-a-Service (RaaS), on the other hand, takes the cyber-villain bar and puts it at an all-time high. We’ve already established that black hat hackers have their own business model and are always on the lookout for new and ingenious ways to increase their revenues, all the while cutting costs (if you missed out on that one, click here). Well, RaaS does all that and more.
While its beginnings were modest, malicious service offerings as we know them today have proven to be… quite scary. But we’re getting ahead of ourselves. For starters, let’s take Stampado, which represents the original, yet more mellow, RaaS offering. The creators of this particular ransomware offer access to it by means of a lifetime license, at the very attractive price of ‘just $39.99’. This special offer instantly tapped the black market by proposing incredibly low prices compared to other, more well-known ransomware strains such as Locky. Indeed, Stampado tapped the RaaS-on-a-budget market but, just like low-cost airlines, it doesn’t come with all the perks of the original Cryptolocker. Nevertheless, inexperienced evildoers won’t even notice the difference.
Then there’s Ranion, a RaaS discovered by security researcher Daniel Smith. This particular malicious actor guarantees access to a ransomware distribution network hosted on the Dark Web, only this time there’s a time limitation and two price offers given accordingly: 0.95 Bitcoin/year ($960/year) or 0.6 Bitcoin/6 months ($605/6 months). According to our source, Ranion seems to have been created for ‘educational purposes only’, but we find that hard to believe, seeing how there’s never any telling with data hijackers.
Nonetheless, thanks to this easy buy-in, the RaaS business model has only continued to grow more refined. Which brings us to our final variant of the Ransomware-as-a-Service model – and the worst. The first of its kind was revealed at the beginning of 2017 and involves a devilish strategy. In this particular case, operators monetize their ransomware by enabling its download via a free signup. Once it’s available on an onion platform, less experienced hackers will jump at the chance to test this DIY malicious kit.
From a ‘buyer’s’ perspective, this type of offering is more attractive than Stampado or Ranion, for instance, since it unlocks the pay-as-you-go option. There is, however, a catch. Once this network of distributors starts infecting people, the creator sets aside a share of the ransom for each new victim. And as the distribution network grows, so does the profit of those who launched the operation to begin with.
QUICK WIN OR PYRAMID SCHEME?
Independent security researcher Xylit0l discovered that the Satan malware (no, we assure you, we’re not talking about the 9 circles of the Dark Web Hell again), part of the Gen:Trojan.Heur2.FU family, has been launched to the public as part of a RaaS platform. Satan is among those pushing the boundaries of the current RaaS model and a great example of its state-of-the-art representatives: it attempts (and does quite a good job at it) to imitate legitimate businesses by taking their commercial promotion to a whole new level.
The program first made its appearance on January 17th with the following announcement:
That being said, in the case of this particular RaaS, not only do we encounter the same join-up-for-free and pay-later strategy that eBay is known for, we also stumble upon a better-looking, more ergonomic and more intuitive GUI.
Satan RaaS Landing Page (source: Naked Security)
As you can see from this welcome screen, the platform can be accessed using Tor via an onion address on the dark web. The actual Satan malware is backed by a cloud service and in order to start using it, one must first create an account.
Once you’ve chosen a user name and a password, things just keep getting easier. You move on to choosing the desired amount in ransom, starting at BTC 0.1 (or $125). You can also define the number of days you want the price to remain unchanged and a multiplying factor after a decided period:
Satan RaaS Generation Page (source: Naked Security)
After creating your sample, the Satan RaaS platform offers you additional help in the shape of supporting files that guide you in creating a dropper (scrambling your ransomware in order for it not to look like your average executable file) and even developing an HTML page or a Microsoft Word macro to host your malicious software.
Having completed all these steps, as a Satan distributor (that has a nice ring to it, doesn’t it?), you’ll probably end up infecting some poor users. What we didn’t mention in the beginning is that once the victim decides to pay, the payment goes directly into the bitcoin wallet of the operators. So you’re basically supposed to blindly trust cybercriminals to keep only 30% of every ransom payment and then transfer you what would amount to 70%.
Satan RaaS Ransom Page (source: Naked Security)
While the Satan ransomware distribution platform is indeed, for lack of a better word, evil, we caution those inclined to try it out – this is nothing more than a pyramid scheme.
As advanced cybercriminals often opt for more refined, flexible vectors, this new instant-hacker category is something to look out for. Because, at the end of the day, for the average Joe, there is no difference between attackers who leverage RaaS tools and those who develop their own deadly ransomware.
 A pyramid scheme is a business model that recruits members via a promise of payments or services for enrolling others into the scheme, rather than supplying investments or sale of products or services. As recruiting multiplies, recruiting becomes quickly impossible, and most members are unable to profit; as such, pyramid schemes are unsustainable and often illegal.