I have written multiple times about the danger of disruptionware to both Information Technology (IT) networks as well as Operational Technologies (OT) networks of victims globally. As discussed here, many different nefarious tools make up the disruptionware “tool kit.” These tools include, but are not limited to:
- Bricking capabilities tools
- Automated components
- Data exfiltration tools
- Network reconnaissance tools
The most well-known and most used of all these tools is ransomware malware. Ransomware attacks have grown exponentially over the past few years. Dozens of ransomware gangs are launching ransomware attacks and terrorizing and extorting businesses throughout the world. This has included specific attacks against the U.S. energy sector as well as U.S. infrastructure projects.
In order to stay ahead of law enforcement and to increase profits, these ransomware gangs have created a new type of “business model,” where these gangs are now “franchising” their ransomware software to smaller nefarious cyber threat actors. This new evolution of the traditional disruptionware attack introduces the concept of Ransomware as a Service (RaaS). RaaS is an actual subscription-based model that encourages cyber threat actors to use already developed and effective ransomware tools to execute ransomware attacks against unsuspecting victims. This allows less sophisticated cyber threat actors to literally rent effective ransomware software and use it to continue the exponential growth of ransomware attacks.
According to Forbes, the “RaaS model permits talented hackers to use sophisticated and proved tactics, techniques and procedures to perpetrate the attack, while outsourcing the commodity infrastructure proven out in several years of ransomware attacks.” This has allowed cyber threat actors to increase attacks on energy, infrastructure and supply chains in numbers that are overwhelming businesses around the world. According to Protocol, this evolution of RaaS has led to a criminal marketplace of additional RaaS services, including:
- Infrastructure as a Service – includes “bulletproof” web-hosting and domain registration services to help carry out new ransomware attacks
- Hacking tools and access providers to gain access to victims who have already been compromised
- Fraud shops that sell stolen data, including passwords and personal identifiable information (PII), of victimized individuals. This may also include compromised log-in credentials to allow the buyers access to a victim’s network
- Post-attack services that provide underground call centers to call victims directly to try and further victimize them
This growth and evolution of ransomware to include new criminal “product lines” such as RaaS, is a frightening evolution in the growth of cyber-attacks, particularly disruptionware. RaaS opens up the ability for less-skilled cyber threat actors to literally rent a ransomware attack from a more sophisticated ransomware gang and successfully launch it against an unsuspecting victim. Prior to 2020, these types of illicit third-party services only accounted for 3% of ransomware proceeds. In the last year alone, that number has tripled, with RaaS now accounting for over 9% percent of ransomware profits.
It appears that cyber threat actors have latched onto the famous axiom, “evolve or die.” Ransomware attacks, as they previously existed, have now evolved to present a new and greater threat to the world at large.