Executive Summary
From 2021 to 2022, ransomware attacks appeared to take a backseat to data extortion attacks as law enforcement began to crack down on ransomware operations. In previous years, holding ransomware operators responsible for their actions was challenging due to differing laws across countries. This allowed threat actors to carry out significant ransomware attacks on critical systems in various nations, including the U.S.
In 2021, hard-to-catch ransomware operations like Clop were disrupted by law enforcement, and members were arrested. After the arrests, some of Clop’s infrastructure shut down; however, that did not keep the ransomware gang from becoming active again. In 2023, the group claimed attacks on 130 organizations by exploiting CVE-2023-0669, a GoAnywhere zero-day vulnerability. They have continued to attack organizations in 2023 and have made headlines by exploiting the MOVEit zero-day vulnerabilities, successfully breaching the New York City Department of Education, Zellis, Johns Hopkins University, and others.
Clop is widely acknowledged as a ransomware group that exploits zero-day vulnerabilities to infiltrate organizations. However, Clop doesn't limit itself to solely functioning as a ransomware gang; it has adopted the "ransomware-as-a-service" (RaaS) model, partnering with criminal associates to spread malware. This kind of decentralized strategy makes it difficult to track and capture the individuals responsible for attacks. Let’s dive into RaaS and how organizations can harden their defenses against the threat actors who leverage this model.
Before we get into how organizations can harden their defenses, it’s important to understand what RaaS is and how it works. RaaS is not much different from the Software as a Service (SaaS) business model. In SaaS, cloud providers offer their technology through a subscription arrangement; RaaS replaces 'cloud providers' with 'ransomware gangs' and 'technology' with ransomware (along with its accompanying crimes).
In RaaS, threat actors act as service providers, renting out their ransomware capabilities to aspiring threat actors. These aspiring threat actors, often lacking technical skills, can then deploy ransomware attacks without creating the malicious software themselves. This model lowers the entry barrier for cybercriminals, broadening the scope of attacks and contributing to the increasing frequency of ransomware incidents.
The pricing structure for RaaS varies significantly, with some affiliates subscribing for as little as $100 per month, while others invest over $1,000. Regardless of the subscription fee, affiliates gain a portion of the proceeds from every successful ransom payment resulting from an attack.
The RaaS model is easily accessible and empowers individuals with minimal expertise or background in cybercrime to partake in malicious activities that yield substantial rewards. Even those without prior knowledge or experience in the field can effortlessly engage in these attacks, thanks to the ready-made tools and infrastructure provided by RaaS operators. This contributes to the widespread and persistent threat posed by ransomware attacks across various industries and sectors.
The RaaS model is largely used to spread crypto-malware, which is software designed to encrypt files on a targeted device and demand a ransom for decryption or recovery. Since 2019, numerous ransomware developers have expanded their services to include data theft as well. This addition involves threatening victims with the public release of stolen data unless the victim pays the demanded ransom.
Within the framework of RaaS, cybercriminals can also distribute lockers, which are programs that restrict access to a device until negotiations are made and a ransom is paid. RaaS services include a range of offerings, including but not limited to:
Some RaaS operations extend their services to facilitate ransom negotiation.
Once again, these services within the RaaS model allow individuals without technical expertise to enter the realm of ransomware attacks with ease, making it necessary for organizations to bolster their defenses.
In addition to Clop, there are many other ransomware groups known to distribute ransomware through the RaaS model. Conti and LockBit both use this model and have profited substantially from it.
Up until May 2022, the Russian ransomware group Conti was known for utilizing RaaS to execute disruptive ransomware attacks that targeted critical infrastructure, including hospitals and government organizations. They specialized in double extortion, involving simultaneous data encryption and data exfiltration for financial gain. In cases where the ransom was not paid, Conti would blackmail their victims by threatening to release the stolen files.
Conti was responsible for over 400 cyber attacks within the U.S., with ransom demands as high as $25 million. The group utilized known vulnerabilities such as PrintNightmare, exploited unpatched Microsoft Exchange servers with ProxyShell, and infected victims with TrickBot malware. Although Conti went dark after their source code was leaked in 2022, many researchers believe that the gang is still operational and associated with smaller, lesser-known groups.
Since 2019, LockBit, also referred to as LockBit Black, has been operating as a ransomware-as-a-service (RaaS) group, making threats to disclose sensitive data on their leak site as leverage to force targets into paying ransom demands. Historically, LockBit has refrained from targeting systems located within Russia or countries affiliated with the Commonwealth of Independent States, likely in a strategic effort to evade law enforcement.
LockBit’s attack on Accenture, one of the world's top technology consulting firms, stands out as one of the group’s notable cyber attacks. This incident occurred in August 2021, during which the group managed to steal 6 TB of data and demanded a ransom of $50 million. The group meticulously researches organizations prior to launching their attacks; Accenture's revenue for 2020 amounted to $44.33 billion.
LockBit’s RaaS model has attracted a lot of attention from affiliates through campaigns in underground online communities. The operators behind LockBit stated that their encryption software was the fastest among all active ransomware strains as of June 2021. According to LockBit, this speed enhanced their ability to disrupt the ransomware landscape.
Recently, LockBit has been called out for falsely claiming to have published the stolen data of certain organizations that did not pay their demanded ransom. This impacts the group greatly since they use data extortion as leverage in their attacks. As a result, some of LockBit’s top affiliates have left for other ransomware groups. Despite this recent development, LockBit has been quite active in 2023. The group has successfully attacked and leaked the data of healthcare technology giant Siemens Healthineers, the Indonesian bank Bank Syariah Indonesia, and the UK’s largest postal service provider, Royal Mail.
If organizations want to protect themselves from ransomware gangs that utilize RaaS, they need to have a multi-layered approach that will address both prevention and response. Here are some key strategies to consider:
This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses being exploited to compromise data.
Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.