Ransomware gangsters steal a page from the legit software industry’s distribution playbook
Ransomware has emerged as the most prolific new malware threat of the 21st century, with online criminals expected to reap a billion dollars from victims in 2016. We have talked here about what ransomware is and how it works (it infects your PC, server or phone, encrypts your files, and demands an online payment in return for the decryption key) and why so many criminals are getting into the ransomware business (it’s an extremely profitable racket). We expect the ransomware epidemic to keep mushrooming, becoming a multi-billion dollar business in 2017 and making it ever more likely that you or someone you know will have to pay a hefty ransom or lose their files forever. How is this crooked business growing so quickly, despite the efforts of law enforcement and the IT security industry to thwart it?
Ransomware as a Service
One huge contributing factor to this astronomical growth is the clever business model that certain ransomware gangs have adopted: Ransomware as a Service (RaaS). It’s a proven distribution method copied from the legitimate software world, in which ransomware authors enlist a tier of distributors whose job is to “sell” the malware (get it onto end-users’ machines). Once these “resellers” collect their ransom payments, they cut the ransomware originators in on their profits. There are several fascinating consequences to this new model – don’t be surprised if they remind you of outtakes from a high-tech vendor’s channel marketing strategy session:
- Fast enablement of new partners – Ransomware as a Service amounts to a wholesaling of pre-fabricated malware, which has given birth to a new class of criminals who can get into the online extortion business without any programming skills or knowledge of how to write their own attack code. For a low, low price on the dark web, sometimes as low as $40, less skilled criminals can get into the ransomware game as malware resellers – or more accurately, resellers of the cure to the malady they have inflicted on their targets. Many RaaS offerings also include features like operator consoles that tell distributors how many infections they have in progress and how much they’ve accumulated in ransoms; integration with back-end payment systems such as Bitcoin wallets; and chat or email-based technical support to help victims figure out how to pay the ransoms.
- Expanded sales reach – Just as an indirect sales force of channel partners enables a software vendor to reach a much larger prospect base, RaaS gives malware authors much greater sales leverage. Instead of five guys in their gang working to infect end-users, they can have the services of 5,000 independent operators working on their behalf.
- Two-headed product optimization – In the RaaS world, ransomware refinements are happening on two fronts. Distributors tasked with infecting as many machines as possible are concentrating on attack vectors: writing craftier phishing emails to get users to open embedded malicious links and attachments; crafting convincing fake online ads that lead users to malicious drive-by download sites; and creating websites that host content (adult entertainment, pirated software, games, movies, music, etc.) that infects visitors. Meanwhile, ransomware originators can focus their development efforts on improving their products’ ability to evade IT security defenses like anti-virus scanners, intrusion detection systems and application sandboxes. The result of this double-edged effort is that more ransomware is getting onto more systems, and it is doing a better job of extracting cash from its victims once it gets there.
Of course, the bad guys don’t deserve all the credit for the scary surge of the Ransomware as a Service tide. End-users are still too unwary of emails from strangers, still too willing to click on links, open attachments, or download files from dubious sources. In addition to the traditional array of defense-in-depth measures on your endpoints, servers and mobile devices, you need to conduct security awareness training to reduce the attack surface you present to ransomware thieves. But there’s always one user naïve enough to let something bad into your network, and all it takes is one breach to end up with ransomware on every one of your PCs and servers.
Further, with the RaaS model’s double-edged optimization, your IT security vendors will continue to struggle to keep up with the gangsters’ well-funded development of evasion techniques. Ultimately, the most reliable recovery path from this fast-growing illicit industry is a solid data protection scheme, one that combines on-premises backups and cloud-based backups. One caveat matters: ransomware encrypts any backup target the infected machine can write to, so a copy sitting on a mapped drive is not a backup. Copies must be versioned and kept out of the infected host’s reach (offline, or in cloud storage with separate credentials), and restores must be tested before you need them. You will never be able to rule out the possibility of an infection, but proper backup means you can always rewind the clock to your pre-breach state.
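To make the "rewind the clock" point concrete, here is an added toy simulation (written for this edit, not code from the original post or from Acronis). It models a host's filesystem as a dictionary, stands in for the ransomware's cipher with a simple XOR (an assumption; real ransomware uses strong encryption), and contrasts two backup schemes: a copy on a share the infected host can still write to, and point-in-time snapshots pulled by a backup agent that the host cannot modify. The canary file used to pick the last clean snapshot is also an assumption of this example, not a feature described on the page.

```python
"""Added example: why a writable backup share is not a backup, and how
versioned, host-unreachable snapshots restore the pre-breach state.
All files, the 'ransomware' and the snapshot store are constructed in
memory; nothing here touches a real filesystem."""
import hashlib
from typing import Dict, List, Optional, Tuple

Files = Dict[str, bytes]

# Assumed canary: a known file whose content is checked to detect snapshots
# taken after the encryption started.
CANARY_PATH = "backup-canary.txt"
CANARY_BODY = b"if you can read this, the snapshot was not encrypted"


def fake_encrypt(data: bytes, key: int = 0x5A) -> bytes:
    """Stand-in for the ransomware's cipher (assumption: XOR is enough to
    make content unreadable for the demo; real strains use AES/RSA)."""
    return bytes(b ^ key for b in data)


def digest(files: Files) -> str:
    """Content hash over a whole file tree: used as the snapshot id and
    to verify a snapshot's integrity before restoring from it."""
    h = hashlib.sha256()
    for path in sorted(files):
        h.update(path.encode() + b"\0" + files[path] + b"\0")
    return h.hexdigest()


class Host:
    """A machine whose filesystem is a dict; mounted shares are extra
    dicts that the same user process can write to."""

    def __init__(self, files: Files) -> None:
        self.files: Files = dict(files)
        self.files[CANARY_PATH] = CANARY_BODY
        self.writable_mounts: List[Files] = []

    def mount(self, share: Files) -> None:
        self.writable_mounts.append(share)

    def ransomware_runs(self) -> None:
        """Encrypts every file reachable with the user's write access:
        local disk and mapped shares alike."""
        for store in [self.files, *self.writable_mounts]:
            for path in list(store):
                store[path] = fake_encrypt(store[path])


class SnapshotStore:
    """Point-in-time copies pulled by a backup agent. The host holds no
    handle to _versions, so an infection on the host cannot rewrite them."""

    def __init__(self) -> None:
        self._versions: List[Tuple[str, Files]] = []

    def take_snapshot(self, host: Host) -> str:
        copy = dict(host.files)
        snap_id = digest(copy)
        self._versions.append((snap_id, copy))
        return snap_id

    def last_clean(self) -> Optional[str]:
        """Newest snapshot whose canary is intact. Scheduled jobs keep
        running after infection, so the newest snapshot may be garbage."""
        for snap_id, copy in reversed(self._versions):
            if copy.get(CANARY_PATH) == CANARY_BODY:
                return snap_id
        return None

    def restore(self, host: Host, snap_id: str) -> None:
        for sid, copy in self._versions:
            if sid == snap_id:
                if digest(copy) != sid:
                    raise RuntimeError("snapshot failed integrity check")
                host.files = dict(copy)
                return
        raise KeyError(snap_id)


# Constructed sample data for the two scenarios.
ORIGINAL: Files = {"docs/q3.xlsx": b"revenue 1000", "docs/plan.docx": b"launch in may"}


def scenario_mounted_share() -> bool:
    """Copy-to-a-mapped-drive 'backup'. Returns True only if the copy
    survives the infection (it does not)."""
    host = Host(ORIGINAL)
    share: Files = dict(host.files)   # last night's copy, living on the share
    host.mount(share)                 # share still mapped as a drive letter
    host.ransomware_runs()
    return share.get("docs/q3.xlsx") == ORIGINAL["docs/q3.xlsx"]


def scenario_snapshots() -> Files:
    """Versioned, host-unwritable snapshots. Returns the restored tree
    (without the canary) after rewinding to the last clean version."""
    host = Host(ORIGINAL)
    store = SnapshotStore()
    store.take_snapshot(host)
    host.files["docs/plan.docx"] = b"launch in june"   # ordinary work
    store.take_snapshot(host)
    host.ransomware_runs()
    store.take_snapshot(host)       # scheduled job captures the encrypted state
    clean = store.last_clean()
    assert clean is not None, "no clean snapshot retained"
    store.restore(host, clean)
    return {p: b for p, b in host.files.items() if p != CANARY_PATH}


if __name__ == "__main__":
    print("mapped-share copy survived:", scenario_mounted_share())
    print("restored from last clean snapshot:", scenario_snapshots())
```

The design point is the access boundary, not the storage medium: the snapshot store works because the backup agent pulls from the host and nothing on the host can write into the version history, which is what an offline copy or a cloud target with separate credentials gives you in practice. Keeping several versions and verifying each before restoring is what lets you step back past the snapshot the scheduled job took after the encryption began.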
For a look at how one medium-sized business managed to successfully defeat a ransomware attack, download this case study, “Ready Honda Recovers from Ransomware with Acronis”.
In future editions of this series, we’ll look in more detail at how some (legitimate) service providers are successfully defending their customers against ransomware attacks, and dive deeper into how you can build your own defenses with effective backup and data protection.