Microsoft has shone a spotlight on ransomware-as-a-service (RaaS), a style of criminal enterprise that relies on gig workers and is structured around profit-sharing to reduce risk borne by a single actor.
Microsoft security teams are tracking more than 35 unique ransomware families and 250 threat actors across nation-state, ransomware and criminal activities. RaaS, it says, is a gig economy involving multiple actors around three key pillars.
“In the same way our traditional economy has shifted toward gig workers for efficiency, criminals are learning that there’s less work and less risk involved by renting or selling their tools for a portion of the profits than performing the attacks themselves,” Microsoft Security says in a blogpost.
“This industrialization of the cybercrime economy has made it easier for attackers to use ready-made penetration testing and other tools to perform their attacks,” it said.
RaaS has forced Microsoft to look at attacks differently. It’s not one actor, but many, meaning that identifying the ransomware family itself doesn’t give defenders the full picture of threats on the network.
Stealing data from a target, for example, may be carried out by one group for double extortion, but another group is responsible for developing ransomware payloads, while other RaaS affiliates may deploy a given ransomware payload. In other words, knowing that you’ve fallen victim to one type of ransomware only tells half the story, and defenders can waste time chasing the wrong signals.
“Payload-based attribution meant that much of the activity that led to Conti ransomware deployment was attributed to the ‘Conti Group’, even though many affiliates had wildly different tradecraft, skills, and reporting structures,” Microsoft notes.
“Some Conti affiliates performed small-scale intrusions using the tools offered by the RaaS, while others performed weeks-long operations involving data exfiltration and extortion using their own techniques and tools.”
Researchers at security firm Intel471 recently detailed the Conti group’s cooperation with members of LockBit 2.0, Maze and Ryuk gangs to refine encryption algorithms and ransom notes, and contract developers from other groups to build new ransomware.
At a high level, key actors in RaaS include the operator, who develops and maintains ransomware payloads and the payment portals used to communicate with victims; access brokers, who compromise networks and sell RaaS affiliates access to them; and RaaS affiliates, who run the ransomware attack, steal data, move laterally on compromised networks and persist on systems.
Ransomware really becomes dangerous at the “hands-on-keyboard phase”. “When the attack reaches the active attack stage of deleting backups or shadow copies, the attack would be minutes away from ransomware deployment,” Microsoft notes.
By this stage, the attackers have likely already exfiltrated data, so defenders must prioritize the investigation of alerts or detections of tools like Cobalt Strike and quickly launch incident response (IR) procedures to contain a human adversary before they can deploy ransomware.
Other actors in this economy may handle the leak site used to publish snippets of data stolen from victims. Other extortion services include leak site hosting, decryption negotiation, payment processing, and cryptocurrency transaction services.
Microsoft estimates that where an access broker has compromised 2,500 potential victims, about 60 victims encounter activity associated with known ransomware attackers. Around 20 of these victims are successfully compromised, and then one of these organizations sees an actual ransomware payload deployed on their network.
Microsoft rates Trickbot, which it has been tracking as DEV-0193 since October 2020, as “the most prolific” ransomware group today. It is responsible for developing, distributing and maintaining the Trickbot, Bazaloader, and AnchorDNS payloads. The group also managed the Ryuk RaaS program before its shutdown in June 2021, as well as Ryuk’s believed successor, Conti. DEV-0193 has also hired developers from Emotet, Qakbot, and IcedID, according to Microsoft.
Microsoft’s report also covers ELBRUS, also known as FIN7, which uses point-of-sale (PoS) and ATM malware to harvest payment card information. In 2020, it deployed MAZE and REvil RaaS, but then developed DarkSide as their own RaaS ecosystem, which it then retired in May 2021 and replaced with BlackMatter in July, only to retire it in November.
“The tendency to report on ransomware incidents based on payload and attribute it to a monolithic gang often obfuscates the true relationship between the attackers, which is very accurate of the DarkSide RaaS,” Microsoft notes.
While Microsoft hasn’t seen ELBRUS running a RaaS program today, it says it’s still “very active in compromising organizations via phishing campaigns” that lead to their JSSLoader and Griffon malware. Microsoft has also seen the group exploiting CVE-2021-31207 in Exchange — a low-privilege ProxyShell bug — to elevate to high SYSTEM-level privileges in victim organizations in April 2022.
The BlackCat ransomware gang is another notable RaaS affiliate actor. It appeared in November 2021 and was created by ‘access brokers’ that previously sold access to multiple RaaS groups, including BlackMatter, according to Cisco’s Talos researchers.
The group Microsoft tracks as DEV-0504 currently deploys BlackCat, but previously deployed Ryuk, REvil, LockBit 2.0, BlackMatter, and Conti. When one RaaS program shuts down, it moves to another, Microsoft notes.
While most of these RaaS groups are believed to operate from Russia, Microsoft highlights DEV-0401 as a unique “China-based lone wolf turned LockBit 2.0 affiliate” that recently started targeting the CVE-2021-44228 vulnerability in Log4j 2 in VMware Horizon.
“Because DEV-0401 maintains and frequently rebrands their own ransomware payloads, they can appear as different groups in payload-driven reporting and evade detections and actions against them,” Microsoft notes.
Microsoft’s top advice for organizations is to protect credentials.
“More than malware, attackers need credentials to succeed in their attacks. In almost all attacks where ransomware deployment was successful, the attackers had access to a domain admin-level account or local administrator passwords that were consistent throughout the environment,” Microsoft says.
Attackers can deploy ransomware through Group Policy or tools like PsExec (or clones like PAExec, CSExec, and WinExeSvc), but spreading ransomware to multiple systems is much harder without the credentials that provide administrative access in a network.
“Compromised credentials are so important to these attacks that when cybercriminals sell ill-gotten access to a network, in many instances, the price includes a guaranteed administrator account to start with,” says Microsoft.
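The two defender takeaways above, that backup or shadow copy deletion means ransomware deployment is minutes away and that one administrator account driving PsExec-style tooling across many hosts is the spreading stage, can be turned into a simple triage rule. The following is an added example, not code from the article or from Microsoft; the event format and the host, account and command-line values are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed process-creation events (assumed format, not from the article):
# each record is one process start with its host, account and command line.
SAMPLE_EVENTS = [
    {"host": "ws01",       "user": "CORP\\alice",      "cmdline": "outlook.exe"},
    {"host": "srv-file01", "user": "CORP\\svc-backup", "cmdline": "psexesvc.exe"},
    {"host": "srv-db02",   "user": "CORP\\svc-backup", "cmdline": "paexec.exe -s cmd"},
    {"host": "srv-app03",  "user": "CORP\\svc-backup", "cmdline": "csexec.exe cmd"},
    {"host": "srv-file01", "user": "CORP\\svc-backup", "cmdline": "vssadmin delete shadows /all"},
]

# Shadow copy / backup deletion: the "minutes away from deployment" signal.
BACKUP_TAMPER = re.compile(
    r"vssadmin\S*\s+delete\s+shadows|wmic\s+shadowcopy\s+delete|wbadmin\S*\s+delete", re.I)
# PsExec and the clones named in the article, used to push a payload to many hosts.
REMOTE_EXEC = re.compile(r"\b(psexe?svc|psexec|paexec|csexec|winexesvc)(\.exe)?\b", re.I)

def triage(events, spread_threshold=3):
    """Return prioritised findings as (severity, host(s), account, reason):
    'critical' for backup tampering on any host, 'high' when a single account
    runs remote-exec tooling on spread_threshold or more distinct hosts."""
    findings = []
    hosts_per_account = defaultdict(set)
    for ev in events:
        if BACKUP_TAMPER.search(ev["cmdline"]):
            findings.append(("critical", ev["host"], ev["user"], "backup/shadow copy deletion"))
        if REMOTE_EXEC.search(ev["cmdline"]):
            hosts_per_account[ev["user"]].add(ev["host"])
    for user, hosts in hosts_per_account.items():
        if len(hosts) >= spread_threshold:
            findings.append(("high", ",".join(sorted(hosts)), user, "remote-exec tooling fanning out"))
    order = {"critical": 0, "high": 1}
    return sorted(findings, key=lambda f: order[f[0]])

if __name__ == "__main__":
    for sev, host, user, why in triage(SAMPLE_EVENTS):
        print(f"{sev.upper():8} {user:18} {host:32} {why}")
```

In a real environment the same logic would run over process-creation telemetry (Sysmon event 1 or EDR equivalents), and the account that appears in the "high" finding is the credential to revoke first.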