As ransomware has increased, its profitability has become undeniable. The resulting Ransomware-as-a-Service (RaaS) business model is thriving as well. In fact, RaaS has emerged as one of the most significant cybercrime threats by leveraging the traditional subscription model to give ransomware access to threat actors who would otherwise not be able to pull off such an attack.
RaaS attracts a variety of threat actors with varying skill sets. Some are highly skilled but would rather rent ransomware than build it themselves. Others have very few skills. They find subscription-based hacking a quick entry point into the world of cybercrime.
From the security team’s standpoint, getting a handle on RaaS begins with understanding the ecosystem alongside recruitment methods, affiliate demands, and the shared tactics, techniques, and procedures (TTPs) that lead to ransomware being such a serious threat.
Recruiting RaaS Renters

The subscription model opens the door to two types of affiliates: renters and programmers. By analyzing recruitment efforts, security teams can uncover key indicators about target audiences, expectations, and more.
DarkOwl is a leading provider of threat actor profiling and darknet intelligence. They explain that renter recruitment often focuses on the following three things:
- Revenue Splits – RaaS is typically rented based on some sort of revenue split. Splits more attractive to renters act as effective recruiting tools.
- Ease-of-Use – Groups often emphasize ease-of-use to address renter concerns about challenging deployments.
- Required Skills – When RaaS groups develop highly specialized software targeting certain environments, they may need renters with equally specialized skills.
By dissecting and analyzing recruitment strategies, security teams can gain insight into the renters that developers and groups are trying to bring on board. By extension, this helps them better understand the potential threats their own networks face.
The Demand for Skilled Programmers
Recruiting in the RaaS space is not limited to finding new renters willing to sign on with a subscription. Sometimes it is about recruiting affiliates capable of helping a group improve or expand its software offerings. These affiliates are essentially contractors who provide programming services. Recruited affiliates are expected to bring in the following:
- Proficiency in certain programming languages, including Python and C++.
- A strong understanding of network vulnerabilities.
- Strong social engineering skills that make ransomware deployment easier.
As with recruiting strategies, security teams can learn a lot by studying the types of skills RaaS developers and groups are focusing on in their recruiting efforts. Skill sets relate directly to how attacks are pulled off. For example, some skill sets could point to insiders, while others suggest external attacks.

Tracking Tactics, Techniques, and Procedures
TTP tracking is a common tool for building threat actor profiles. It can be leveraged in the fight against ransomware because of one convenient fact: RaaS groups often share TTPs. Such sharing creates a playbook defenders can deploy to counteract ransomware threats.
Here are three TTPs that tend to be fairly standard with RaaS:
- Phishing – Many ransomware attacks begin with standard phishing emails.
- RDP Services – RaaS affiliates tend to target vulnerable RDP (Remote Desktop Protocol) services.
- Encryption – Groups often share encryption methodologies, openly discussing them on the dark web.
Threat actor TTPs can be tracked, analyzed, and correlated with known incidents. Over time, security teams can develop detailed profiles that lead to better detection methods. In theory, this helps them put down potential threats in the earliest possible stages. For example, a phishing email might be intercepted, or an RDP vulnerability identified and patched.
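The sketch below is an added example, not code from DarkOwl or from the original article. It shows one way to correlate the techniques observed in an incident with tracked profiles and to extract the shared playbook that most profiles have in common. It assumes TTPs are recorded as MITRE ATT&CK technique IDs; the cluster names, profile contents, and incident records are constructed for illustration.

```python
from collections import Counter

# MITRE ATT&CK IDs for the three TTPs listed above.
PHISHING = "T1566"      # Phishing
RDP = "T1021.001"       # Remote Services: Remote Desktop Protocol
ENCRYPTION = "T1486"    # Data Encrypted for Impact

# Constructed profiles: cluster names and technique sets are hypothetical.
PROFILES = {
    "cluster-A": {PHISHING, ENCRYPTION, "T1490"},       # T1490 Inhibit System Recovery
    "cluster-B": {RDP, ENCRYPTION, "T1110"},            # T1110 Brute Force
    "cluster-C": {PHISHING, RDP, ENCRYPTION, "T1078"},  # T1078 Valid Accounts
}

# Constructed incident records: techniques noted during triage.
INCIDENTS = [
    {"id": "INC-001", "observed": {RDP, "T1110", ENCRYPTION}},
    {"id": "INC-002", "observed": {PHISHING, "T1490"}},
]

def shared_playbook(profiles, min_share=0.6):
    """Techniques used by at least min_share of profiles: detection priorities."""
    counts = Counter(t for techniques in profiles.values() for t in techniques)
    return sorted(t for t, n in counts.items() if n / len(profiles) >= min_share)

def rank_profiles(observed, profiles):
    """Rank profiles by Jaccard similarity to the observed technique set."""
    ranked = []
    for name, techniques in profiles.items():
        union = observed | techniques
        shared = observed & techniques
        score = len(shared) / len(union) if union else 0.0
        ranked.append((name, round(score, 2), sorted(shared)))
    # Highest score first; ties broken by name so output is stable.
    return sorted(ranked, key=lambda r: (-r[1], r[0]))

if __name__ == "__main__":
    print("shared playbook:", shared_playbook(PROFILES))
    for inc in INCIDENTS:
        print(inc["id"], rank_profiles(inc["observed"], PROFILES))
```

A high similarity score is a lead for analysts to investigate, not an attribution, precisely because RaaS affiliates share so many techniques.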
Ransomware’s proliferation is being driven forward by the RaaS business model. For security teams, protection is about information. And that means profiling both RaaS affiliates and the threat actors behind ransomware itself.