2019-present – ransomware-as-a-service

2019 was the year of the rise of ransomware-as-a-service programs, and it is still the main trend today. Multiple ransomware developers started to offer their products to various threat actors in exchange for a percentage of the ransom received.

REvil, LockBit, Ragnar Locker, Nefilim – these are just some of the ransomware families distributed under the ransomware-as-a-service model. Although multiple threat actors may use the same ransomware strain, their tactics, techniques, and procedures may be very diverse.

At the same time, nowadays most ransomware-as-a-service programs affiliates share the same approach – they exfiltrate data before actual ransomware deployment. The trendsetters for this technique were the Maze ransomware affiliates back in 2019, but nowadays almost all threat actors involved in such attacks have their own Data Leak Site (DLS).

Here is an example of a DLS used by DoppelPaymer ransomware affiliates:

Figure 1.7 – DoppelPaymer's DLS

Usually, affiliates do not perform the whole attack life cycle, but rather use other threat actors' services. For example, threat actors may cooperate with initial access brokers, who provide them with access to compromised corporate networks. In some cases, they may pay additional pentesters for privilege escalation or defense evasion, so they can deploy ransomware enterprise-wide and nothing can stop them.

Depending on the role, the threat actors involved in the project may receive various percentages from the obtained ransom payment. Usually, ransomware developers, who run the program, receive around 20%, affiliates receive around 50%, initial access brokers 10%, and the rest goes to additionally hired threat actors, for example pentesters or negotiators.

Ransomware-as-a-service is extremely common nowadays. According to Group-IB's report Ransomware Uncovered 2020/2021 (https://www.group-ib.com/resources/threat-research/ransomware-2021.html), 64% of all ransomware attacks were performed in 2020 by RaaS affiliates.

Who was behind ransomware-as-a-service programs?

One of the NetWalker ransomware affiliates, Sebastien Vachon-Desjardins, who is a Canadian national, was charged in January 2021, and is alleged to have raked in more than $27.6 million overall from his ransomware activities.

Another example is a couple of Egregor ransomware affiliates, who were arrested in Ukraine with help of French authorities, who traced ransom payments to them.

Another example is the Cl0p ransomware affiliates, who helped threat actors with money laundering, and were also arrested in Ukraine in June 2021. There's a video available from this operation at https://youtu.be/PqGaZgepNTE.

As you can see, ransomware-as-a-service programs allowed many cybercriminals to join the big game with ease, even if they lacked skills and capabilities. Of course, this fact played an important role in making human-operated ransomware attacks the cyberpandemic.