Everyone wants to know how to make money on the internet, and there are an endless number of ways to go about it, such as becoming a video game streamer, a digital nomad, or starting up a tech company. These days there's a new, more nefarious option on the table. That is, becoming a hacker, or at the very least, paying to use someone else's ransomware service.
Ransomware-as-a-Service: The New Business Model
Ransomware-as-a-service (RaaS) allows a person to buy ransomware from the deep web and use it in any way they want on whoever they want. It enables cybercriminal gangs to make money from ransomware without having to actually use it themselves, putting them in the same category as counterfeiters who create fake money and sell it rather than using the money they, quite literally, make.
Using ransomware like this is so easy that even a journalist at Bloomberg with limited IT knowledge managed to use it to encrypt his own editor's computer to prove how simple and effective it could be.
They found the ransomware on a deep web forum. The people on the forum were surprisingly helpful and were more than willing to offer people resources to learn more about hacking, ransomware, and cybercrime in general. They took a surprisingly guarded stance towards security as well, with many people working to verify the authenticity of any services or malware sold through the forum.
The 'Ransomware Heist' Begins
The plan was simple: the journalist, Drake Bennet, worked with his editor, Max Chafkin, to stage an attack in which Drake would hit Max with ransomware. In order to protect Max's personal files and the confidential information on his work computer, they bought up several cheap laptops and loaded them with an assortment of files. Drake would then prepare an attack and even announce it ahead of time to give Max all the time needed to put up defenses and hope to stop it.
The legality of the experiment was a little suspect. Maryland recently introduced a bill to criminalize even possessing ransomware, and there are several federal statutes too. Luckily they were operating out of Michigan, which states that "a person shall not knowingly possess ransomware with the intent to use or employ that ransomware, without authorization of the other person." Since Max was aware of the attack, their lawyer reassured them the experiment was perfectly legal, so the game was afoot.
Problems arose when the server that hosted the ransomware went down. The ransomware was to send a signal to a server. Drake would access the server and say that he had received the ransom payment in order to issue the decryption key to Max to get the files back. With the server down, however, there was no way to work things like a real ransomware attack. The day was saved by security expert Joe Stewart, who had helped some of Drake's colleagues in the past to discover a hacker working with the Chinese People's Liberation Army. Stewart modified the code of the ransomware so that it would send a signal to one of his servers instead of the defunct server. That meant that the plan could go ahead.
With the groundwork in place, Drake launched his reverse-engineered ransomware as intended. Almost instantly, Max got an email from Drake with the virus attached. When Max clicked on the attachment, his antivirus software told him not to download it because it was so obviously a piece of malware. Max opened the file, but not a whole lot happened at first. The two exchanged a few messages, wondering what happened, and then all of a sudden a crazy message appeared on the screen.
"Your Files Are Encrypted"
The ransomware successfully installed on Max's test computer and displayed the message stating that the computer's files are encrypted.
After another bit of banter, Drake issued Max with the ransom demand of $100 to be paid in bitcoin. Drake had the option of increasing the demand or outright deleting the decryption key as well but chose to be kind to his boss. After getting a notification that his payment was processing, Drake sent Max the decryption key. Max used the decryptor as instructed, and his files were returned to normal. He got all his useless files back, and Drake got his money, which he later returned. However, there was another problem: the ransom image of the grasping hand was still there.
Given that the experiment wasn't a complete success, Drake came to the conclusion that RaaS seems scary, but it's still some ways off. The cybercrime community seems to agree with him. He spoke to one hacker who said that people take these ransomware programs and try to pass them off as their own.
Ransomware-as-a-Service Is a Ticking Cybercrime Bomb
While it does mean more people have access to ransomware, a lot of them fail, and almost all of the big attacks that make the news are made by the experts who program the malware itself. However, this is bound to change, given how profitable RaaS can be for both the malware developers and the ones purchasing the illicit services. Hackers will likely continue to develop more robust and user-friendly versions of their malware to bridge the knowledge gap and, as a result, increase profits for all parties.