
A ransomware attack from a cybercriminal’s perspective

by admin

The ransomware attack on the Lazio Region brought the risks associated with attacks of this type to the attention of the media. There has been discussion of extortion models, of attacks on third-party service providers and of credentials available on the dark web, but let’s try to understand the business models behind the criminal enterprise that carries out these attacks.

Let’s start from the concept of Ransomware-as-a-Service (RaaS) and try to understand what we mean when we talk about multiple extortion.

The main criminal gangs behind almost all ransomware attacks implement a RaaS model, i.e. they offer their ransomware and customization services to a network of affiliates whose only job is to distribute the malicious code and infect the greatest number of systems. The gangs provide the malware and retain a fraction of the ransom for themselves, typically 10 to 25 percent of the amount paid by the victims.

What happens if the victims don’t pay
At the end of 2019, a now defunct group known as Maze introduced the concept of double extortion into the criminal ecosystem. The Maze group stole data from victims before encrypting their systems and then threatened to publish the valuable information online on specially structured dark web sites known as leak sites.

The practice is intended to put pressure on victims who would otherwise restore from backups instead of paying a ransom. The publication of the stolen information causes multiple kinds of damage to the victims, from reputational to legal. Today, almost all criminal gangs implement this model.

The evolution of strategies
The model has evolved over time, and there is now talk of triple and quadruple extortion. In the first case, some groups, such as the REvil gang, have made a service available to their affiliates to launch DDoS attacks against victims, making the response to an ongoing incident more complex. We speak of quadruple extortion when criminals make voice calls to the victims’ business partners and to journalists in order to put pressure on the affected companies and force them to pay the ransom.

The attack on the Lazio Region
Returning to the case of the Lazio Region, we mentioned the availability of access credentials to the region’s network, but what does that mean? We have said that the affiliate’s task is to implant the ransomware within the networks of the targeted companies, and to do this it is essential to have privileged access, such as VPN or RDP (Remote Desktop Protocol) credentials, to connect remotely.

How is such access obtained? Once again the criminal enterprise is ready to meet this need, and a model known as Access-as-a-Service (AaaS) has become established.

At the heart of the AaaS model are markets for “remote access”, i.e. online stores that allow their customers to sell, buy or exchange access credentials to compromised websites and web services. This is where an affiliate of a RaaS operation can purchase the credentials to access an organization previously compromised by another criminal group. By combining the RaaS and AaaS models, it becomes remarkably easy for a criminal group with no special skills to buy a ransomware and implant it in the network of a company whose login credentials were already available in the criminal underground.

Remote access can be obtained in various ways: attackers can use RDP, VPN or SSH credentials, credentials for content management systems (CMS) such as WordPress or Magento, or web shells previously implanted in the systems to be attacked.

The turnover
The high earnings behind ransomware campaigns are driving an increasing number of groups to affiliate with major ransomware gangs. To get an idea of the turnover behind these operations, we refer to an analysis by Elliptic, a company specializing in cryptocurrency investigations. Elliptic analyzed the activity of the DarkSide gang, the one that hit Colonial Pipeline before disappearing, and found that the group had earned over $90 million in ransom payments from its victims since October 2020.

The researchers examined the Bitcoin wallets used by the criminal gang to receive ransom payments from victims over a nine-month period, and the resulting figures are staggering. “In total, just over $90 million in Bitcoin ransom payments were made to DarkSide, from 47 separate wallets,” reads the report published by Elliptic. “According to DarkTracer, 99 organizations were infected with DarkSide malware, suggesting that around 47 percent of victims paid a ransom and that the average payment was $1.9 million.” There is therefore no doubt about how profitable this criminal activity is.

Below is the graph of profits over the various months. It must also be considered that on May 13 the group ceased its activities; otherwise we would have seen a month of record takings.

How to deal with this threat
DarkSide implemented a Ransomware-as-a-Service model: the core group kept 25 percent of the ransoms paid, and the percentage dropped to 10 percent if the ransom exceeded $5 million. Under these conditions, the Elliptic experts estimate that DarkSide earned about $15.5 million in a few months, with the rest shared among the affiliate network. If you consider that DarkSide was just one of the dozens of gangs that crowd the dark web offering affiliate services, you can see that the overall turnover is in the order of several billion dollars.

The example shown gives an idea of the multi-million-dollar earnings behind the ransomware threat, revenue that pushes major groups to improve their malware, making it more evasive and capable of targeting an increasing number of platforms to maximize the impact on victims.

There is no doubt that in the future an increasing number of criminal actors will use the RaaS model for their illegal activities. For this reason, a holistic approach to the problem, based on sharing information about the growing threat, is needed.
