In a recent research report, we followed the infection chain and operation of CryptoWall 3.0 ransomware, focusing on payments made by victims and how those payments eventually aggregate to a small number of Bitcoin wallets – suggesting a well-organized operation.
In this follow-up research, we highlight another growing trend in the ransomware industry, one that cuts the cord between fund collection and malware distribution. This is yet another data point proving the existence of a thriving industry in which multiple economic models exploit the unbearable comfort of cybercrime. We would also like to focus on the insider threat, which is getting more attention due to its impact on the enterprise. Before you ask why insider threat, consider how easily malicious users can wreak havoc, steal confidential data or, worse yet, open up the organization to the dark underworld. We examine what an insider can do once he gets access to the range of services provided by a ransomware distributor.
The Ransomware as a Service (RaaS) model is an emerging concept in which ransomware authors provide customized, on-demand versions of malware to distributors. The ransomware author collects the ransom and shares it with the distributor, a classic “affiliate” distribution model familiar from other domains on the web. Thus, malware authors stay in their comfort zone of writing software, while distributors who specialize in spam, malvertisement or BlackHat SEO create a new revenue stream based on their existing platforms. In classical affiliate marketing, the larger cut goes to the possessor of the product. In RaaS, on the other hand, the ransomware author gets a small cut of the funds (5%-25%) while the rest goes to the distributor (affiliate). The RaaS author receives the ransom from the victim in Bitcoins, and the distributor is assured he’ll get his cut via the anonymous Bitcoin address he used to register. This model, based on TOR and Bitcoins, is designed to keep the identity of both the author and the distributor hidden from law enforcement agencies.
In the last year, quite a few RaaS offerings were spotted. Tox was the pioneer in the field and was first identified in mid-2015. After encrypting the data of at least 1,000 computers, the Tox author decided to get out of the game and attempted to sell his creation. Tox allowed the distributor to set the ransom amount and his Bitcoin wallet address to collect the profits.
Encryptor RaaS is another RaaS, released in July 2015 by an actor who goes by the name of Jeiphoos. At the time of writing this blog entry, its TOR website was still up and running. Encryptor RaaS allows the distributor to configure many ransomware parameters, such as the ransom price, the timeout for payment, the new ransom value once the timeout expires, and the number of files that can be decrypted for free (to prove to the victim that the data is encrypted but intact). Encryptor RaaS also allows the distributor to sign the file containing the ransomware with a code-signing certificate. A valid signature makes the victim (or rather, the victim's operating system) treat the file source as trustworthy, which bypasses many endpoint protection mechanisms that rely on signature validity alone. Past reports indicated that VeriSign had issued the certificate to a Chinese company. Currently, Encryptor RaaS uses a different certificate, issued by WoSign to a suspicious company (Mi You Network Technology Co., Ltd.). Its root certificate is signed by StartCom.
Figure 1 - Encryptor RaaS customization screen
Figure 2 - The certificate used by Encryptor RaaS
During November 2015, an additional RaaS, named Cryptolocker, appeared. The Cryptolocker author identified himself as Fakben and demanded a 50 USD fee from the distributor for the basic ransomware. It allowed the distributor to set the ransom price, his wallet address, and a designated password. Currently, the Cryptolocker RaaS TOR website is down.
A fourth RaaS that surfaced at the beginning of 2016 and is still active is Ransom32. Ransom32 is the first ransomware written in JavaScript, making it relatively easy to adapt to different operating systems. Ransom32 gives the distributor a wide range of customization options in addition to the basic ones introduced by earlier services. Some examples are:
- fully lock the victim's computer upon infection
- evade detection by using low CPU for encryption
- decide whether to display the ransom message before or after encryption
- use a latent timeout, so that the client encrypts the files only once the timeout has expired
Figure 3 - Ransom32 login screen
Figure 4 - Ransom32 statistics and customization page
Being able to distribute spam massively or create effective malvertisement campaigns requires skills and infrastructure. RaaS reduces the set of skills, mainly the technical skills, required for running a successful ransomware campaign.
Ransomware now targeting enterprises
This past February, Hollywood Presbyterian Medical Center reported that its EMR system records had been encrypted and held for ransom. The hospital paid $17,000 in Bitcoins to unlock its data and resume operations. The hospital’s operations were severely affected for a week, and some patients had to be transferred. Lincolnshire County Council's IT was able to recover successfully from a ransomware attack in Jan 2016 by maintaining regular backups. Tewksbury P.D., Massachusetts paid a ransom in Bitcoins back in 2015 to unlock data that had been encrypted by ransomware.
RaaS + Insiders: A deadly combination
Malicious insiders can exploit their inside knowledge of the organization’s unstructured data, of where sensitive data is located, and of their own permissions to encrypt the most valuable data. Moreover, they know what the data is worth to the organization and can estimate how much the organization will agree to pay for its decryption. We are aware that the main motivation for malicious insiders is financial, and using RaaS against the organization is simple, safe, and profitable. Future RaaS customizable parameters might be more specific and include business-related information, such as which network shares hold valuable data or even relevant credentials. It is conceivable that a malicious insider could use RaaS to extort his organization and cause irreparable damage.
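A defender-side heuristic for the scenario above, added here as an example and not part of the original post: it flags a user whose file-server activity is dominated by extension-changing renames spread across several shares, which is what an insider (or their RaaS payload) encrypting data in place looks like in an audit trail. The audit line format, the sample lines and the thresholds are constructed assumptions; proportions rather than rates are used so that a throttled (low-CPU) or delayed encryptor, as Ransom32 offers, is still caught once it has touched enough files.

```python
from collections import defaultdict
from os.path import splitext

# Constructed sample audit log (not from the original post):
# timestamp,user,share,action,path  -- for "rename", path is "old>new".
SAMPLE_AUDIT = """\
2016-03-01T09:00:01,alice,finance,write,Q1.xlsx
2016-03-01T09:00:05,alice,finance,rename,Q1.xlsx>Q1.xlsx.locked
2016-03-01T09:01:10,alice,hr,rename,payroll.csv>payroll.csv.locked
2016-03-01T09:03:22,alice,hr,rename,review.docx>review.docx.locked
2016-03-01T09:07:40,alice,legal,rename,nda.pdf>nda.pdf.locked
2016-03-01T09:12:02,alice,legal,rename,contract.docx>contract.docx.locked
2016-03-01T09:15:00,bob,finance,write,budget.xlsx
2016-03-01T09:16:00,bob,finance,rename,draft.docx>budget_v2.docx
2016-03-01T09:20:00,bob,finance,write,budget_v2.docx
"""

def parse_audit(text):
    """Yield (user, share, action, path) tuples from CSV-style audit lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, user, share, action, path = line.split(",", 4)
        yield user, share, action, path

def suspicious_users(text, min_renames=4, min_shares=2, min_ratio=0.75):
    """Return {user: (extension_changing_renames, sorted_shares)} for users
    whose writes/renames are mostly extension-changing renames on >= min_shares
    shares. Timing is deliberately ignored (thresholds are assumptions)."""
    changed = defaultdict(int)   # renames where the extension changed
    total = defaultdict(int)     # all writes and renames per user
    shares = defaultdict(set)    # shares touched by extension-changing renames
    for user, share, action, path in parse_audit(text):
        if action not in ("write", "rename"):
            continue
        total[user] += 1
        if action == "rename":
            old, _, new = path.partition(">")
            if splitext(old)[1] != splitext(new)[1]:
                changed[user] += 1
                shares[user].add(share)
    hits = {}
    for user, n in changed.items():
        if (n >= min_renames and len(shares[user]) >= min_shares
                and n / total[user] >= min_ratio):
            hits[user] = (n, sorted(shares[user]))
    return hits

if __name__ == "__main__":
    print(suspicious_users(SAMPLE_AUDIT))  # alice is flagged, bob is not
```

Ordinary editing (bob's rename keeps the .docx extension) stays below the ratio, while alice's in-place renames to a new extension across finance, hr and legal trip all three thresholds.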