Ransomware as a Service (RaaS): the subscription service that most affects companies

By Caique Barqueta

Ransomware attacks are constantly on the rise. This increase is driven by a new sales model known as "Ransomware-as-a-Service" (RaaS). The model is subscription-based and allows affiliates (the buyers) to carry out attacks using ransomware tools that have already been developed. In return, affiliates earn a percentage of each successful ransom payment they collect.

Ransomware-as-a-Service adapts the Software-as-a-Service (SaaS) business model: criminal actors no longer need the skill to write their own ransomware code; they simply purchase access on demand and receive a share of the ransom.

Trend Micro, in its Threat Report, noted a 63.2% increase in Ransomware-as-a-Service activity and new extortion groups in 2022.

Before looking at some of the new operators covered in this report, we illustrate below the number of Indicators of Compromise (IoCs) that the ISH intelligence team collects daily through GTI (Global Threat Intelligence).

Indicators of Compromise (IoCs)

Below, we illustrate the number of Indicators of Compromise (IoCs) handled daily by the GTI, covering different indicator types such as MD5, SHA1 and SHA256 hashes, malicious IP addresses and others.

Ransomware

83,288 Indicators of Compromise (IoCs) from various Ransomware families were detected, as shown in the image below:

In addition to the indicators already listed, the ISH Heimdall team has focused on enriching the threat database, adding 436,461,027 Indicators of Compromise (IoCs) in the last 30 days.

IP addresses

Another key trace that threat actors leave, and that helps identify them, is the IP address. It is valuable information for tracking and studying threat actors, and it allows organizations to protect themselves against domains and IP addresses classified as malicious.

ISH collects and analyzes the malicious activity of these main offenders daily, as shown in the screenshot below: from 29/10 to 29/11 we collected and analyzed 18,017,176 malicious IP addresses, which were promptly shared with customers via MISP.

Figure 2 - Geolocation of malicious IP addresses handled by the GTI

How does the RaaS model work?

For RaaS to work, the operator needs ransomware that has been coded and developed by capable, trusted developers, so that affiliates sign up and distribute the malware.

RaaS developers create malicious code with a high chance of successful intrusion and a low detection rate by security solutions.

After development, the ransomware is adapted to a multi-end-user infrastructure so that it can be licensed to several affiliates. These affiliates receive integration documentation and a step-by-step guide to launching ransomware attacks.

Some RaaS distributors even provide affiliates with a dashboard to monitor the status of each ransomware infection attempt, as is the case with the operators of the Eternity ransomware.

Figure 3 - Eternity's RaaS portal for selling the artifact.

For a better understanding, we outline below the difference between ransomware operators and affiliates and their respective responsibilities:

RaaS operators:

  • Recruit affiliates on forums.
  • Give affiliates access to a "create your own ransomware payload" panel.
  • Create a dedicated "Command and Control" panel for the affiliate to track the payload.
  • Set up a payment portal for victims.
  • "Help" affiliates negotiate with victims.
  • Manage a dedicated leak site.

RaaS affiliates:

  • Pay to use the ransomware and agree to a service fee per ransom collected.
  • Identify target victims.
  • Set ransom demands.
  • Configure post-compromise user messages.
  • Compromise the victim's assets.
  • Maximize infection using "living off the land" techniques.
  • Execute the ransomware.
  • Communicate with the victim via chat portals or other communication channels.
  • Manage the decryption keys.

There are four common RaaS revenue models:

  1. Monthly subscription for a fixed fee;
  2. Affiliate programs, which are the same as a monthly fee model, but with a percentage of the profits (usually 20-30%) going to the ransomware developer;
  3. One-off license fee with no profit sharing;
  4. Profit sharing.

Examples of RaaS

Below, we list the main RaaS operators:

DarkSide: a RaaS operation associated with an eCrime group. It focuses on Windows machines and has expanded to Linux, targeting corporate environments running unpatched VMware ESXi hypervisors or stealing vCenter credentials.

REvil: also known as Sodinokibi, it has been identified as the ransomware behind one of the largest ransom demands ever recorded, approximately US$10 million. The RaaS is sold under the affiliate model and usually takes 40% of the profits. REvil warns victims about the data leak by posting on its data leak site (DLS) blogs, including sample data as proof.

LockBit: in operation since mid-September 2019, LockBit is offered as a RaaS and is also advertised on its data leak website, as shown in the image below with a message to affiliates.

In addition to those mentioned above, the Heimdall team identified new groups of ransomware operators at work, such as AXLocker, Octocrypt and Alice, and analyzed relevant artifacts in order to understand their behavior.

AXLocker ransomware

The ransomware operators have created yet another tool, called AXLocker, which encrypts various types of files and renders them completely unusable. In addition, the ransomware steals Discord tokens from the victim's machine and sends them to its server, after which a ransom note is displayed on the victim's system with instructions for obtaining the decryption tool needed to recover the encrypted files.

For the technical analysis, the sample with SHA256 hash c8e3c547e22ae37f9eeb37a1efd28de2bae0bfae67ce3798da9592f8579d433c was examined; preliminary analysis shows it to be a 32-bit GUI executable compiled for .NET.

Figure 6 - Static information of the malicious artifact analyzed.

Static analysis revealed that it uses the EncryptFile, AES Decrypt and AES Encrypt functions to encrypt data.

Another finding is that the ransomware accesses the following folders in order to exfiltrate data from them:

  • \Discord
  • \discordcanary
  • \discordptb
  • \\Opera Software\Opera Stable
  • \Google\Chrome\User Data\Default
  • \BraveSoftware\Brave-Browser\User Data\Default
  • \Yandex\YandexBrowser\User Data\Default
  • \Local Storage\leveldb

In addition, the ransomware's startencryption() function contains code to search for files by enumerating the directories on the C:\ drive. It looks for specific file extensions to encrypt and excludes a list of directories from the encryption process. Examples of extensions the ransomware targets:

.rar, .zip, .m3u, .m4a, .mp3,
.wma, .ogg, .wav, .sqlite, .sqlite3,
.img, .nrg, .doc, .docx, .docm,
.odt, .rtf, .wpd, .wps, .csv,
.key, .pdf, .pps, .ppt, .pptm,
.pptx, .psd, .vcf, .xlr, .xls,
.xlsx, .xlsm, .ods, .odp, .indd,
.dwg, .dxf, .kml, .kmz, .gpx,
.cad, .wmf, .txt, .3fr, .ari,
.arw, .bay, .bmp, .cr2, .crw,
.cxi, .dcr, .dng, .eip, .erf,
.fff, .gif, .iiq, .j6i, .k25,
.kdc, .mef, .mfw, .mos, .mrw,
.nef, .nrw, .orf, .pef, .png,
.raf, .raw, .rw2, .rwl, .rwz,
.sf2, .srf, .srw, .x3f, .jpg,
.jpeg, .tga, .tiff, .tif, .3g2,
.3gp, .asf, .avi, .flv, .m4v,
.mkv, .mov, .mp4, .mpg, .swf,
.vob, .wmv

After execution, the malicious payload hides itself in the folder from which it was run; during analysis this appeared as a way of concealing itself within the operating system.

After encryption, the ransomware displays a "task" message window warning that the files have been encrypted, as shown in the image below:

As for encryption, this ransomware does not change the name or extension of the file, but only encrypts the file content, as shown below:

Figure 8 - Encrypted file.

Finally, we conclude that the ransomware calls the ProcessFile function, which in turn executes the EncryptFile function identified earlier and begins encrypting the files with AES.
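Because AXLocker keeps the original file name and extension and only replaces the content, monitoring for renamed files or new extensions will not catch it; a content check on decoy ("canary") files will. The script below is an added example written from the defender's side, not code from the report or from the analyzed sample: it measures the Shannon entropy of canary files whose extensions appear in the list above and flags files whose content has become near-random, which is what AES output looks like. The canary directory, the entropy threshold and the extension subset are assumptions.

```python
from __future__ import annotations

import math
import os
import sys
from pathlib import Path
from typing import Iterable

# Subset of the extensions the report lists as targeted by AXLocker. Assumption: only
# plain-text formats are used as canaries, because an intact file of these types is
# low-entropy and an encrypted one is not.
TARGETED_EXTENSIONS = {".txt", ".csv", ".rtf"}

# Bits per byte; 8.0 is the maximum and AES output sits very close to it (assumed threshold).
ENCRYPTED_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte, from 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for byte in data:
        counts[byte] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def looks_encrypted(data: bytes, threshold: float = ENCRYPTED_THRESHOLD) -> bool:
    """True when the content is near-uniformly random, as ciphertext is."""
    return shannon_entropy(data) >= threshold


def scan_canaries(paths: Iterable[Path]) -> list[Path]:
    """Return the canary files whose content now looks encrypted.

    AXLocker does not rename files, so the path still ends in the original extension;
    only the content changes. Compressed formats (.zip, .jpg, .docx) are high-entropy
    even when intact and must not be used as canaries.
    """
    return [
        p for p in paths
        if p.is_file()
        and p.suffix.lower() in TARGETED_EXTENSIONS
        and looks_encrypted(p.read_bytes())
    ]


def demo() -> tuple[float, float]:
    """Constructed sample: a CSV canary versus random bytes standing in for AES output."""
    plaintext = b"invoice,customer,amount\n" + b"2022-11-29,ACME,1200.00\n" * 40
    ciphertext = os.urandom(4096)  # stand-in for encrypted content
    return shannon_entropy(plaintext), shannon_entropy(ciphertext)


if __name__ == "__main__":
    # Assumption: the canary directory is passed as the first argument.
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")
    for hit in scan_canaries(root.rglob("*")):
        print(f"possible encryption of canary file: {hit}")
```

Run it from a scheduled task against a directory of planted text canaries and alert on any path it prints. Text formats only: .zip, .mp3, .jpg or .docx canaries already score near 8 bits per byte when intact and would be flagged before anything happened to them.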

After encryption, the ransomware collects the hostname, username, machine IP address, system UUID and Discord tokens and sends them to the C2 identified by the URL: https://discord.com/api/webhooks/1039930467614478378/N2J80EuPMXSWuIBpizgDJ-75CB6gzTyFE72NQ0DJimbA7xr.
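The C2 above is a Discord webhook, so the exfiltration travels over HTTPS to a popular and normally allowed domain; what gives it away is the endpoint path and the process making the request. The following detection is an added example, not part of the report: it runs over constructed proxy log lines in a simplified '<timestamp> <host> <process> <method> <url> <status>' format (assumed; adapt the parser to your proxy or EDR export) and alerts on POSTs to discord.com/api/webhooks/ from processes that have no reason to talk to Discord. The webhook ids, tokens and process names in the sample lines are constructed placeholders.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable

# Matches Discord webhook URLs like the C2 above and captures the webhook id and token.
WEBHOOK_RE = re.compile(
    r"https?://(?:[\w-]+\.)?discord(?:app)?\.com/api/webhooks/(\d+)/([A-Za-z0-9_-]+)"
)

# Assumption: processes from which traffic to the Discord API is expected in this environment.
# Workstations rarely have a reason to POST to webhooks at all; tune this list to your estate.
EXPECTED_PROCESSES = {"discord.exe", "chrome.exe", "firefox.exe", "msedge.exe"}

# Constructed sample log: '<ts> <host> <process> <method> <url> <status>'.
SAMPLE_LOG = [
    "2022-11-29T10:15:02Z WKS-042 discord.exe POST https://discord.com/api/v9/channels/1/messages 200",
    "2022-11-29T10:15:07Z WKS-042 payload.exe POST https://discord.com/api/webhooks/000000000000000000/WEBHOOK_TOKEN_PLACEHOLDER 204",
    "2022-11-29T10:15:09Z WKS-017 chrome.exe GET https://example.com/ 200",
    "2022-11-29T10:16:30Z SRV-003 powershell.exe POST https://discord.com/api/webhooks/111111111111111111/ANOTHER_TOKEN_PLACEHOLDER 204",
]


@dataclass
class Alert:
    ts: str
    host: str
    process: str
    webhook_id: str
    token_hint: str  # only a prefix of the token is kept in the alert itself


def parse_line(line: str) -> tuple[str, ...] | None:
    """Split one log line into its six fields; return None for malformed lines."""
    parts = line.split()
    return tuple(parts) if len(parts) == 6 else None


def detect_webhook_exfil(lines: Iterable[str]) -> list[Alert]:
    """Flag POSTs to Discord webhooks from processes not expected to call the Discord API."""
    alerts: list[Alert] = []
    for line in lines:
        parsed = parse_line(line)
        if not parsed:
            continue
        ts, host, process, method, url, _status = parsed
        match = WEBHOOK_RE.search(url)
        if not match or method.upper() != "POST":
            continue
        if process.lower() in EXPECTED_PROCESSES:
            continue
        webhook_id, token = match.groups()
        alerts.append(Alert(ts, host, process, webhook_id, token[:4] + "..."))
    return alerts


if __name__ == "__main__":
    for a in detect_webhook_exfil(SAMPLE_LOG):
        print(f"{a.ts} {a.host} {a.process} -> webhook {a.webhook_id} (token {a.token_hint})")
```

The alert deliberately keeps only a prefix of the webhook token; the full URL stays in the proxy log, which is what the analyst needs for containment, since the webhook can be reported to Discord for removal while the requesting host is isolated.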

Octocrypt Ransomware

A new ransomware operator has been identified that targets all versions of the Windows operating system. Its developer compiled the threat in Golang. It operates as Ransomware-as-a-Service (RaaS) and appeared on forums, in posts aimed at cybercriminals, around October 2022.

The advertisement identified stated that the ransomware has the following features:

  • Builder, encryptor and decryptor written in Golang;
  • Encryption on all Windows versions;
  • Encryption of documents, photos, databases, drives, etc.;
  • Encryption using AES-256-CTR;
  • Secure key exchange with ECDSA;
  • Simple web interface for building encryptors and decryptors;
  • Dynamic compilation obfuscation;
  • Easy configuration of the web interface via Docker;
  • Changing the desktop background after infection.

Figure 9 - Post advertising Octocrypt, written in Golang.

The ransomware was advertised for US$400.00, with support channels such as Telegram. The seller also published several screenshots, as shown below:

In the analysis of the malicious artifact with SHA256 9a557b61005dded36d92a2f4dafdfe9da66506ed8e2af1c851db57d8914c4344, we can see that it is packed. Some relevant strings were identified before execution, such as the contents of the ransom note created by the ransomware.

Figure 11 - Contents of the ransom note for the malicious artifact

In summary, this ransomware enumerates the folders on the host and begins encrypting files with the AES-256 algorithm, changing the file extension to .octo. It then drops the ransom note as a file named "INSTRUCTIONS.html" and changes the victim's wallpaper, demanding payment of the ransom to a specific Monero wallet address.

Before running, the ransomware checks that the system is connected to the internet and then tests the TCP connection to the API URL.
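Two artifacts of this behavior are visible to a file-activity sensor: a burst of renames to the .octo extension and the creation of INSTRUCTIONS.html. The code below is an added example (not from the report or the sample) that runs over constructed file events in an assumed '<timestamp> <host> <process> <action> <path>' format, groups them per host and process, and alerts when either indicator appears. The rename threshold, the time window and the process name payload.exe are assumptions.

```python
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Iterable

RANSOM_EXTENSION = ".octo"         # extension Octocrypt appends (from the report)
RANSOM_NOTE = "INSTRUCTIONS.html"  # ransom note file name (from the report)
RENAME_THRESHOLD = 5               # assumption: renames to .octo that trip the alert
WINDOW = timedelta(seconds=10)     # assumption: sliding window for the threshold

# Constructed sample events: '<iso-ts> <host> <process> <action> <path>'.
SAMPLE_EVENTS = [
    "2022-11-29T10:15:00 WKS-042 winword.exe rename C:\\Users\\ana\\Documents\\report.docx",
    "2022-11-29T10:15:01 WKS-042 payload.exe rename C:\\Users\\ana\\Documents\\report.docx.octo",
    "2022-11-29T10:15:01 WKS-042 payload.exe rename C:\\Users\\ana\\Documents\\budget.xlsx.octo",
    "2022-11-29T10:15:02 WKS-042 payload.exe rename C:\\Users\\ana\\Pictures\\img001.jpg.octo",
    "2022-11-29T10:15:02 WKS-042 payload.exe rename C:\\Users\\ana\\Pictures\\img002.jpg.octo",
    "2022-11-29T10:15:03 WKS-042 payload.exe rename C:\\Users\\ana\\Desktop\\notes.txt.octo",
    "2022-11-29T10:15:04 WKS-042 payload.exe create C:\\Users\\ana\\Desktop\\INSTRUCTIONS.html",
    "2022-11-29T10:20:00 WKS-017 chrome.exe create C:\\Users\\bob\\Downloads\\INSTRUCTIONS.txt",
]


@dataclass
class FileEvent:
    ts: datetime
    host: str
    process: str
    action: str  # "create" or "rename"
    path: str    # for renames, the new path


@dataclass
class Alert:
    host: str
    process: str
    reasons: list[str] = field(default_factory=list)


def parse_event(line: str) -> FileEvent | None:
    """Parse one event line; paths may contain spaces, so split at most four times."""
    parts = line.split(maxsplit=4)
    if len(parts) != 5:
        return None
    ts, host, process, action, path = parts
    return FileEvent(datetime.fromisoformat(ts), host, process, action, path)


def detect(lines: Iterable[str]) -> list[Alert]:
    """Alert per (host, process) on a rename burst to .octo or a dropped INSTRUCTIONS.html."""
    events = sorted((e for e in map(parse_event, lines) if e), key=lambda e: e.ts)
    renames: dict[tuple[str, str], deque[datetime]] = defaultdict(deque)
    alerts: dict[tuple[str, str], Alert] = {}

    def raise_alert(key: tuple[str, str], reason: str) -> None:
        alert = alerts.setdefault(key, Alert(*key))
        if reason not in alert.reasons:
            alert.reasons.append(reason)

    for e in events:
        key = (e.host, e.process)
        file_name = e.path.rsplit("\\", 1)[-1]
        if e.action == "create" and file_name == RANSOM_NOTE:
            raise_alert(key, f"ransom note {RANSOM_NOTE} dropped at {e.path}")
        if e.action == "rename" and e.path.lower().endswith(RANSOM_EXTENSION):
            window = renames[key]
            window.append(e.ts)
            while window and e.ts - window[0] > WINDOW:  # drop renames outside the window
                window.popleft()
            if len(window) >= RENAME_THRESHOLD:
                raise_alert(key, f"{RENAME_THRESHOLD}+ files renamed to {RANSOM_EXTENSION} "
                                 f"within {WINDOW.seconds}s")
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a.host} {a.process}: " + "; ".join(a.reasons))
```

Either indicator alone is worth an alert: the note is the cheaper, exact match, while the rename burst catches the encryption while it is still running and before the note is written.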

After analyzing the behavior of these ransomware families, we list below the Tactics, Techniques and Procedures (TTPs) they use.

TTPs identified

Tactic: Execution

  • T1059 - Command and Scripting Interpreter.
  • T1204 - User Execution (the artifact is run by the user).
  • T1047 - Windows Management Instrumentation (WMIC).

Tactic: Defense Evasion

  • T1497 - Virtualization/Sandbox Evasion.

Tactic: Credential Access

  • T1528 - Steal Application Access Token.

Tactic: Discovery

  • T1087 - Account Discovery.
  • T1082 - System Information Discovery.
  • T1083 - File and Directory Discovery.

Tactic: Persistence

  • T1547.001 - Registry Run Keys / Startup Folder.
  • T1053 - Scheduled Task/Job.

Tactic: Command and Control

  • T1071 - Application Layer Protocol.

Tactic: Impact

  • T1486 - Data Encrypted for Impact.

Tactic: Exfiltration

  • T1020 - Automated Exfiltration.

Indicators of Compromise

ISH Tecnologia handles a number of Indicators of Compromise collected through open sources, closed sources and analysis carried out by the Heimdall security team. In view of this, below we list all the Indicators of Compromise (IoCs) related to the analysis of the artifact(s) in this report:

Analyzed malicious artifact 1

  • md5: a18ac3bfb1be7773182e1367c53ec854
  • sha1: c3d5c1f5ece8f0cf498d4812f981116ad7667286
  • sha256: c8e3c547e22ae37f9eeb37a1efd28de2bae0bfae67ce3798da9592f8579d433c
  • Imphash: f34d5f2d4577ed6d9ceec516c1f5a744
  • Authentihash: 4e66b0300b44f80b12619c3a6ad6906cf31018f67b2c6bd99ce62637a525b4a2
  • Size in bytes: 74752

Analyzed malicious artifact 2

  • md5: ad1c2d9a87ebc01fa187f2f44d9a977c
  • sha1: 03d871509a7369f5622e9ba0e21a14a7e813536d
  • sha256: d9793c24290599662adc4c9cba98a192207d9c5a18360f3a642bd9c07ef70d57
  • Imphash: f34d5f2d4577ed6d9ceec516c1f5a744
  • Authentihash: bbb846f427711ff608da75e4dc5a6e816d508ff1798b90a2abea3c511c61f590
  • Size in bytes: 90624

Analyzed malicious artifact 3

  • md5: 9be47a6394a32e371869298cdf4bdd56
  • sha1: ca349c0ddd6cda3a53ada634c3c1e1d6f494da8a
  • sha256: 9e95fcf79fac246ebb5ded254449126b7dd9ab7c26bc3238814eafb1b61ffd7a
  • Imphash: f34d5f2d4577ed6d9ceec516c1f5a744
  • Authentihash: 5015f41c8f309b7d52e7e1adb2d45285daa003ca1cb649d44998dab67d9f14ac
  • Size in bytes: 413696

Analyzed malicious artifact 4

  • md5: 07563c3b4988c221314fdab4b0500d2f
  • sha1: a5f53c9b0f7956790248607e4122db18ba2b8bd9
  • sha256: 0225a30270e5361e410453d4fb0501eb759612f6048ad43591b559d835720224
  • Imphash: f34d5f2d4577ed6d9ceec516c1f5a744
  • Authentihash: f9dfc44a1a52c15b633782931ee2dae0b8f21ff0a7f41db626151edb0ae514f9
  • Size in bytes: 1547264

Analyzed malicious artifact 5

  • md5: ab2c19f4c79bc7a2527ab4df85c69559
  • sha1: 60a692c6eaf34a042717f54dbec4372848d7a3e3
  • sha256: d51297c4525a9ce3127500059de3596417d031916eb9a52b737a62fb159f61e0
  • Imphash: f34d5f2d4577ed6d9ceec516c1f5a744
  • Authentihash: e2f5d36c75e1289051613a4ba84a2c0b9b0b0fda69c961b623be075aa09d8cf5
  • Size in bytes: 71168

Analyzed malicious artifact 6

  • md5: 346e7a626d27f9119b795c889881ed3d
  • sha1: ce25203215f689451a2abb52d24216aec153925a
  • sha256: 9a557b61005dded36d92a2f4dafdfe9da66506ed8e2af1c851db57d8914c4344
  • Imphash: 9cbefe68f395e67356e2a5d8d1b285c0
  • Authentihash: aaa6af90f28c35da27e32cd1d307498760366fdec81d91beb15315dc0f112795
  • Size in bytes: 5054976

Analyzed malicious artifact 7

  • md5: 5a39a2c4f00c44e727c3a66e3d5948c2
  • sha1: 07e7341b86ace9935c4f1062d41a94f3b31f9bf6
  • sha256: 65ad38f05ec60cabdbac516d8b0e6447951a65ca698ca2046c50758c3fd0608b
  • Imphash: 9cbefe68f395e67356e2a5d8d1b285c0
  • Authentihash: faf8f5d166135deaaef70c115cf18e95468a5ab7703f04c3a27780bcb05ac374
  • Size in bytes: 5054976

Analyzed malicious artifact 8

  • md5: 2afdbca6a8627803b377adc19ef1467d
  • sha1: 13a0ce1c3ac688c55ba3f7b57fb6c09ad0e70565
  • sha256: e65e3dd30f250fb1d67edaa36bde0fda7ba3f2d36f4628f77dc9c4e766ee8b32
  • Imphash: 6ed4f5f04d62b18d96b26d6db7c18840
  • Authentihash: 6213361e9f102fe42b033da2dc97f5ce6c8ce3d133ff2430286f5f969c8181f0
  • Size in bytes: 1936896

Analyzed malicious artifact 9

  • md5: 8dea06f2ba3faf074876e78324412375
  • sha1: 1a3f94b59728358da7c149f240a734293492a7d2
  • sha256: a7528fefccbb36949a97476e4717bc0af1359c13d028a5df6a5c8c8687d851e8
  • Imphash: 9cbefe68f395e67356e2a5d8d1b285c0
  • Authentihash: f5627003a7c26ff0ddf43dc8dd512fb833f34908a84f7a2203a27632208b9ea9
  • Size in bytes: 5054976

Mitigation

Below we list some security recommendations to adopt across all of your organization's assets and infrastructure.

  • Implement strong passwords;
  • Enable multi-factor authentication (MFA);
  • Re-evaluate and simplify user account permissions;
  • Always have backups of the entire system and snapshots/images of the local machine prepared and stored securely so that they can be used in the event of ransomware;
  • Use tools to monitor e-mails, the network and other methods of inputting and outputting files and company data, in order to immediately identify potentially malicious files;
  • We also recommend using the information extracted by consuming the IOCs in continuous infrastructure monitoring tools.
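Consuming the indicators above in monitoring tooling, as the last recommendation suggests, starts with matching file hashes against the IoC table. The script below is an added example, not ISH's own tooling: it parses hashes written in the table's "label:value" form, streams every file under a directory through MD5, SHA1 and SHA256, and reports matches. Only two of the nine artifacts are embedded (the AXLocker and Octocrypt samples analyzed above); paste the remaining rows into REPORT_IOCS in the same format. Imphash and Authentihash lines are skipped because hashlib cannot recompute them.

```python
from __future__ import annotations

import hashlib
import re
import sys
from pathlib import Path

# Two entries copied from the report's IoC table (AXLocker and Octocrypt samples);
# add the remaining entries in the same "label:value" format.
REPORT_IOCS = """
md5:a18ac3bfb1be7773182e1367c53ec854
sha1:c3d5c1f5ece8f0cf498d4812f981116ad7667286
sha256:c8e3c547e22ae37f9eeb37a1efd28de2bae0bfae67ce3798da9592f8579d433c
Imphash:f34d5f2d4577ed6d9ceec516c1f5a744
md5:346e7a626d27f9119b795c889881ed3d
sha1:ce25203215f689451a2abb52d24216aec153925a
sha256:9a557b61005dded36d92a2f4dafdfe9da66506ed8e2af1c851db57d8914c4344
Imphash:9cbefe68f395e67356e2a5d8d1b285c0
"""

# Only the digests hashlib can recompute; Imphash/Authentihash lines fall through.
HASH_LINE = re.compile(r"^(md5|sha1|sha256)\s*:\s*([0-9a-fA-F]+)$", re.IGNORECASE)


def parse_ioc_block(text: str) -> set[str]:
    """Extract lower-case MD5/SHA1/SHA256 digests from 'label:value' lines."""
    iocs: set[str] = set()
    for line in text.splitlines():
        match = HASH_LINE.match(line.strip())
        if match:
            iocs.add(match.group(2).lower())
    return iocs


def digests_of(data: bytes) -> dict[str, str]:
    """MD5, SHA1 and SHA256 of an in-memory buffer (used for small inputs and tests)."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def digests_of_file(path: Path, chunk_size: int = 1 << 20) -> dict[str, str]:
    """Stream the file through all three hashers so large artifacts need not fit in memory."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def matched_algorithms(digests: dict[str, str], iocs: set[str]) -> list[str]:
    """Names of the digest algorithms whose value appears in the IoC set."""
    return [name for name, value in digests.items() if value.lower() in iocs]


def scan_directory(root: Path, iocs: set[str]) -> list[tuple[Path, list[str]]]:
    """Walk `root` and return (path, matched algorithms) for every file that hits an IoC."""
    hits: list[tuple[Path, list[str]]] = []
    for path in root.rglob("*"):
        if path.is_file():
            algos = matched_algorithms(digests_of_file(path), iocs)
            if algos:
                hits.append((path, algos))
    return hits


if __name__ == "__main__":
    # Assumption: the directory to scan is passed as the first argument.
    iocs = parse_ioc_block(REPORT_IOCS)
    for path, algos in scan_directory(Path(sys.argv[1]), iocs):
        print(f"IoC match ({', '.join(algos)}): {path}")
```

Hash matching only catches the exact builds listed, which is why the report also publishes Imphash and Authentihash values: those survive small changes to the binary and belong in the EDR or sandbox rules that can compute them.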

References:

  • Heimdall by ISH Tecnologia
  • GTI by ISH Tecnologia
  • VX-underground
  • MalwareBazaar