RaaS for loan for whomever is after your data

August 10, 2017


Ransomware as a service (RaaS) lets malicious parties use ready-made malware to extort their victims of choice. Available online, these cyber-crime-for-lease deals are making the digital environment even worse. Until now, only those who had hacking abilities could (in theory) pose serious cyber-security threats. Now, even those who cannot code can launch devastating cyber-attacks by using rented weapons.

One of the latest well-known RaaS instances works by sharing the extorted money between the ransomware developers and the cyber attacker, in a 30/70 proportion.

The convenience of digital theft

While the inner psychology of digital theft cannot be too far from the mechanisms that enable physical theft, there is one extra detail. Digital theft is very convenient when done right. The criminals don’t even need to leave the comfort of their own homes. As long as the cyber-attackers erase all incriminating trails that might lead back to their lair, stealing is as easy as pressing a button.

Any extra convenience for the attacker therefore does the innocent potential victims out there no favors. Just think of how many morally faulty individuals would suddenly be enabled by hackers’ tools available “to rent”. Locking people out of their own devices and their own data just got a whole lot easier, and that is not good news.

Business Insider managed to interview a teen hacker, a RaaS author. The ease with which Tox speaks of making money out of his creation is frightening. It makes one think of a wild young animal that goes hunting in a luxurious jungle: the continually developing digital jungle.

RaaS changes the ransomware attack parameters

The same source quotes cyber-crime specialist Brian Krebs in explaining how RaaS authors will make money twice. Firstly, they gain their share from the split deal with the active cyber-attackers employing their software. Secondly, the same entities may intervene and mediate the payments, in a twisted “customer service” approach. It seems to get weirder and weirder.

That is because suffering a cyber attack is as real as it gets, if and when it happens. No more nice talks, no point in belated cyber-security training sessions. The victims just want help. They desperately want a solution to make things good again. Ransomware counts precisely on this logic. For a certain sum of money, the attackers will let go of the prisoner: the data, the computer, the device… The malicious attackers are one and the same as the rescuers, for a considerable fee, that is.

However, when cyber-criminals take hold of the victim’s digital possessions via a rented tool, the equation changes a bit. The attackers are mere petty thieves working with tools crafted by someone else. Not that the ransomware authors would be more honorable when attacking themselves. It’s just that this is a new low. Threats are everywhere, coming from people who could have seemed truly harmless before. Not a nice image to picture, is it?

RaaS, predicted years ago, yet blossoming now

What led the criminal underground to make this digital weapon available now? Talented coders on the dark side are making their products available to just anybody willing to unleash cyber-attacks upon the world. Why is that?

Perhaps striving to find a plausible answer is not the main goal here. It suffices to acknowledge the fact that we are there, on the brink of endless malicious possibilities. Perhaps it all has to do with IoT and its anticipated structure, powers and vulnerabilities. Perhaps not.

Some ransomware authors, like the ones that produced Stampado, offer their product in exchange for a lifetime license. Others want a share of the prey. In time, surely, more options will emerge. Trend Micro researchers have noticed an accelerated attack-payment timeline. The newer versions press victims for faster payments, or else they demonstrate their ability to delete data.

A brave, dangerous new world

In conclusion, with RaaS, anyone can act like a hacker and demand money in exchange for access to a person’s digital data or device. Just as democratically, anyone can be a victim. The ransom amount is probably what makes the difference between companies and mere individuals. Nevertheless, there’s no safety guarantee. Imagine you consider your data unimportant and your finances insignificant: where would you hang a sign announcing this to your potential digital robbers?

Perspectives like this underline the importance of keeping informed and staying prepared. There is such a thing as cyber-security hygiene, and it encompasses all the old-school, basic rules: security awareness training, and learning the importance of privacy protection and of vigilance. It might not serve as an impenetrable shield against potential attacks, but at least it improves your chances. Whether you act as a digital-era individual or on behalf of your department or your company, going through these steps may not seem impressive, but it’s important. And in the long run, it might just make the difference between being a victim and being the one that escaped the clutches of cyber-attackers.