More Than 25 Hacker Groups Offer Ransomware-as-a-Service
According to a new report published by researchers at Intel 471, more than 25 hacker groups are currently offering their services under the Ransomware-as-a-Service (RaaS) model. In practice this means they lease their ransomware to other criminals: the RaaS developers supply ready-made ransomware code, and their affiliates rent it, customize it, and deploy it in attacks of their own choosing.
Rented ransomware can be distributed through targeted phishing campaigns, mass spam emails, the use of compromised RDP credentials, or by exploiting vulnerabilities in various network devices. The only common denominator in these attacks is the ultimate goal: gaining access to the internal network of a victim company.
The ransoms that the affiliates "earn" from these attacks are routed first to the RaaS developers, who keep an agreed percentage as their cut and forward the remaining amount to their "clients."
That figure of more than 25 active RaaS operations on the black market is, the Intel 471 analysts note, considerably higher than many cybersecurity experts had previously estimated.
Three Levels of RaaS Malware
The researchers also point out that not all RaaS offerings are the same and divide the malware into three levels based on complexity, features, and proven attack history.
Level 1
This level includes the most well-known ransomware groups today. These groups have been active for many months, have proven the effectiveness of their code through numerous attacks, and continue to operate despite public exposure. The list includes REvil, Netwalker, DoppelPaymer, Egregor (Maze), and Ryuk.
All of these strains are well known and, with the exception of Ryuk, have dedicated data leak sites where the operators publish information stolen from victim companies that refuse to pay the ransom.
The operators of these strains use a variety of initial-access vectors. They may break into victim networks by exploiting vulnerabilities in network devices (sometimes hiring specialists for this), deliver the ransomware payload to systems already infected with other malware (by collaborating with other criminal groups), or enter company networks over RDP (by working with botnet operators or sellers of compromised credentials).
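The RDP vector above is the one defenders can most directly check for in their own telemetry, because a logon with purchased credentials still produces a successful Windows Security event 4624 with LogonType 10 (RemoteInteractive, i.e. RDP). The following is an added example written for this page, not code from Intel 471 or from the article: it scans such events for RDP logons arriving from outside the corporate address space and for accounts that RDP in from several distinct external addresses. The event records, the corporate ranges in `INTERNAL_NETS`, and the function names are all assumptions; the sample records are constructed and use RFC 5737 documentation addresses.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records shaped like the fields of Windows Security
# event 4624 (successful logon). LogonType 10 is RemoteInteractive (RDP).
# Addresses are from RFC 5737 documentation ranges; this is not real log data.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "jsmith",     "IpAddress": "10.0.5.23"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "svc_backup", "IpAddress": "203.0.113.17"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "svc_backup", "IpAddress": "198.51.100.9"},
    {"EventID": 4624, "LogonType": 3,  "TargetUserName": "jsmith",     "IpAddress": "203.0.113.17"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "admin",      "IpAddress": "192.168.1.50"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "DWM-1",      "IpAddress": "-"},
    {"EventID": 4625, "LogonType": 10, "TargetUserName": "admin",      "IpAddress": "198.51.100.9"},
]

# Assumed corporate address space; a real deployment substitutes its own allowlist.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def parse_source(value):
    """Turn a 4624 IpAddress field into an ip_address object.

    Returns None for values that carry no remote source: the literal '-'
    that Windows writes for local/service logons, and loopback or
    unspecified addresses.
    """
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return None
    if ip.is_loopback or ip.is_unspecified:
        return None
    return ip


def is_internal(ip):
    """True if the address falls inside one of the assumed corporate ranges."""
    return any(ip in net for net in INTERNAL_NETS)


def find_suspicious_rdp_logons(events, max_sources=1):
    """Flag successful RDP logons (EventID 4624, LogonType 10) from outside
    the corporate ranges, and accounts seen over RDP from more distinct
    external addresses than max_sources allows.

    Returns (external_logons, multi_source_accounts):
      external_logons       - list of (user, ip_string) in event order
      multi_source_accounts - set of user names with > max_sources external IPs
    """
    external_logons = []
    sources = defaultdict(set)
    for ev in events:
        # Failed logons (4625) and non-RDP logon types are out of scope here.
        if ev.get("EventID") != 4624 or ev.get("LogonType") != 10:
            continue
        ip = parse_source(ev.get("IpAddress", "-"))
        if ip is None or is_internal(ip):
            continue
        user = ev["TargetUserName"]
        external_logons.append((user, str(ip)))
        sources[user].add(ip)
    multi = {u for u, ips in sources.items() if len(ips) > max_sources}
    return external_logons, multi


if __name__ == "__main__":
    ext, multi = find_suspicious_rdp_logons(SAMPLE_EVENTS)
    for user, ip in ext:
        print(f"external RDP logon: {user} from {ip}")
    for user in sorted(multi):
        print(f"account {user} used RDP from multiple external addresses")
```

Run against the constructed sample, the scan reports the two `svc_backup` logons from documentation-range addresses and flags that account for using RDP from more than one external source, while ignoring the failed 4625 attempt, the LogonType 3 network logon, the console logon with `-` as its source, and the RDP session from the internal 192.168.0.0/16 range. In production the same logic would run over exported event logs or a SIEM query rather than an inline list, and the allowlist would include VPN concentrator and jump-host addresses so that legitimate remote access does not drown out the signal.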
Level 2
This level is for RaaS groups that have already built a reputation among other hackers and offer advanced malware, but do not yet have as many “clients” as the top-tier groups. This level includes Avaddon, Conti, Clop, DarkSide, Mespinoza (Pysa), RagnarLocker, Ranzy (Ako), SunCrypt, and Thanos.
Level 3
Level 3 consists of RaaS offerings that have appeared only recently, with little detailed information available. In some cases, it is unclear whether these groups are currently active or have already abandoned their attempts to establish a ransomware “business.” Newcomers in this category include CVartek.u45, Exorcist, Gothmog, Lolkek, Muchlove, Nemty, Rush, Wally, Xinof, Zeoticus, and ZagreuS.