Editor's Note: This article covering the Infosecurity Europe event, held in London from June 4-6, first appeared on our sister site SC Media UK.
There are too many misconceptions around the ransomware-as-a-service (RaaS) model and how it operates.
In a talk at Infosecurity Europe in London, Martin Zugec, technical solution director at BitDefender, likened RaaS to the gig economy as it has a similar affiliate business model, uses independent contractors and relies on online applications.
“We as an industry still don’t understand ransomware in 2024, and think it is similar to software-as-a-service, and that criminals pay to use it,” Zugec said, making the point that it is a profit-sharing scheme. He also refuted claims that RaaS enables less technically skilled attackers to participate in cybercrime, saying it is about “substituting generalists with specialists.”
The gig economy’s five factors
In researching the concept of the gig economy, Zugec asked ChatGPT what it was, and it was defined as independent contractors who work for themselves. In the case of RaaS, the service is run by operators and administrators who develop the code and build the infrastructure behind it.
It also employs affiliates who use their own techniques and tools to deploy the ransomware that they are operating. “Ransomware has hit multiple victims and scaled over the years and we see hundreds of victims a month impacted, so how have we got to this stage?” he said.
The first factor is the use of independent contractors: it is very common to switch between operators. Following the takedown of LockBit, operators are moving to other models, and affiliates often work with multiple operators at the same time.
Zugec said affiliates are often able to remain anonymous, but they are often at the core of the process and need attention.
Switching model
The second factor is the variable amount of money made. Where RaaS was once like the SaaS model, from 2016 and 2017 there was more focus on attacking individual machines, and that increased the size of the ransom payment demanded. “They focused more on data exfiltration and can increase the deployment of ransomware as it went from a few hundred dollars to millions today.”
The third factor is the use of an online platform, with its applications and infrastructure. The operators are their own client managers, and affiliates could spend days, weeks or months working to be able to impact a part of a network.
“When there is an impact the affiliate contacts the operator and asks them what they need, then the operator gives ransomware software to the affiliate who launches the attack and most people don’t realise that the affiliate does the work,” he said.
In terms of the money, Zugec said that while the affiliate conducts the attack, the operator starts negotiating with the victim and collects the payment at the end, with a percentage given to the affiliate.
In particular, 76% to 90% of the ransomware payment goes to the affiliate and not the operator.
“That is why the affiliate stays anonymous, as soon as they are done with the operation, they stay silent and anonymous.”
The fourth factor is payment on tasks, as “top tier affiliates are highly sought in the ecosystem” and often spend time making claims about the success of the encryption and pushing the quality of the ransomware code.
The final factor is flexibility, as those involved get paid when they do a task, some do it as a "side hustle," and some work in teams.
Zugec concluded by saying that there is a lot of “misunderstanding and misconceptions” about ransomware, and most people know how it worked five years ago, and “we need to unlearn and learn new stuff.”
As for any weaknesses that could break the model, Zugec said that researchers understand how the business model works, but he identified the potential distrust between the operator and affiliate, “as the affiliate spends money researching the victim and the operator takes the money.”