Ransomware as a Service and insider threats: these are two phrases that, alone, would bring out IT security professionals in a cold sweat. But now researchers from security firm Imperva have brought to light a new concept where the two types of threat are combining to make a deadly duo.
In recent years the Ransomware as a Service (RaaS) model has emerged as the latest step in the evolution of malware that can extort money from organisations by encrypting their data. With RaaS, authors provide on-demand versions of malware to distributors, which the distributor can customise through an easy-to-use tool.
It's a classic 'affiliate' distribution model where the author of the malware shares 5-25% of the ransom collected with the distributor, allowing malware author 'script kiddies' to concentrate on writing the code, while distributors can easily send out nasty ransomware without any programming, allowing them to do what they do best: spamming unsuspecting people and organisations with malicious software – a win-win for hackers and their accomplices.
'The distributor can set parameters such as the ransom price, timeout for the payment, the value of a new ransom once the timeout expires and the number of files that can be decrypted for free (to prove to the victim that the data is safe but encrypted),' explain Imperva researchers in their blog post.
Last year's 'Tox' RaaS was among the first to experiment with this model, allowing the distributor to set the ransom amount and his Bitcoin wallet address to collect the profits.
A month after it appeared, the platform's teenage creator decided to quit the RaaS game after his creation became 'too hot to handle', infecting more than 1,000 computers in just the space of a week, with an average ransom of between $50 and $200.
But while the Tox RaaS has been dismantled, other RaaS offerings remain at large, warn the researchers at Imperva. There are now a variety of RaaS offerings floating around on the deep web, including a new product that lets anyone willing to pay 10% of the collected ransom distribute the infamous CryptoLocker.
It isn't just individuals that are affected by this threat: RaaS has hit the enterprise. This past February, Hollywood Presbyterian Medical Centre paid a whopping $17,000 in Bitcoin to unlock medical data and resume operations. Before paying, the hospital’s operations were severely affected for a week, and some patients had to be transferred.
In an enterprise situation, Imperva warns that it's highly possible for a malicious insider to use RaaS to extort their organisation and cause irreparable damage.
Imperva warns that someone on the inside could exploit their inside information on the organisation’s unstructured data and their knowledge about where sensitive data is located, as well as their permissions, to encrypt the most valuable data.
'Moreover, they know what the value of the data to the organisation is and can assume how much the organisation will agree to pay for the data decryption,' said the researchers.
'We know that the main motivation for malicious insiders is financial, and using RaaS on the organisation is simple, safe, and profitable. Future RaaS customisable parameters might be more specific and include business-related information such as what are the valuable network shares of interest or even relevant credentials.'