pixel_dreams - Fotolia

Ransomware as a service is a game changer, warns Sophos

The advent of ransomware as a service heralds a new era in malware, which means security suppliers and user organisations will have to adapt

Ransomware as a service (RaaS) is easy to use, requires little or no technical skill to configure, customise and launch, and is designed to make money with relatively little cost and effort.

These are the main characteristics of RaaS laid bare in a detailed analysis of the Philadelphia RaaS by Sophos researcher Dorka Palotay, published to coincide with BlackHat 2017 in Las Vegas.

RaaS is helping to drive cyber crime and few examples are as slick and dangerous as Philadelphia, according to Palotay, who is based in Budapest, Hungary.

The research paper delves into the inner mechanics of Philadelphia that anyone can buy for $400 through a number of market places on the dark web from The Rainmakers Labs, which is run same way as any legitimate software company selling products and services.

Although Philadelphia is available only on the dark web, Palotay found that The Rainmaker Labs hosts a production-quality “intro” video on YouTube, explaining the nuts and bolts of the kit and how to customise the ransomware with a range of feature options, while a detailed “Help Guide” walking customers through set-up is also available on a .com website.

“It’s surprisingly sophisticated what The Rainmakers Labs is trying to do here. Details about Philadelphia are out in the open on the internet as opposed to underground and secretive on the dark web, which is where most other ransomware kits are marketed,” said Palotay.

“You don’t need a Tor browser to find Philadelphia, and the fact that it’s brazenly peddled is sobering and, unfortunately, indicative of what’s to come,” he said.

Tailor-made ransomware

In addition to the marketing, Palotay reports that the product itself is advanced with numerous settings enabling buyers to tailor how they attack their victims.

Philadelphia RaaS also includes functionality to track victims on Google maps, show victims mercy, and tips on how to build a ransomware campaign, set up the command and control centre and collect money.

However, according to Palotay, the “mercy” function seems to be designed to get The Rainmaker Labs out of trouble when friends and allies are accidentally hit by Philadelphia ransomware.

The tracking option, he said, gives a glimpse into how cyber criminals determine the demographics of victims who have paid to help fine tune future attacks.

“This functionality shows what’s becoming more common in [ransomware] kits and, as result, shows how ransomware as a service is becoming more like a real world software market,” said Palotay.

While Philadelphia is a bit more costly than other RaaS offerings that typically cost $39 to $200, he points out that it includes includes constant updates, unlimited access and unlimited builds. “It’s just like an actual software service that supports customers with regular updates.”

However, at around $400, Philadelphia is also a lot cheaper than the first generation of malware kits, which sold for $10,000 or more, which means more would-be cyber criminals are likely to give it a try.

Philadelphia also has what’s called a “bridge”, which is a PHP script to manage communications between attackers and victims and save information about attacks.

Additional features include the ability to customise the ransom message and to delete some files if the ransom has not been paid after a set time period.

“Having customisation options and bridges drives in more profit and adds a whole new dimension to cyber crime that could increase the speed of ransomware innovation,” said Palotay.

In other RaaS cases SophosLabs examined, pricing strategies ranged from splitting a percentage of the ransom coming from victims with kit customers to selling subscriptions to dashboards that follow attacks.

The report also reveals that some cyber criminals have “cracked” or pirated Philadelphia and sell their own ripped-off version at a lower cost, thereby further increasing the availability of ready-made threats that do not require attackers to know what they doing.

“It’s not uncommon for cyber criminals to steal another’s code or build on older versions of other ransomware, which is what we saw with the recent NotPetya attack,” said Palotay. “The NotPetya attack combined Golden Eye, a previous version of Petya, with the Eternal Blue exploit to spread and infect computers globally,” he said.

Prepare to protect against software exploits, says expert

From the data defender’s point of view, ransomware as a service is a game changer, according to Dan Schiappa, senior vice-president and general manager of enduser and network security groups at Sophos.

“This RaaS model means that attackers are able to change attack vectors and payloads rapidly because that is just part of the service, which means the speed at which they can adapt to security defences has increased,” he told Computer Weekly.

Schiappa said although the Philadelphia report is packed with technical detail, the main takeaway for companies and organisations is that this type of threat is likely to get worse.

“RaaS is arming would-be attackers with a low-cost, easy-to-use product that use advanced exploits and payloads, so businesses and organisations can’t just cross their fingers and hope that it won’t hit them,” he said.

Schiappa also warns that RaaS is only one of several trends that Sophos researchers have identified that organisations should be aware of and planning for now.

The biggest of these trends, he said, is the use of business software vulnerability exploits rather than executable malware.

“We saw this with WannaCry and NotPetya, and we are likely to see it become increasingly evident,” said Schiappa, particularly with groups such as the Shadow Brokers releasing to cyber attackers exploits that are unknown to cyber defenders.

“We expect attackers to use the same low-level methods such as phishing to deliver payloads, but those payloads are increasingly likely to become exploits, such as the Eternal Blue SMB [server message block] protocol exploit used by WannaCry.

“Eternal Blue is a kernel-level exploit in Windows, and this type of exploit is extremely difficult to find and really difficult to protect against,” he said.  

To counter this and other emerging attack types, Sophos has developed a product called Intercept X, which is designed to identify and block the attempted use of exploits by attackers.

According to Schiappa, Intercept X “performed very well” to protect organisations from WannaCry and NotPetya, which highlighted that not all software suppliers are good at issuing security updates or patches and that, even if patches are available, not all organisations are good at applying them.

Changing digital landscape brings threats

Another significant area of emerging cyber threats, said Schiappa, is linked to the constantly shifting IT landscape and the fact that younger, highly-transformative companies are moving to things such as DevOps and cloud-based applications.

“That’s a whole different security paradigm, because what you have with [Microsoft] Azure and AWS [Amazon Web Services] is an operating system that functions at cloud scale, and so you still have to build protections, workload protections, and build visibility into what is happening inside virtual containers,” said Schiappa.

The internet of things (IoT) is another important area of development in the digital world that is likely to have important implications for data security, according to Sophos.

“One of the biggest challenges is just identifying what you have in your IT environment and apply some management, network and other security polices to them, which is likely to become a huge issue in the next few years,” said Schiappa.

In the face of these threat trends, he said Sophos is moving to a more predictive model across its product portfolio rather than a reactive model.

“Instead of analysing each vulnerability or scanning a file for malware, we look at the techniques that attackers put into their malware to exploit a vulnerability such as infecting the Master Boot Record [MBR],” said Schiappa. “This approach meant that Intercept X was able to detect the NotPetya attacks at the point that they attempted to alter the MBR.”

Sophos has also invested in developing a behavioural analytics capability so that even if ransomware is triggered, for example, the attack will be shut down when an abnormal pattern of behavior or activity is detected and original versions of the affected files will be restored, using the CryptoGuard product.

“Our main area of innovation is around being more predictive,” said Schiappa, pointing out that Sophos has recently acquired a company called Invincea that has developed machine learning technology focused on the “deep learning neural network”, which is an advanced way of doing deep learning to understand malware to raise detection rates, while lowering the number of false positives.

“This technology gives us further capabilities around the predictive nature of things such as executable-based malware, potentially unwanted applications, and unknown bad websites, providing another way of using algorithms and data science to be predictive rather than reactive,” he said.

Sophos then ties its portfolio together with what it calls “synchronised security” so that if something is identified on an endpoint, that is shared with other Sophos products such as the firewall, it isolates the endpoint from the network while the endpoint is cleaning it up.

Another key element of innovation from Sophos is Sophos Central, which is a cloud-based management platform that enables Sophos products to share common access to data.

“This enables organisations to create security policies that automatically adapt to products across the platform,” said Schiappa. “This means organisations can also share events and alerts, and ultimately will be able to share data around security analytics and be able to do things like automation and orchestration.”

For best practices against all types of ransomware, Sophos recommends users to back up regularly and keep a recent backup copy off-site; not enable macros in document attachments received through email; be cautious about unsolicited attachments; and patch early, patch often.

Read more about ransomware

  • Businesses still get caught by ransomware, even though straightforward avoidance methods exist.
  • Criminals used devices compromised for click fraud as the first step in a chain of infections leading to ransomware attacks, said security firm Damballa.
  • The first half of 2014 saw an increase in online attacks that lock up user data and hold it to ransom.
  • The Cryptolocker ransomware caught many enterprises off guard, but there is a defence strategy that works.

Read more on Hackers and cybercrime prevention