In today’s blog post we have part 1 of 2, continuing a topic that we started covering in a previous blog: Ransomware, and more specifically the evolving Ransomware chain. Modern Ransomware attacks are no longer carried out by single attackers but by a network of hackers. That usually involves two or more groups of hackers that use different models of implementation. These models starkly resemble those we see in business-to-business software models or Managed Services models. These Ransomware chains have different splits of the ransom and different barriers to entry. So, let’s jump right in and start with what the Ransomware attack model looks like.
Ransomware chains
The first thing we will look at is the three prevalent models for Ransomware. Long gone are the days of a single attacker. As I mentioned above, these Ransomware chains are beginning to resemble a business model. The first is a vertically integrated model, where a single hacking group develops the software. In this model, the same group is responsible for hosting the ransomware, the delivery software, and the collection of the ransom. While this is highly effective, it creates a high barrier to entry, as you need lots of highly specialized and knowledgeable people to execute attacks. This Ransomware chain model also allows attackers to maintain total control over all aspects of the attack. In this model, the hacking group retains all the ransom collected.
Ransomware Reseller models
Second, we have a reseller model, where two parties are involved in attacks. The first is the hacking group that oversees software development and hosts the Ransomware. Then we have a second group that specializes in distributing malicious software. This group’s job is crafting spam emails and infecting websites. These groups use various means to deliver the malware; two of them are phishing attacks and watering hole attacks. The first is where they craft emails trying to trick employees into divulging passwords. These attacks have become very convincing in recent years, so you need to know what to look out for. Second, we have watering hole attacks, in which attackers monitor traffic from a target to find which sites its users visit. One of those sites is then infected, and it either tries to get you to download a file or does so secretly.
The advantage of this model for attackers is that the development group doesn’t need to know how the malware will be delivered. The development group only worries about what happens once it has access: how it will escalate its privileges and attack the computer. In programming, this is called abstraction. Abstraction means that the user does not need to know what is going on inside, just what inputs to provide. A good example is Excel: you don’t need to know how it stores the table information, just where to input the data. Conversely, the distributor group only worries about infiltration and getting the program to run. In this model the Ransomware software changes hands: the distribution group has a copy of the malware that they deliver. In these Ransomware chain models, the distributor group keeps a large portion of the ransom.
The Ransomware chain as a Service
Third, we have the Ransomware as a Service model, which resembles a managed service model. This once again has two groups: the hacking group and a distribution group. The difference this time is that the distribution group pays a software license fee for Ransomware that has been turned into a service. In this type of model, the hacking group does what they do best, that is, attack infrastructure, escalate privileges, encrypt, and replace files. The barrier to entry is significantly lower for the distributor group; they keep doing what they do best and don’t worry about what they don’t. As you can see, this is why it is called Ransomware as a Service: it is the same idea as many services you are probably already using. These license fees range from $1000 to $100K USD, and these models give the distribution group 100% of the ransom profit.
If you are interested in improving your security systems, please contact us using the form found at the bottom of the page or by emailing us at inquiry@powerland.ca. Our Managed Hosted Services and Managed Services team can help you improve security, reduce stress, and reduce cost. We use industry-leading software and firewalls from some of the industry’s best companies such as FireEye and Aruba, 24hr proactive monitoring, and identity monitoring through Okta. We can also help you with upgrading your network hardware with hardware from an industry leader such as HPE. Contact us to learn about the Powerland Advantage and how we can help your organization. Powerland has been a trusted solutions provider in Canada for over 30 years.