For more than a decade, cyber criminals have been developing malware to extort money out of people and organisations.
The latest step in that evolution is the arrival of ransomware as a service, or RaaS.
Like many viruses, ransomware infects a machine when the user clicks on a seemingly legitimate link and unknowingly downloads a malicious file. The virus will then encrypt the user’s files, leaving them inaccessible unless the victim pays for the decryption key.
Ransoms typically range from $300 to $500, sometimes with a limited time before the price is raised or before the chance to pay is withdrawn completely.
One of the most sophisticated ransomware strains has brought in $325 million in profits for groups deploying it, according to a report by the Cyber Threat Alliance, a group sponsored by several major security companies.
Ransomware as a service is a variant of ransomware designed to be so user-friendly that it could be deployed by anyone with little cyber know-how. These agents simply download the virus, either for free or for a nominal fee, set a ransom and payment deadline, and attempt to trick someone into infecting his or her computer. If the victim pays up, the original author gets a cut (around 5% to 20%) and the rest goes to the “script kiddie” who deployed the attack.
RaaS is one of the “many possible twists and turns” in the evolution of malicious software, according to Moti Yung, a security researcher and an adjunct professor at Columbia University. Yung should know: His 1996 paper, co-written with Adam L. Young, described ransomware nearly a decade before similar attacks were ever seen in the wild — other than one bizarre, ineffective fluke in 1989.
The RaaS model doesn’t surprise him.
“This model is the usual profit sharing over the web. Ads do it, URL referrals do it, so it makes sense for [the] proliferation of malware infection too,” said Yung.
By making software that is free and easy for others to deploy, the creator of an RaaS attack can hope to land a cut of ransoms from a large number of infections spread by many agents. Those agents, with little investment of skill, time, or money, stand only to gain from their big percentage of ransoms paid.
Theoretically, it’s a win-win for hackers and their cyber-accomplices.
In practice, results vary.
The RaaS creators
While a major ransomware operation called Reveton may have used a referral program to encourage sites — often porn sites — to help spread the virus to their visitors starting in 2012, the earliest ransomware provided freely in exchange for a cut of the ransoms seems to have been Tox, which surfaced in May.
Tox was created by a teen hacker, also going by the name Tox, who spoke to Business Insider shortly after shuttering the service and again, via email and encrypted chat, for this article.
When Tox was highlighted on McAfee’s security blog — before the service was even ready, according to the creator — it garnered a lot of attention. In a short period of time, a “couple dozen” users were able to deploy Tox and infect over 1,500 victims, according to Tox’s creator. The average ransom, he said, was between $50 and $200. While he wouldn’t reveal how much money he made, Tox seemed pleased with his profits.
“Imagine just having 2-3 payments per day … It’s already a lot of money!” Tox told Business Insider.
After Tox drew media attention, the author began to fear his creation’s growth and the risk of getting caught.
“I had to choose, to decide whether to truly start investing on it, or shut it down before it became too big and too dangerous to handle.”
Tox chose to shutter the service and sell, only days after a different, apologetic ransomware author shut down his own virus. The entire service, including the source code, web domain, database, and decryption keys, went to a buyer for, according to Tox, approximately $5,000.
Another RaaS author who goes by the handle Jeiphoos told Business Insider over encrypted chat that, as of late November, his software Encryptor RaaS hadn’t made him any money since its release in July. Over 300 devices had been infected, but not a single victim had paid the ransom.
Only after Motherboard published an interview with him in early December did Jeiphoos receive his first payment. His 5% fee of the $20 ransom netted him a single dollar, the only one he has made to date. The other $19 was transferred to the Bitcoin wallet of the person who deployed the attack.
The millions reportedly earned by large ransomware operations, the short-lived success of Tox, and the variety of RaaS attacks available suggest that there is or will be profit for RaaS authors and the users that deploy them. But, as Jeiphoos learned, any certainty of profit is hard to come by.
“Many will try but few will profit reliably (and much at that) for any period of time,” cybercrime journalist Brian Krebs told Business Insider in an email. Krebs believes that the ones who will succeed are those who offer good “customer service” to both their affiliate agents and victims trying to figure out payment.
One of Jeiphoos’s victims was Roger, who spoke to Business Insider via email, elaborating on his post from a tech support forum. Roger was infected by Encryptor several months ago. He found all his files encrypted with a note informing him that he’d have to pay 1.7 bitcoins, about $450 at the time, to unlock his files.
Roger was lucky. He had a backup of nearly all of his files and decided not to pay. The process of removing the virus and restoring his computer, however, took “a month of agony,” even for the purported power user.
When Business Insider told Jeiphoos that Roger had been infected with his virus, Jeiphoos noted that if Roger wanted to restore any remaining encrypted files, he could still do so by paying the ransom.
Several other ransomware victims who spoke to Business Insider for this story were able to restore from backups like Roger did. However, many victims of ransomware don’t have that luxury. Their choice: Pay up or lose the files.
Matthijs, one of the victims Business Insider spoke with via email, had Geek Squad remove the virus and lost the ability to pay the ransom and restore his files in the process. He said that if he could go back, he would have paid the $300 ransom.
“Peanuts for getting [15 years’ worth of digital photographs] back,” said Matthijs.
Pressed on the impact of his service, Tox expressed some remorse.
“Of course I felt bad for the victims, but it’s not that bad: it will probably ruin your day … [but] it will pass,” he wrote. “On the other side, some random guy [receiving the ransom] might be recovering from a very bad economical situation. A lot of relatively small bad things [that] make up one big good thing. Might not be right, but it’s balanced.”