Top 10 Infrastructure Elements of Ransomware-as-a-Service

The days of the lone wolf ransomware operator are fading. Today, ransomware has evolved into a sophisticated ecosystem where various actors collaborate to maximise their returns. 

This intricate web of participants, from skilled hackers to market intermediaries, each contributing their unique skills and resources, has transformed ransomware into a lucrative business.

This division of labour allows for a more efficient and effective execution of ransomware attacks, making them harder to prevent and mitigate.

One of the most prominent models in this ecosystem is ransomware as a service (RaaS). 

RaaS platforms provide a marketplace where anyone can purchase or rent ransomware tools and infrastructure regardless of technical expertise. This democratization of ransomware has lowered the barrier to entry, enabling a wider range of individuals and groups to engage in cybercrime.

Infosecurity explores some of the most crucial infrastructure elements that can be used to deploy a ransomware attack.

Information stealers (infostealers) are malicious software designed to steal sensitive information from compromised systems. They can target a variety of data, including login credentials, credit card numbers, personal identifiable information (PII), and intellectual property. 

Ransomware actors often use infostealers as a precursor to their attacks. By stealing sensitive information before encrypting data, they can extract additional value from their victims, either by selling the stolen data on the dark web or using it to blackmail victims. Infostealers can also be used to identify valuable targets within an organization, helping ransomware actors prioritize their attacks.

Cybercrime intelligence provider Hudson Rock offers a platform that regularly produces reports on the use of infostealers. The firm argues that better understanding the role of infostealers in cyber-attacks and better tracking them could help identify cybercriminals.

Alternatively, ransomware actors can also purchase access to vulnerable systems from initial access brokers, allowing them to bypass the initial hurdle of gaining entry into a target network. This can significantly reduce the time and effort required to launch a ransomware attack.

Ransomware actors employ a sophisticated arsenal of tools to execute their attacks efficiently and evade detection. 

Will Thomas, an instructor at the SANS Institute and co-founder of Curated Intel, maintains a list of key ransomware operational tools, including:

• Remote monitoring and management (RMM) tools

• Exfiltration tools

• Credential theft tools

• Defence Evasion tools

• Networking tools

• Discovery tools 

• Offensive Security tools

• Living-off-the-land (LOTL) binaries and scripts

Ransomware encryptors are the core tools used in ransomware attacks. These tools are designed to encrypt files on a compromised system, making them inaccessible to the victim until a ransom is paid.

Ransomware actors use a variety of encryption algorithms to encrypt files, making it difficult for victims to recover their data without paying the ransom. 

Some ransomware encryptors also include features that make it difficult for victims to restore their data even if they have a backup, such as deleting backups or encrypting shadow copies.

Command and control (C2) servers are used to communicate with and control infected devices. They are essential for ransomware actors to manage their botnets and execute attacks. 

Ransomware actors use C2 servers to distribute ransomware payloads, receive updates from infected devices, and issue commands to compromised systems. C2 servers can also be used to exfiltrate stolen data and to coordinate attacks against multiple targets.

Dark web markets are online marketplaces that operate on the dark web, a part of the internet that is not indexed by search engines. These markets are used to buy and sell illegal goods and services, including ransomware tools and services.

Ransomware actors can use dark web markets to purchase ransomware encryptors, C2 servers, and other tools needed for their attacks. They can also use these markets to recruit affiliates to distribute their ransomware. Additionally, some dark web markets offer services such as money laundering, which can help ransomware actors to obfuscate the origin of ransom payments.

Data leak sites (DLS) are platforms used to publish stolen data. They are often used by ransomware actors as a threat to encourage victims to pay the ransom.

Ransomware actors may threaten to publish stolen data on a leak site if victims do not pay the ransom. This can cause significant reputational damage and financial loss for the victim. Additionally, the publication of sensitive data can lead to identity theft, fraud, and other serious consequences.

While dark web markets are usually accessible via secured access, typically a TOR connection to access a .onion site, DSL can sometimes be found in the clear web. 

Affiliate programmes are partnerships between ransomware actors and affiliates who distribute ransomware. Affiliates are typically paid a commission for each successful infection.

Ransomware actors use affiliate programmes to expand their reach and increase the number of victims. Affiliates can distribute ransomware through a variety of methods, including email spam, malicious advertisements, and social engineering attacks.

ADVERTISEMENT

Bulletproof hosting (BPH) refers to web hosting services that are designed to be resistant to takedowns or seizures by law enforcement agencies. These servers often reside in countries with lax cybercrime laws or weak law enforcement capabilities, making them attractive to cybercriminals. 

Ransomware actors can use bulletproof hosting to host their ransomware infrastructure, including command-and-control (C2) servers, data leak sites, and dark web market pages. This ensures that their operations can continue uninterrupted, even if their other infrastructure is taken down. Bulletproof hosting also provides a layer of anonymity for ransomware actors, making it difficult to trace their activities.

Cryptocurrency wallets are digital wallets used to store, send, and receive cryptocurrencies. They are often used in ransomware attacks because they provide a way for victims to pay the ransom without leaving a traceable trail. 

Ransomware actors typically provide a cryptocurrency wallet address in their ransom note, instructing victims to transfer the ransom payment to this address. The decentralised nature of cryptocurrencies makes it difficult for law enforcement to track the movement of funds, making them an attractive option for cybercriminals.

Several private intelligence companies analyse cybercriminal activities through the prism of cryptocurrency flows.

Money laundering services are used to disguise the origin of funds. They can involve a variety of techniques, such as layering, placement, and integration.

Ransomware actors use money laundering services to obfuscate the origin of ransom payments. By laundering the funds, they make it more difficult for law enforcement to trace the money back to them. This can help to protect their anonymity and reduce the risk of prosecution.

The evolution of ransomware into a sophisticated ecosystem, driven by models like RaaS, has significantly increased its reach and impact. This interconnected web of participants, each contributing their unique skills, has made ransomware attacks more accessible and effective, posing a growing threat to cybersecurity.

Enjoyed this article? Make sure to share it!

Looking for something else?