RaaS: Satan’s business model

The Satan ransomware-as-a-service platform makes it easy for criminals without coding experience to use someone else’s ransomware creations. Ransomware is booming, but there are steps companies can take to stay secure.

By Naaman Hart, Managed Services Security Engineer, Digital Guardian | Monday, October 8th, 2018

These platforms are allowing inexperienced criminals to deploy complex ransomware attacks. The emergence of these nefarious businesses makes it more essential than ever that companies are adequately prepared to defend against cybercrime.

In recent years, high profile ransomware attacks such as WannaCry and NotPetya have hit the headlines, gaining worldwide notoriety for taking over computers and encrypting files which are then ‘held hostage’ until victims pay a decryption ransom.

Alongside netting cybercriminals millions of dollars in ransom payments, these malware attacks have burdened individuals and organisations around the globe with crippling downtime and damaging business-related costs.

A demonic trend
Now we’re seeing the emergence of ransomware-as-a-service (RaaS) platforms that enable savvy criminal entrepreneurs to sell their services to other criminals. This allows attackers without coding experience to partner with expert ransomware creators who write and adapt code on their behalf.

Available on the dark web, Satan & Co is the latest RaaS platform to provide potential criminals with access to ‘quality’ ransomware. Users simply sign up for an account and pay a subscription to download malicious executable files ready to infect victims’ PCs, and they can even tailor their own code and ransom demands. In exchange, Satan charges a 30 percent commission on all ransom money received.

Devilish business model 
The Satan RaaS platform enables inexperienced cybercriminals to execute large-scale, easily customisable ransomware attacks in an incredibly user-friendly manner. Alongside handy tips on malware distribution, service subscribers can take advantage of features like attack tracking and Google Maps support to monitor the progress of their campaigns. Users can even translate their malware into different languages.

The Satan platform contains templates for creating ransom notes that allow users to set payment thresholds for victims, and it handles ransom payments, generating a unique victim ID for tracking and reporting purposes. There is also a menu of ‘pick and mix’ options that enable criminals to create their very own customised version of the Satan ransomware.

The RaaS business model levels the playing field for cybercriminals and makes malware accessible to a host of new players, regardless of their technical knowhow. This makes it more essential than ever that organisations ensure they take steps to protect themselves against the tsunami of ransomware that’s now being unleashed.

Repelling the threat
Enterprises looking to mitigate the growing threat of RaaS attacks can take heart that the steps they need to take are no different from the defences they employ for typical ransomware attacks.

First of all, undertaking regular data backups is essential. Having diligent data backup processes in place will significantly limit the damage caused by a ransomware attack, as encrypted data can be restored without paying a ransom. Companies should regularly test their backup and disaster recovery strategy to ensure it works reliably.

Applying system, network and application updates in a timely manner will also bolster a company’s defences. Software updates usually contain patches for known vulnerabilities and should be installed as soon as they become available. Similarly, training employees on how to spot and handle social engineering and email phishing attacks will boost cybersecurity awareness and keep them updated on known current security threats.

Disabling autorun on all connected devices will prevent malware from spreading autonomously and is an important step for containing malware, should an infection occur. Likewise, macro content in Microsoft Office applications should be deactivated. In many cases, ransomware is spread via infected Microsoft Office documents containing malicious macros that will download and execute the malware once run. Disabling macros by default can help prevent compromises, even if a user opens an infected file.

Preventing remote desktop connections wherever possible will also prevent attackers or malware from being able to access a user’s devices and files remotely. In addition, restricting the use of system administrator tools will help ensure a compromised user does not accidentally grant administrator privileges to an attacker who has gained access to their account.
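The autorun, Office macro and remote desktop steps above can be checked on a Windows host with a read-only audit. The script below is an added example, not part of the original article; the registry locations, the Office version (16.0) and the target values (the strictest setting for each control) are assumptions that should be adjusted to local policy.

```powershell
# Added example: read-only audit of three hardening settings.
# Nothing is modified; the script only reads registry values.
$OfficeVersion = '16.0'   # assumption: Office 2016 / 2019 / Microsoft 365

$checks = @(
    @{ Name     = 'AutoRun disabled for all drive types'
       Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value    = 'NoDriveTypeAutoRun'
       Expected = 255 },   # 0xFF = every drive type
    @{ Name     = 'Remote Desktop connections denied'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
       Value    = 'fDenyTSConnections'
       Expected = 1 }
)

# Macro policy is set per Office application for the current user.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $checks += @{ Name     = "$app macros disabled without notification"
                  Path     = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
                  Value    = 'VBAWarnings'
                  Expected = 4 }   # 4 = disable all macros without notification
}

function Test-HardeningSetting {
    param([hashtable]$Check)
    # A missing key or value means the policy was never configured.
    $actual = $null
    $item = Get-ItemProperty -Path $Check.Path -Name $Check.Value -ErrorAction SilentlyContinue
    if ($item) { $actual = $item.($Check.Value) }

    [pscustomobject]@{
        Setting   = $Check.Name
        Expected  = $Check.Expected
        Actual    = if ($null -eq $actual) { 'not set' } else { $actual }
        Compliant = ($actual -eq $Check.Expected)
    }
}

$results = $checks | ForEach-Object { Test-HardeningSetting -Check $_ }
$results | Format-Table -AutoSize

# Summarise the gaps so the output can feed a ticket or report.
$failed = @($results | Where-Object { -not $_.Compliant })
"{0} of {1} settings need attention" -f $failed.Count, $results.Count
```

A value reported as "not set" means the policy is not enforced on that host, so the control depends on whatever the user or application default happens to be.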

The software shield
Most importantly, security software should always be deployed. There are a variety of solutions that can help to prevent ransomware infections. Antivirus software and firewalls, for instance, can help block known or widespread malware variants. For additional protection, organisations should consider endpoint detection and response and advanced threat protection solutions that optimise malware detection and block the execution of malicious code. Deploying multi-layered security mechanisms such as data categorisation, network segmentation, application control and behaviour monitoring will enable an elevated security strategy that keeps enterprise data safe.

The RaaS model is a game-changing development that makes ransomware easy to use, requiring little or no technical skill to configure, customise and execute. This means that attackers can change attack vectors rapidly and adapt fast to security defences.

Businesses and organisations should deploy a layered approach to security to avoid becoming a malware victim.