Ransomware-as-a-service? There’s a marketplace on the dark web for it

Between November 2021 and March 2022, research uncovered 475 webpages of sophisticated ransomware products and services, with several high-profile groups aggressively marketing ransomware-as-a-service
4 August 2022


  • Ransomware-as-a-service is a business model between ransomware operators and affiliates in which affiliates pay to launch ransomware attacks developed by operators
  • Many strains of ransomware being sold — such as Babuk, GoldenEye, Darkside/BlackCat, Egregor, HiddenTear and WannaCry — have been successfully used in high-profile attacks.
  • 87% of the ransomware found on the dark web has been delivered via malicious macros to infect targeted systems.
  • Overall, 30 different “brands” of ransomware were identified within marketplace listings and forum discussions.

Ransomware has been a problem for years, and attacks have become increasingly disruptive and damaging for victims, while cyber-extortionists are demanding millions of dollars in ransoms. What is less well known is ‘ransomware-as-a-service,’ though it’s easy to find on the dark web, where ransomware attacks are advertised in the same way that goods are advertised on the legitimate web.

Ransomware-as-a-service is a business model between ransomware operators and affiliates in which affiliates pay to launch ransomware attacks developed by operators. It allows affiliates who lack the skill or time to develop their own ransomware variant to get up and running quickly and affordably. Venafi, the inventor and leading provider of machine identity management, recently did a dark web investigation into ransomware spread via malicious macros. 

Conducted in partnership with criminal intelligence provider Forensic Pathways between November 2021 and March 2022, the research analyzed 35 million dark web URLs, including marketplaces and forums, using the Forensic Pathways Dark Search Engine. The analysis uncovered 475 webpages of sophisticated ransomware products and services, with several high-profile groups aggressively marketing ransomware-as-a-service.

Venafi’s vice president of security strategy and threat intelligence, Kevin Bocek, said that “Ransomware continues to be one of the biggest cybersecurity risks in every organization. The ransomware attack on Colonial Pipeline was so severe that it was deemed a national security threat, forcing President Biden to declare a national state of emergency.”

Other findings of the research suggest that 87% of the ransomware found on the dark web has been delivered via malicious macros to infect targeted systems. Macros are used to automate common tasks in Microsoft Office, helping people to be more productive. However, Venafi said attackers can use this same functionality to deliver many kinds of malware, including ransomware. 

In February, Microsoft announced a major change to combat the rapid growth of ransomware attacks delivered via malicious macros, but it temporarily reversed that decision in response to community feedback. “Given that almost anyone can launch a ransomware attack using a malicious macro, Microsoft’s indecision around disabling macros should scare everyone. While the company has switched course a second time on disabling macros, the fact that there was backlash from the user community suggests that macros could persist as a ripe attack vector,” Bocek added.

On top of those findings, the research also noted that 30 different “brands” of ransomware were identified within marketplace listings and forum discussions. Many of the strains being sold, including Babuk, GoldenEye, Darkside/BlackCat, Egregor, HiddenTear and WannaCry, have been successfully used in high-profile attacks.

Almost certainly, ransomware strains used in high-profile attacks command a higher price for associated services. For example, Venafi and Forensic Pathways said the most expensive listing was US$1,262 for a customized version of Darkside ransomware, which was used in the infamous Colonial Pipeline ransomware attack of 2021.

In general, source code listings for well-known ransomware command higher price points: Babuk source code is listed for US$950 and Paradise source code is selling for US$593. Generic ransomware build services also command high prices, with some listings costing more than US$900. At the other end of the price spectrum, many low-cost ransomware options are available across multiple listings, with prices starting from as low as US$0.99 for Lockscreen ransomware.

These findings, as Venafi puts it, are another example of the need for a machine identity management control plane to drive specific business outcomes including observability, consistency and reliability. In particular, Venafi points to code signing as a key machine identity management control against macro-enabled ransomware: when Office is configured to run only digitally signed macros, an unsigned malicious document cannot execute its payload, regardless of whether the user clicks through a warning.

“Using code signing certificates to authenticate macros means that any unsigned macros cannot execute, stopping ransomware attacks in their tracks,” Bocek concludes. “This is an opportunity for security teams to step up and protect their businesses, especially in banking, insurance, healthcare and energy where macros and Office documents are used every day to power decision making.”
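The "signed macros only" posture described above is an ordinary Office policy setting rather than a product feature. The following PowerShell script is an added example, not code from the article, from Venafi or from Microsoft; it writes the per-user Office policy keys that enforce "disable all macros except digitally signed" for Word, Excel and PowerPoint, turns on blocking of macros in files carrying the Mark of the Web (the control Microsoft's February change concerned), trusts an organisation's macro-signing certificate, and reads the settings back. The Office version string (16.0, i.e. Office 2016/2019/Microsoft 365) and the certificate path are assumptions; adjust them for your estate, and push the same values through Group Policy or Intune rather than a per-user script for fleet-wide enforcement.

```powershell
# Added example: enforce signed-macros-only for Office and verify the result.
# Assumptions: Office 2016/2019/Microsoft 365 (registry version 16.0) and a
# public signing certificate exported to $SigningCertPath (no private key).
$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'

# VBAWarnings: 1 = enable all, 2 = disable with notification (Office default),
#              3 = disable all except digitally signed, 4 = disable all silently.
# BlockContentExecutionFromInternet: 1 = block macros in files marked as downloaded.
$Settings = @{
    VBAWarnings                       = 3
    BlockContentExecutionFromInternet = 1
}

foreach ($app in $Apps) {
    $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    foreach ($name in $Settings.Keys) {
        New-ItemProperty -Path $key -Name $name -Value $Settings[$name] `
            -PropertyType DWord -Force | Out-Null
    }
}

# Trust the organisation's macro-signing certificate so that legitimately
# signed macros keep running once unsigned ones are blocked.
$SigningCertPath = 'C:\Certs\corp-macro-signing.cer'   # assumed path
if (Test-Path $SigningCertPath) {
    Import-Certificate -FilePath $SigningCertPath `
        -CertStoreLocation 'Cert:\CurrentUser\TrustedPublisher' | Out-Null
}

# Read the policy back and flag any application that is still permissive.
function Test-MacroPolicy {
    foreach ($app in $Apps) {
        $key   = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            App         = $app
            VBAWarnings = $props.VBAWarnings
            MOTWBlock   = $props.BlockContentExecutionFromInternet
            Compliant   = ($props.VBAWarnings -eq 3 -and
                           $props.BlockContentExecutionFromInternet -eq 1)
        }
    }
}

Test-MacroPolicy | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind: files opened from a Trusted Location bypass VBAWarnings entirely, so audit those locations (or disable them with the AllLocationsDisabled policy) as part of the same change; and the control only stops macros that are unsigned or signed by an untrusted publisher, so the signing key itself must be protected, since a stolen or over-broadly trusted publisher certificate turns a signed malicious document back into a working delivery vector.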