Make Millions Hacking. No Experience Necessary: The Emergence of Ransomware-as-a-Service

There’s a sale going on that you probably haven’t heard about. A hire-a-hacker site is offering a special low price for hacking any Facebook account you may want hacked. Yes, if you act now, this group of hackers will hack the Facebook account of your choice for a mere $600. (I will not give the site address.) All you need to do is give them the email address or mobile number of the owner of the Facebook site. Obviously, they will then do some social engineering, lead the victim to a fake Facebook login page, and capture their login information. They will then transfer the site into their name and, in effect, become the owners of the site. Once done, they will turn the site over to the person who paid the $600. Of course, there’s no guarantee this will work and it’s not clear if you will get a refund if it doesn’t. After all, what are you going to do? Call the police?

I have been asked by people for help in hacking Facebook accounts. Usually, it is someone who wants to hack an ex to see what they are doing or, perhaps, get some revenge. Even though I may be able to do this, it falls outside of what I consider to be ethical behavior. I did help someone recover a stolen account, but that’s as far as I would go. I would caution anyone hiring a hacker to be careful because it would be really easy to get scammed. Besides, you would be breaking the law. Nonetheless, there is no doubt that a good living could be made by hacking Facebook accounts alone.

Hacking groups for hire, such as the one mentioned here, are usually contacted for small jobs. The biggest job they will undertake is hacking a website, supposedly to allow the customer to deface it in some way. This will cost the customer $1200. They can also help you set up a DDoS attack or break into a network to alter data, such as school grades or bad reviews. In my opinion, the most dangerous service they claim to offer is installing a backdoor on the computer of your choice so that you can remotely monitor all activity on it (turn on the camera, get all the passwords, read all the emails etc.).

So why aren’t these people arrested or the site taken down? Well, who knows what the end user intends to do with the hack. People may want a backdoor installed to use their own computer remotely. Maybe they are doing penetration testing and need to see how well protected their website or network is. The hackers who run these services will simply plead ignorance. However, my guess is that these hackers are being monitored by law enforcement. Of course, you can’t rule out the possibility that law enforcement is operating the site to gather information. In other words, use this service at your own risk.

Although such sites may be troubling, they usually don’t cause major problems to anyone but the people who are hacked. This is not true for other hacking services. In recent years, organized crime has been using hackers to bring in big money. (See this post for more examples of organized crime groups using hackers.) Even nation states are not without their team of hackers, though they are not referred to as such. Sometimes these nation-state operatives hack for information while, at other times, they hack to make money. In either case, these are the hacks you may see reported in the news because of the extensive damage they can cause.

Recently, the most successful, and most malicious, malware making the rounds has been ransomware. This is malware that encrypts a victim’s files, making them unusable until they pay a ransom. There are a number of high-profile hacking groups that have used ransomware to make big profits. Generally, they attack health services, city governments, universities, or government agencies. Large businesses and other enterprises have also been victims. All of these are targeted because they hold large stores of data: data that they need to operate effectively. They are, therefore, victims that are more likely to pay the ransom.

Most of these hacking groups have developed their own ransomware or have developed variants on publicly available ransomware code. This all takes some coding skills so it is out of the reach of the average petty criminal. If any petty criminal wanting to make some quick bucks could get their hands on easy-to-use ransomware, the cyber landscape would be many times more dangerous than it currently is. If the day ever comes when you could be extorted with ransomware by anyone who had a grudge against you or who saw you, or your business, as a source of income, it would be a sad time, indeed. Well, ladies and gentlemen, sad times are here.

We have now entered the age of Ransomware-as-a-Service (RaaS). You can hire a hacking group to perform a ransomware attack, or you can become an affiliate to the group and agree to help distribute their malware. When you act as an affiliate, you gain a certain percentage of whatever income the organizers rake in.

To become an affiliate of Jokeroo RaaS, for example, you can pay for various affiliate packages. The cheapest package will cost you $90, and it allows you to keep 85% of whatever you make from those you distribute the ransomware to. The remainder goes to the malware operators. You, as an affiliate, will get access to a dashboard which will allow you to see your victims and see whether they have paid or not. For higher-priced packages ($600) you will get to keep more money and receive more services. The technical work will be taken care of by the ransomware owners.

Jokeroo’s ransomware is said to be related to the infamous GandCrab ransomware. (See my post for more information on GandCrab.) In January, the operators of Jokeroo suddenly ‘retired’. They claimed that they had made billions of dollars during their reign and were taking in an average of $2.5 million a week. Who wouldn’t want to get a piece of such action?

But if you signed up for the Jokeroo package, the joke is on you. Apparently, the operators have staged an exit scam. Once they gathered enough cash, they simply disappeared.


Jokeroo may have vanished, but the threat from RaaS is very real. The fact that petty criminals can get to use it without any special skills means that the number of ransomware attacks is bound to increase and will target more than just large organizations. The attacks will filter down to small businesses and even individuals.

When agreeing to be an affiliate, you receive certain privileges. One is that you have some control over the ransomware you are using. For example, you are allowed to rename the ransomware to confuse those you attack. (If victims know the common name of the ransomware, they can find a tool to remove it for free.) This renaming accounts for the large number of supposedly new ransomware variants that appear every week.
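Because an affiliate can rename the payload at will, defenders generally cannot rely on the family name to recognize an attack; what stays constant is the behavior, a single process rewriting many files as ciphertext under an unfamiliar extension. The following is an added example, not code from this post, that flags exactly that pattern from a stream of file-write events. The event format, the process names, the paths and the file contents are all constructed for illustration; the `bytes(range(256))` payload simply stands in for ciphertext, since uniformly distributed bytes have the maximal 8 bits per byte of entropy.

```python
import math
import os
from collections import Counter, defaultdict

# Constructed event format, as a hypothetical endpoint monitor might emit it:
# (timestamp_seconds, process_name, path, content_bytes_written)
SAMPLE_EVENTS = [
    # Benign editor writing readable text to an expected extension.
    (0.0, "winword.exe", r"C:\Users\a\Documents\report.docx", b"Quarterly report draft text. " * 8),
    (0.5, "winword.exe", r"C:\Users\a\Documents\notes.docx", b"Meeting notes for Monday. " * 8),
    # Benign archiver: high-entropy output, but under a known extension.
    (0.7, "archiver.exe", r"C:\Users\a\Backups\photos.zip", bytes(range(256))),
    # Constructed suspicious process rewriting six files as ciphertext under an
    # extension nobody on this host uses, all within a few seconds.
    (1.0, "svchost_update.exe", r"C:\Users\a\Documents\report.docx.x1f9q", bytes(range(256))),
    (2.0, "svchost_update.exe", r"C:\Users\a\Documents\notes.docx.x1f9q", bytes(range(256))),
    (3.0, "svchost_update.exe", r"C:\Users\a\Documents\budget.xlsx.x1f9q", bytes(range(256))),
    (4.0, "svchost_update.exe", r"C:\Users\a\Pictures\family.jpg.x1f9q", bytes(range(256))),
    (5.0, "svchost_update.exe", r"C:\Users\a\Pictures\trip.jpg.x1f9q", bytes(range(256))),
    (6.0, "svchost_update.exe", r"C:\Users\a\Desktop\thesis.pdf.x1f9q", bytes(range(256))),
]

# Extensions we expect to see written on this host (constructed allow-list).
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".jpg", ".zip", ".tmp", ".txt"}

RENAME_THRESHOLD = 5      # distinct suspicious files by one process before alerting
WINDOW_SECONDS = 10.0     # those files must be written within this many seconds
ENTROPY_THRESHOLD = 7.0   # bits per byte; encrypted or compressed data sits near 8


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def has_unknown_extension(path: str, known: set) -> bool:
    """True when the final extension is non-empty and not in the allow-list."""
    ext = os.path.splitext(path)[1].lower()
    return ext != "" and ext not in known


def detect_mass_encryption(events, known_extensions,
                           rename_threshold=RENAME_THRESHOLD,
                           window=WINDOW_SECONDS,
                           entropy_threshold=ENTROPY_THRESHOLD):
    """Return {process: details} for every process that writes at least
    `rename_threshold` distinct high-entropy files under unknown extensions
    inside a sliding window of `window` seconds. The payload's name is never
    consulted, so renaming the malware does not affect the result."""
    suspicious = defaultdict(list)  # process -> [(timestamp, path)]
    for ts, proc, path, content in sorted(events, key=lambda e: e[0]):
        if (has_unknown_extension(path, known_extensions)
                and shannon_entropy(content) >= entropy_threshold):
            suspicious[proc].append((ts, path))

    alerts = {}
    for proc, hits in suspicious.items():
        # Largest number of suspicious writes that fit in one time window.
        times = [t for t, _ in hits]
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= rename_threshold:
            alerts[proc] = {
                "suspicious_files": peak,
                "sample_paths": [p for _, p in hits[:3]],
            }
    return alerts


if __name__ == "__main__":
    for proc, info in detect_mass_encryption(SAMPLE_EVENTS, KNOWN_EXTENSIONS).items():
        print(f"ALERT {proc}: {info['suspicious_files']} files, e.g. {info['sample_paths'][0]}")
```

Two design points are worth noting. The allow-list of extensions is what keeps a legitimate archiver or backup tool, whose output is just as high-entropy as ciphertext, from triggering an alert, so it has to reflect what the host actually writes; and the sliding window is what separates a user renaming a handful of files from a process churning through a whole directory. In a real deployment the thresholds would be tuned per role (a file server sees far more writes than a laptop), and an alert would feed an isolation step rather than only a log line.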

Generally, the attacks follow the same pattern and are installed on computers in all the traditional ways (phishing, infected attached documents, links to malicious websites) that have all been seen before. Sometimes they are not easy to detect, for example when the message looks like an email with an attachment from your boss or a friend. It only takes one person making one mistake on one network endpoint to infect a whole network. (Read about the best architecture for endpoint protection here.) This is what happened in the ransomware attack on the city of Baltimore. At last count, this attack had cost the city tens of millions of dollars as experts continue to work on purging the malware from their network. City officials have, to their credit, still not paid the $100,000 ransom.

But it may get much worse. A great deal of this ransomware originates in Russia, and the Russian government is not shy about using it if they need to. Of course, they will deny this. The Baltimore attack shows how a city can be paralyzed by a ransomware attack. Any organization, any business, any enterprise can be brought down in this way. If Russia really wanted to interfere with the 2020 elections, they could do so with a ransomware attack that could have political implications. They could bring down political organizations at the national, state, or local level. What would, on the surface, appear to be a ransomware attack from a private hacking group, may, in fact, be coordinated with the help of the Russian government.

Since most political organizations depend on donations, they need to promote a serious, professional image. No one wants to give money to an amateurish organization that treats their personal donations or data carelessly. But that’s exactly what organizations look like when they get hit with a ransomware attack. For this reason, hacked organizations may not tell anyone that they have been attacked to preserve their image. They may even pay the ransom and be done with it. When the DNC was hacked, they didn’t want to have the FBI look at their servers and they didn’t want the hack to be reported. The reason? Money. They were afraid the revelation that they were hacked would hurt donations. We will, therefore, hear of far fewer attacks than what actually occur.

In the end, ransomware attacks will continue to increase and continue to produce a good income for the hackers as long as those who get hacked agree to pay the ransom. Amateur hackers may be less inclined to decrypt stolen files even when a ransom is paid. Another problem with more amateurs flooding networks with RaaS attacks is that a major hack could occur by pure chance.

And if you think that all of this is bad news, there is now evidence that there is another hacking-as-a-service threat. There are now nefarious groups offering banking Trojans as a service. For a fee, criminals will agree to hack bank accounts. As if the cyber landscape wasn’t already dangerous enough.
