Piracy in the Digital Age: Ransomware and Ransomware as a Service


Sivan Tehila, co-authored by Jacob Leichter

History is rife with tales of pirates prowling the high seas and bandits lying in wait along highways, searching for goods to hijack or persons to kidnap. Once a mark was acquired, it would be held against a demand for payment in exchange for its release. Even with humanity’s march into the modern age, such practices have not been abandoned. Rather, the buccaneers and highwaymen of yore evolved alongside society. No longer do they prowl the oceans and roads; instead, these criminals have taken up positions in the digital realm. Data is now seized and held for ransom, in an increasingly common phenomenon known as ransomware.

Ransomware is a member of the expansive malware family. The payload can be delivered in a variety of ways, but primarily reaches users via attachments in phishing emails or malicious links. Once on the system, the malware activates itself and begins the encryption process, which can take one of two forms. The first is known as locker ransomware. As the name implies, this type locks down the entire system, preventing users from executing even the most basic of functions. The other variety of ransomware is known as crypto ransomware and targets the files, restricting access to data but not to the device itself. The encryption may take place behind the scenes, with the device owner being none the wiser until a splash screen takes over the display.

While the encryption can be startling enough, the splash screen masterfully plays on anxiety and fear tactics to coerce victims into paying the ransom. The infamous WannaCry cryptoworm of 2017 is an excellent example of the strategy employed by threat actors during ransomware attacks. A red popup was displayed, explaining that the device had been infected and outlining the steps required to liberate the encrypted files. Alongside this text box were two countdown timers; the first tracked when the ransom payment would be increased, while the second ticked towards the more concerning time when compromised files would be completely lost. Other ransomware splash screens feature law enforcement agency logos and accuse the victim of violating various laws, such as possessing illicit media or visiting illegal websites. Alarming red displays, intimidating law enforcement logos, and dire countdown clocks are all scare tactics that play on urgency to drive victims to quickly pay without considering other courses of action.

From its emergence as a threat in the late 1980s, ransomware has persisted as one of the attack vectors of choice for cybercriminals. Studies found that, by Q3 of 2021, ransomware attacks had increased 148% over 2020, totaling 495 million attacks. Additionally, in Q4 of 2020, phishing email campaigns were the attack vector for roughly 50% of ransomware attacks, indicating that this is now the primary delivery method. Unfortunately, there are no signs of these upward trends slowing anytime soon, especially because threat actors continue employing ransomware campaigns as a means of collecting easy and exorbitant payouts. A 2021 study found that 80% of victims who paid the ransom were hit with another attack shortly thereafter. In some cases, following payment, the returned data was corrupted, though the majority of paying companies regained access to their data in a usable format.

While giving in to the demands is of little benefit, the aforementioned scare tactics are often enough to pressure uninformed victims into cooperating, generating steady revenue streams for threat actors and turning ransomware into an industry of its own. This industry has become known as Ransomware as a Service (RaaS) and manifests as a partnership between ransomware operators and their affiliates. The operators develop the malware, offering affiliates such courtesies as 24/7 support, “build your own package” plans, and payment portals for victims to deposit ransoms. The affiliates handle the selection of targets, the deployment of the malware, and the communication with victims to extort ransoms. RaaS arrangements come in one of four models: a monthly subscription involving a flat fee for the ransomware, an affiliate program where a small cut of each attack is returned to the operator, a one-time licensing fee that allows the affiliates to keep all profits earned in attacks, and a pure profit-sharing agreement that divides profits between operators and affiliates based on predetermined percentages. With the popularity of ransomware in recent years, it is likely that RaaS operators will begin offering new features and innovating the service portals to make their products more appealing to threat actors, which will only serve to draw in new affiliates going forward.
