Ransomware-as-a-Service
Though Rhysida’s means of attack may be unsophisticated, the business model behind the group is anything but. In recent years, the ransomware “industry” has evolved to a point where groups such as Rhysida now offer what has become known as “Ransomware-as-a-Service” – which to an extent apes the legitimate SaaS business model, as hackers sell their services to “customers” and offer extras such as technical and marketing support on top.
“They maintain the tools, they pick the targets, they deal with the victim of the attack, but then they work side by side with a hacker who they’ll pay to actually carry out the hack and be able to make live decisions while they’re inside the environment,” said Daniel Clayton.
As a result of RaaS, the ransomware industry has specialised, with some hackers focused on phishing or stealing credentials, and others on deploying and developing the software. “Gangs are really good at this,” said Clayton. “They’ve kind of turned ransomware into a business.”
According to Clayton, this new form of attack is called “triple extortion”.
“We started off with ransomware as this technology-driven thing that was really about deploying a malware kit that would go and encrypt certain files in the environment,” he said. “Then they added an extortion element to it, which required them to exfiltrate data. And now what we’re seeing is… the possibility of asking for additional money on top of that.”
The additional income comes from using the exfiltrated data to extort customers of the hacked service. So, for example, you could imagine a criminal gang acquiring the cache of British Library data that has leaked on to the dark web and using that to target library users to demand even more money.