Cybercriminals thriving off DIY ransomware

The self-sustaining ransomware industry earned $692 million from collective attacks in 2020.

28 June 2022

Due to the advent of ransomware-as-a-service (RaaS), ransomware has prospered with the new service model significantly  reducing the barrier of entry, allowing cybercriminals who lack the technical skills to commoditise ransomware, according to the latest report from cyber platform provider Tenable.

Robert Huber, Tenable chief security officer and head of research, said it had indeed become an easy way for cybercriminals to operate ransomware.

"It's run just like a business. And just like a business, certain functions can be contracted out,” Mr Huber said.

"You don't have to be an expert or subject matter expert to actually go out and build a ransomware kit, those components are already available for you."

In 2020 alone, ransomware groups reportedly earned $692 million from their collective attacks, according to Tenable data, a 380% increase over the previous six years combined ($144 million from 2013-19), according to the report.

The success of RaaS has also attracted other players such as affiliates and initial access brokers (IABs) who play prominent roles within the ransomware ecosystem, oftentimes more than ransomware groups themselves.

“In the ransomware world, they have affiliates, they have initial initial access brokers, and then they have the ransomware gangs or the ransomware operators, you can do all three of those functions," Mr Huber explained.

"You can essentially work with one or the other providers to provide that capability for you; instead of having the person actually gaining access to an organisation, it can be farmed out to an affiliate, or an initial access broker.

"Quite honestly, that's a lot of the heavy lifting, that's where some of the technical challenges may occur, or that's where the targeting challenges may occur is getting that initial foothold in the door and a lot of that's been taken off the table."


Explore our cyber training and resources to defend against online threats to your business. Plans start from only $10/month.

Mr Huber said affiliates who earn between 70% to 90% of the ransom payment, are charged with the task of doing the dirty work to gain access to networks through tried-and-true methods such as spear-phishing, deploying brute force attacks on remote desktop protocol (RDP) systems, exploiting unpatched or zero-day vulnerabilities and purchasing stolen credentials from the dark web.

Affiliates may also work with IABs, which are individuals or groups that have already gained access to networks and are selling access to the highest bidder. According to the Tenable research, their fees range on average from $303 for control panel access to as much as $9,874 for RDP access.

"The initial extortion tactic was the ... 'we're just going to encrypt your systems'," Mr Huber said.

"For you to gain access back, you have to pay and we'll unencrypt them, which takes some time to the unencrypted system – it's not like you pay a fee and all of a sudden you have access to your data right away. 

Ransomware’s current dominance was directly linked to the emergence of a technique known as double extortion, according to the Tenable data. The tactic, pioneered by the Maze ransomware group, involves stealing sensitive data from victims and threatening to publish these files on leaked websites, while also encrypting the data so that the victim cannot access it. 

Satnam Narang, senior research engineer at Tenable, said with RaaS and double extortion, Pandora's box had been opened.

"Attackers are finding holes in our current defences and profiting from them,” Mr Narang said.

“The Australian Cyber Security Centre recorded a 15% increase in ransomware cybercrime in 2021. So long as the ransomware ecosystem continues to thrive, so too will the attacks against organisations and governments."

“Ransomware groups have recently added a variety of other extortion techniques to their repertoire, including launching DDoS attacks to contacting customers of their victims, making it even more challenging for defenders. These tactics are part of the ransomware gangs' arsenal for placing additional pressure on victim organisations.

"It's imperative that these entities prepare themselves in advance so they are in the best position possible to defend against and respond to ransomware attacks.”


Train your staff to be the frontline of your defence against cyber attacks with plans starting from $10/month

Found this useful?

Subscribe to our newsletter and receive the best business tips and articles straight to your inbox.

Thank you for signing up to our newsletter. You're one step closer to receiving more insightful information to help better your business.

We take your privacy seriously and by subscribing to our newsletter you agree to the terms of our Privacy Policy available below.