Ransomware-as-a-Service: demystifying a multi-billion dollar industry

BSides Prishtina · 2022 · 33:02 · 249 views · Published 2022-05
Category: Technical
Style: Talk
About this talk
Isuf Deliu - Ransomware-as-a-Service: demystifying a multi-billion dollar industry - BSides Prishtina 2022

Ransomware has become one of the main keywords in the cyber security world in recent years. While it has been around for more than 20 years, ransomware today has reached a level that many security professionals consider an industry of its own. Ransomware operators look very much like a legitimate organization, with employees on their payroll, suppliers to facilitate their operations, and partners to maximize their profit. They have an HR department to handle recruitment and employee vacations, a Finance department to manage their expenses, and an IT team to set up their infrastructure. Unlike in the movies, these groups consist of tens or hundreds of cyber criminals and are making billions in revenue.

Despite their popularity, there is still insufficient awareness about their capability, intent, and targets. Many decision-makers believe that their company is not on the “list” of desired targets. Recent trends, especially after the outbreak of the Covid-19 pandemic, have proven the contrary. Ransomware attacks have skyrocketed, targeting even entities that one would not expect.

This presentation will shed some light on the Ransomware-as-a-Service (RaaS) operational model. It will be a short walk-through of the different stages of ransomware's evolution, from a virus developed by an individual and spread to some medical researchers via a floppy disk, to a sophisticated operation run using Initial Access Brokers and Affiliates that has in the past years paralyzed the operations of many organizations worldwide. The differences between simple encryption, double extortion, and triple extortion will be explained.

The presenter will provide a fine balance between strategic and operational/technical details and share real-world references to the main ransomware groups (Conti, Lockbit, Pysa, etc.) and their Tactics, Techniques, and Procedures (TTP). This includes screenshots of their activity on the Dark Web, such as recruitment of new members and sales offerings. The level of detail of this presentation can be adjusted depending on the audience, with the main goal of raising awareness in the security community in Kosovo about the threat that ransomware poses both globally and to the enterprises and public institutions in Kosovo.