Ransomware in the cloud: becoming a cyber criminal the easy way

By: Max van der Horst, Security Officer

Who wants to be a million… I mean cybercriminal? What if I told you that starting a ransomware campaign is as easy as emailing a support desk? Those are the key questions of this blog. Ransomware is still wreaking havoc everywhere we look, and the common belief seems to be that this is done by large criminal organizations with many years of hacking experience. This is an illusion. Alongside, for example, Software as a Service (SaaS) and Platform as a Service (PaaS), allow me to introduce you to Ransomware as a Service (RaaS).

As a service?

Yes, exactly. The criminal organizations I mentioned earlier took the next step a while back: the ransomware they spread is no longer kept exclusively to themselves; they rent it out. Ransomware is offered for rental on Darknet sites and, I must confess, the system they have behind it is quite sophisticated.

If you think the Bacon of the Month and Dive Bar Shirt Club subscriptions are strange, a ransomware subscription may as well be added to that list. The system works as follows: customers can buy their own copy of the software that is used to generate the ransomware, which the authors have altered to be customizable. Customers are then able to set the amount of ransom they want to demand. Besides the cost of the subscription, the authors often take a percentage of every paid ransom.

This is generally how the business models of these criminals work. They provide subscriptions that allow people to customize and spread the ransomware themselves, and then take a percentage of every successful hit these people make. It turns out to be quite successful: the most common type of ransomware at this moment seems to be the REvil ransomware with 15%, which is Ransomware as a Service[1].


As it turns out, RaaS is surprisingly easy to find. Being curious, I went to look for it myself. In only eight minutes of basic searching on the Tor network, I came across Ranion. Ranion is a RaaS that promises FUD (Fully UnDetectable) ransomware with features such as Windows UAC bypasses, delayed encryption and disabling the Task Manager, ensuring a swift attack that encrypts all indicated files and turns them into .R44S files.

What stands out on Ranion’s homepage is that they do not seem to take a cut from ransom payments. They promise fully functional malware with a Command and Control center, AES-256 encryption and the possibility of encrypting practically every file extension you might come across. There are multiple tiers from which a customer can choose: the Test tier for $120, Standard for $490, Premium for $900 and Elite for $1900 per month respectively. The Test tier is included to allow customers to test Ranion at a lower price, to eliminate the suspicion of the product being a scam. Prices are to be paid in Bitcoin, and buying requires sending an email to their support address.

Let us help you survive ransomware in the cloud

It is a common misconception that cloud components automatically have superior security compared to on-premises installations when it comes to ransomware. While cloud components might be harder for malware to navigate, the assets it is after (data) are just as easy to reach, because cloud storage allows people to synchronize files locally. What cloud does offer, however, is more versatility and security in terms of backing up these data. This might be an overwhelming subject to just jump into, but help has come! Do you think you could use some extra security against the increasing threat of ransomware? Please do not hesitate to give us a call, as we are more than happy to help you survive Ransomware as a Service.
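
Because locally encrypted files are synchronized to cloud storage, a sync or audit log shows such an attack as a burst of files gaining the ransomware's extension. The following is an added example, not part of the original blog or any product: it flags such bursts for the .R44S extension mentioned above and lists the files to restore from backup. The log format, sample lines, threshold and time window are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Extension the blog names for Ranion-encrypted files; extend as needed.
SUSPECT_SUFFIXES = (".r44s",)

# Constructed sample of a sync client's event log (hypothetical format):
# ISO timestamp, user, action, path
SAMPLE_LOG = """\
2021-03-01T09:00:01 alice MODIFY /Shared/Finance/q1.xlsx
2021-03-01T09:14:10 bob RENAME /Shared/Finance/q1.xlsx.R44S
2021-03-01T09:14:11 bob RENAME /Shared/Finance/q2.xlsx.R44S
2021-03-01T09:14:11 bob RENAME /Shared/HR/employee contracts.docx.R44S
2021-03-01T09:14:13 bob RENAME /Shared/HR/payroll.csv.R44S
2021-03-01T09:30:00 carol RENAME /Shared/Notes/old.txt.R44S
2021-03-01T09:45:00 alice CREATE /Shared/Finance/q3.xlsx
"""

def parse(line):
    """Split one log line; the path is last, so it may contain spaces."""
    ts, user, action, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), user, action, path

def find_bursts(log_text, threshold=3, window=timedelta(seconds=60)):
    """Return {user: [paths]} for every user who produced at least
    `threshold` suspect files inside one `window`. The paths are all
    suspect files seen for that user, i.e. the restore candidates."""
    recent = defaultdict(deque)   # user -> timestamps still inside the window
    seen = defaultdict(list)      # user -> every suspect path, in log order
    alerted = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, path = parse(line)
        if action not in ("RENAME", "CREATE", "MODIFY"):
            continue
        if not path.lower().endswith(SUSPECT_SUFFIXES):
            continue
        seen[user].append(path)
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:     # drop events older than the window
            q.popleft()
        if len(q) >= threshold:
            alerted.add(user)
    return {user: seen[user] for user in alerted}

if __name__ == "__main__":
    for user, paths in find_bursts(SAMPLE_LOG).items():
        print(f"ALERT {user}: {len(paths)} files to restore from backup")
```

A single stray .R44S file (carol in the sample) stays below the threshold, so only the burst from one account raises an alert.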

[1] https://pentestmag.com/ransomware-statistics-trends-and-facts-for-2020-and-beyond/