RaaS landscape widens

Ransomware-as-a-Service is a cyber-security term referring to criminal gangs that rent ransomware to other groups, either via a dedicated portal or via threads on hacking forums.

RaaS portals work by providing a ready-made ransomware code to other gangs. These gangs, often called RaaS clients or affiliates, rent the ransomware code, customize it using options provided by the RaaS, and then deploy in real-world attacks via a method of their choosing.

These methods vary between RaaS affiliates and can include email spear-phishing attacks, en-masse indiscriminate email spam campaigns, the use of compromised RDP credentials to gain access to corporate networks, or the use of vulnerabilities in networking devices to gain access to internal enterprise networks.

Payments from these incidents, regardless of how the affiliates managed to infect a victim, go to the RaaS gang, who keeps a small percentage and then forwards the rest to the affiliate.

RaaS offerings have been around since 2017, and they have been widely adopted as they allow non-technical criminal gangs to spread ransomware without needing to know how to code and deal with advanced cryptography concepts.

The RaaS tiers

According to a report published today by Intel 471, there are currently around 25 RaaS offerings being advertised on the underground hacking

While there are ransomware gangs who operate without renting their “product” to other groups, the number of RaaS portals available today far exceeds what many security experts thought could be available and shows the plethora of options that criminal gangs have at their disposal if they ever choose to dip their toes in the ransomware game.

But not all RaaS offerings provide the same features. Intel 471 says it’s been tracking these services across three different tiers, depending on the RaaS’ sophistication, features, and proven history.

Tier 1 is for the most well-known ransomware operations today. To be classified as a Tier 1 RaaS, these operations have to have been around for months, have proven the viability of their code through a large number of attacks, and have continued to operate despite public

This tier includes the likes of REvil, Netwalker, DopplePaymer, Egregor (Maze), and Ryuk.

With the exception of Ryuk, all Tier 1 operators also run dedicated “leak sites” where they name-and-shame victims as part of their well-oiled extortion cartel.

These gangs also use a wide variety of intrusion vectors, each depending on the type of affiliates they recruit. They can breach networks by exploiting bugs in networking devices (by recruiting networking experts), they can drop their ransomware payload on systems already infected by other malware (by working with other malware cartels), or they can gain access to company networks via RDP connections (by working with brute-force botnet operators or sellers of compromised RDP credentials).

Tier 2 is for RaaS portals that have gained a reputation on the hacking underground, provide access to advanced ransomware strains, but have yet to reach the same number of affiliates and attacks as Tier 1 operators.

This list includes the likes of Avaddon, Conti, Clop, DarkSide, Mespinoza (Pysa), RagnarLocker, Ranzy (Ako), SunCrypt, and Thanos — and these are effectively the up-and-comers of the ransomware world.


Tier 3 is for newly launched RaaS portals or for RaaS offerings about which there’s limited to no information available. In some cases, it is unclear if any of these are still up and running or if their authors gave up after trying and failing to get their portals off the ground.

This list currently includes the likes of CVartek.u45, Exorcist, Gothmog, Lolkek, Muchlove, Nemty, Rush, Wally, Xinof, Zeoticus, and (late arrival) ZagreuS.


All in all, while the underground cybercrime ecosystem is generating profits through criminal activity, it is still a market, and, just like all markets, it is governed by the same principles that guide any other market today.

A large number of service providers is the tell-tale sign of a booming economy that is far from being saturated. Saturating the RaaS market will only happen when criminals create more RaaS portals than affiliate groups are willing to sign up for or when companies bolster their security measures, making intrusion harder to carry out, drying up profits for crooks.

Source: ZDNet

Ransom Groups are not too honest 👎

Ransomware gangs are increasingly likely to break their promise not to leak stolen data once a victim has paid them, Coveware has warned.

However, the tactic has now reached a tipping point, with groups such as Sodinokibi, Maze, Netwalker, Mespinoza and Conti starting to publish data even after payment, and/or demanding that a second ransom be paid to avoid publication.

Despite some companies opting to pay threat actors not to release exfiltrated data, Coveware has seen a fraying of the cyber-criminals' promises to delete the data. Victims should think carefully about this before deciding how to respond.

“Paying a threat actor does not discharge any of the above, and given the results that we have recently witnessed, paying a threat actor not to leak stolen data provides almost no benefit to the victim.”

Nevertheless, despite the headline attacks on big-name brands, SMBs are disproportionately affected by ransomware.

RDP continues to be the most important attack vector for ransomware groups, and with the supply of compromised credentials exceeding demand, barriers to entry will continue to fall, allowing less technically sophisticated cyber-criminals to get involved in ransomware, Coveware warned.

“Until companies effectively heed the risk of an improperly secured RDP connection, this attack vector will continue to be the most cost-effective target for ransomware threat actors to exploit.”

A defence-in-depth strategy should be adopted to prevent, or at least contain, such attacks.


FONIX is a relatively new Ransomware as a Service (RaaS) developed by crypters. The number of victims associated with this threat actor is small so far.

The ransomware authors don’t require the payment of a fee to become an affiliate of the service; the operators only keep a percentage of any ransoms from their affiliate network. It is believed it will become rampant quickly as time passes.

Fonix RaaS

The communications with the RaaS operators are carried out via email.

“Based on current intelligence, we know that FONIX affiliates do not get provided with a decryptor utility or keys at first. Instead, victims first contact the affiliate (buyer) via email as described above. The affiliate then requests a few files from the victim. These include two small files for decryption: one is to provide proof to the victim, the other is the file “cpriv.key” from the infected host. The affiliate is then required to send those files to the FONIX authors, who decrypt the files, after which they can be sent to the victims.” continues the analysis.

“Presumably, once the victim is satisfied that decryption is possible, the affiliate provides a payment address (BTC wallet). The victim then pays the affiliate, with the affiliate in turn supplying the FONIX authors with their 25% cut.”

The ransomware uses a combination of AES, ChaCha, RSA, and Salsa20 to encrypt a victim’s files and appends a .XINOF extension. It encrypts files on Windows only, skipping the Windows operating system files.

Upon executing the payload with administrative privileges, the following system changes are made:

  • Task Manager is disabled
  • Persistence is achieved via scheduled task, Startup folder inclusion, and the registry (Run AND RunOnce)
  • System file permissions are modified
  • Persistent copies of the payload have their attributes set to hidden
  • A hidden service is created for persistence (Windows 10)
  • Drive / Volume labels are changed (to “XINOF”)
  • Volume Shadow Copies are deleted (vssadmin, wmic)
  • System recovery options are manipulated/disabled (bcdedit)
  • Safeboot options are manipulated
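A defender's view of that list, as an added example that is not from the page or from the FONIX analysis it quotes: a small Python detector that tags process-creation command lines matching those behaviours (shadow-copy deletion, bcdedit recovery and safeboot changes, Task Manager and Run/RunOnce registry edits, scheduled tasks, services, the XINOF volume label) and flags a host only when several distinct ones co-occur. The rule regexes, the threshold and the sample events are assumptions constructed for illustration, not FONIX's actual command lines.

```python
import re

# Detection rules keyed to the behaviours listed above. Regexes are assumptions
# to be tuned against your own telemetry; each is applied to a process command
# line as a Sysmon Event ID 1 or Security 4688 collector would record it.
RULES = {
    "shadow_copy_deletion": re.compile(r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I),
    "recovery_disabled": re.compile(r"bcdedit(\.exe)?\s.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
    "safeboot_tampering": re.compile(r"bcdedit(\.exe)?\s.*(/set|/deletevalue)\s.*safeboot", re.I),
    "taskmgr_disabled": re.compile(r"reg(\.exe)?\s+add\s.*DisableTaskMgr", re.I),
    "run_key_persistence": re.compile(r"reg(\.exe)?\s+add\s.*\\CurrentVersion\\Run(Once)?\b", re.I),
    "scheduled_task_persistence": re.compile(r"schtasks(\.exe)?\s+/create\b", re.I),
    "service_persistence": re.compile(r"\bsc(\.exe)?\s+create\b", re.I),
    "volume_relabel": re.compile(r"\blabel(\.exe)?\s+[a-z]:\s*xinof\b", re.I),
}

def classify(cmdline):
    """Return the names of every rule that matches one command line."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]

def score_host(events, threshold=3):
    """events: iterable of (host, cmdline). Returns {host: set(rule names)} for
    hosts where the number of DISTINCT matched behaviours reaches the threshold.
    One hit alone (e.g. a backup job calling vssadmin) is noise; several distinct
    tampering behaviours on the same host is the signal worth paging on."""
    hits = {}
    for host, cmd in events:
        for name in classify(cmd):
            hits.setdefault(host, set()).add(name)
    return {h: s for h, s in hits.items() if len(s) >= threshold}

# Constructed sample telemetry (hypothetical hosts and command lines).
SAMPLE_EVENTS = [
    ("ws01", "vssadmin.exe delete shadows /all /quiet"),
    ("ws01", "bcdedit.exe /set {default} recoveryenabled no"),
    ("ws01", "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"),
    ("ws01", "reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v upd /t REG_SZ /d C:\\Users\\Public\\upd.exe /f"),
    ("ws01", "reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v DisableTaskMgr /t REG_DWORD /d 1 /f"),
    ("ws01", "label.exe C: XINOF"),
    ("srv02", "vssadmin.exe delete shadows /for=D: /oldest"),  # lone backup-job hit
    ("srv02", "schtasks.exe /create /tn Backup /tr backup.bat /sc daily"),
]

if __name__ == "__main__":
    for host, rules in score_host(SAMPLE_EVENTS).items():
        print(host, sorted(rules))
```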

It’s an aggressive yet low-key affair. But ransomware is a serious threat that needs to be countered with BCP measures and decent security hygiene.

PayTM fortress breached

Paytm Mall, the e-commerce arm of unicorn Paytm, has suffered a “massive” data breach and a cybercrime group has demanded ransom as it has gained unrestricted access to the platform’s entire database.

Hacker group John Wick is said to be responsible for the Paytm Mall database breach. “According to sources, the perpetrator claimed the hack happened due to an insider at Paytm Mall. The claims, however, are unverified, but possible,” the report said. The ransom demanded was pegged at 10 ETH (ether coins), equivalent to $4,000.

John Wick is a notorious hacking group or actor who broke into multiple Indian companies and collected ransoms from various organisations. The actor has other aliases such as “South Korea” and “HCKINDIA”. One of the tactics used by this group is “to act” as a grey-hat hacker and offer help to companies or victims to fix their bugs, the report added.

The report comes a month after a reported ransomware attack on Indiabulls Group, in which the hackers threatened to leak critical data owned by its group firms, such as account transaction details, vouchers and letters sent to bank managers, and a similar data breach affecting 1.29 million users of Gurugram-based online marketplace LimeRoad.