58 percent of malware sold as a service is ransomware

The Kaspersky Digital Footprint Intelligence team has released a new study showing that ransomware has been the most common type of Malware as a Service (MaaS) over the past seven years.

The study is based on research into 97 malware families distributed over the dark web and other sources. The researchers also found that cybercriminals often rent infostealers, botnets, loaders and backdoors to carry out their attacks.

Malware as a Service (MaaS) is an illegal business model in which software is rented out to carry out cyber attacks. In general, such services offer customers a personal account through which they can control the attack, along with technical support. This lowers the initial threshold of expertise cybercriminals need.

Ransomware is the most popular malware as a service

Kaspersky experts examined the sales of various malware families, as well as correspondence, discussions, posts and advertisements related to MaaS on the darknet and other sources, to identify the most popular types. Ransomware, malware that encrypts data and demands payment for decryption, came in first place. It made up 58% of all families distributed under the MaaS model between 2015 and 2022. The popularity of ransomware seems to be related to its ability to generate higher profits in a shorter time than other types of malware.

Cybercriminals can subscribe to Ransomware as a Service (RaaS) for free. Once they become partners in the program, they pay for the service after the attack occurs. The payment is set as a percentage of the ransom paid by the victims and usually ranges from 10% to 40% of the ransom. However, getting into the program is not easy and involves meeting strict requirements.

Infostealers accounted for 24% of the malware families distributed as a service during the period under analysis. These are malicious programs designed to steal data such as credentials, passwords, bank cards and accounts, browser history, crypto wallet data and more.

Infostealer services are paid for on a subscription model and are priced between $100 and $300 per month. For example, Raccoon Stealer, which was discontinued in early February 2023, could be purchased for $275 per month or $150 per week. Its rival RedLine is priced at $150 per month, and there is also the option to purchase a lifetime license for $900, according to information posted by its operators on the darknet. Attackers can also take advantage of additional services for an extra fee.

“The price of the Matanbuchus loader, for example, tends to change over time,” said Alexander Zabrovsky, Kaspersky Digital Footprint Analyst. Its price in June of the current year starts at $4 per month. This type of malware costs more than information thieves. For example, the malicious code itself is more complex and the operator provides all the infrastructure. So those who buy the service do not have to pay extra for bulletproof hosting services. “The very limited number of subscribers of Matanbuchus allows attackers to remain undetected for longer.”

Hierarchy of MaaS components and malicious

Cybercriminals who operate MaaS platforms are often called operators, while those who buy these services are called affiliates. Once the affiliates reach an agreement with the operators, they gain access to all the necessary components of MaaS, such as command and control (C2) panels, programs for rapid generation of unique malware samples, malware and interface upgrades, support, instructions and hosting. The panels are an important component that allows attackers to control and coordinate the activities of infected machines. They allow cybercriminals, for example, to exfiltrate data, negotiate with victims, contact support services, create unique malware samples, and much more.

Some types of MaaS, such as infostealers, allow affiliates to create their own teams. Members of such teams are called traders. These are cybercriminals who distribute malware to increase profits and earn interest, bonuses and other payments from affiliates. Traders do not have access to the command and control panel or other tools. Their sole purpose is to increase the spread of malware. They often achieve this by disguising samples as hacks for accounts and legitimate programs on YouTube and other websites.