VaaS - A New Way to Make Money in the Digital Era? (ENG)
By Ahmad Faizun
The term advanced persistent threat (APT) refers to cybercriminals with sophisticated
capabilities and strong motivation, whether political (state-sponsored), financial
(cybercrime), or ideological (hacktivism), for targeted attacks. APTs generally operate as
groups, sometimes with an international presence. Beyond in-depth knowledge of computers
and networks, they may also be familiar with esoteric hardware and with financial systems,
skills they need to reach their goals.
In Indonesia, information about RaaS surfaced with the recent, infamous ransomware attack
on one of the country's major banks, Bank Syariah Indonesia (BSI).
The LockBit ransomware group released 1.5 TB of employee and customer data on the
Internet after its ransom demand of Rp 900 billion went unpaid. The attack halted the
bank's operations for 3 days until transaction data was recovered, and the reputational
damage eroded customer trust: many customers moved their funds to other banks, and BSI's
share price (ticker BRIS) fell to the exchange's Auto Reject Lower (ARB) limit, the maximum
daily decline at which further sell orders are rejected.
Is BSI Bank the only one hurt by this kind of attack?
This kind of attack has spread globally and affected many industries in many countries.
Why can ransomware make money for hackers?
Ransomware operations now stack four or five layers of extortion, commonly counted as
encrypting the data, threatening to leak stolen copies, DDoS against the victim, and direct
pressure on its customers, partners or the press. The deeper and wider the extortion, the
more damage the attack does to the organization, and, as the figures below show, a ransom
demand pays off for the attacker often enough to be profitable on average.
This paper is not a comprehensive analysis of ransomware; our aim is to raise security
awareness among practitioners and government officials so that serious action is taken on
this kind of security issue.
What is RaaS?
Ransomware as a Service (RaaS) is a business model between ransomware operators and their
affiliates in which the affiliate pays to launch an operator-developed ransomware attack. Think
of ransomware as a service as a variation of the software as a service (SaaS) business model.
RaaS kits allow affiliates with neither the skill nor the time to develop their own ransomware
variant to get up and running quickly and affordably. They are easy to find on the dark web,
where they are advertised the same way items are advertised on the legitimate web.
RaaS kits may include 24/7 support, bundled offerings, user reviews, forums and other
features identical to those of legitimate SaaS providers. Prices range from $40 per month to
several thousand dollars, a trivial amount considering that the average ransom demand in
2021 was $6 million. A threat actor does not need every attack to succeed in order to get rich.
Anyone with internet access, young or old, can join the RaaS ecosystem and make some
money. This has become the industrial model of criminal hacking.
There are 4 common RaaS revenue models:
1. Monthly subscription for a flat fee
2. Affiliate programs, which are the same as a monthly fee model but with a percentage of profits
(usually 20-30%) going to the ransomware developers
3. One-time license fee without revenue sharing
4. Pure profit sharing
RaaS has been offered for as little as $39 on the dark net; the Stampado kit reported in 2016
is the usual example. Stampado encrypts files and gives victims 96 hours to pay the ransom.
It was advertised as completely undetectable and deliverable as .exe, .bat, .dll, .scr or .cmd
files, and it deletes randomly selected files every six hours while the ransom goes unpaid.
In case potential buyers thought $39 for a ransomware subscription was too good to be true,
the creators published a YouTube video showing the program in action.
Because most underground actors cannot write their own malware, the deep and dark web
provides a huge client base for malware as a service (MaaS). Aspiring threat actors can buy
robust, ready-to-use, simple malware for a few dozen to a few hundred dollars, which lets
anyone launch more complex cyberattacks regardless of technical skill.
With some luck and nerve, beginners with little knowledge of hacking can become part of this
criminal industry. That is the business side; how does the malware itself work?
To succeed, ransomware needs to gain access to the target system, encrypt files there, and
demand a ransom from the victim. While implementation details vary from one ransomware
variant to another, all share the same three core stages: initial access, encryption, and the
ransom demand.
The most common access vector is a phishing email. The malicious email may contain links to
websites hosting malicious downloads, or attachments with a built-in downloader. If the
recipient falls for the phish, the ransomware is downloaded and run on their computer.
Another popular infection vector abuses exposed services such as Remote Desktop Protocol
(RDP). An attacker who has stolen or guessed an employee's credentials can use them to
authenticate over RDP and remotely access computers inside the corporate network, then
download the malware directly and execute it on the machines they control.
Others infect the system directly by exploiting a vulnerability, as WannaCry did with the
EternalBlue exploit for the SMBv1 flaw (MS17-010). Most ransomware variants support
multiple infection vectors.
Once the ransomware has access, it can start encrypting files. Since cryptographic primitives
are either built into the operating system or trivially bundled, this simply involves reading
each file, encrypting it with a key the attacker controls (typically a random symmetric key,
itself encrypted with the operator's public key), and replacing the original with the encrypted
version. Most variants select the files to encrypt carefully so that the system stays stable
enough to boot and display the ransom note. Some also delete backups and volume shadow
copies so that recovery without the decryption key is as hard as possible.
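The two behaviours just described, credential guessing over RDP and deletion of shadow copies before encryption, are the ones a defender can actually observe. The following Go program is an added example written for this article, not code from the original page or from any vendor. It runs two detections over constructed sample events in a simplified key=value form, which is an assumption of the example (real Windows Security or Sysmon events would be parsed from EVTX or JSON, but the logic is the same): events 4625/4624 with logon type 10 for failed RDP logons followed by a success, and process-creation (4688) command lines matching the well-known shadow-copy and recovery-disabling commands.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample events (not from any real incident) in a simplified
// key=value form assumed by this example. 4625 = failed logon, 4624 = successful
// logon, logon_type 10 = RemoteInteractive (RDP), 4688 = process creation.
var sampleEvents = []string{
	`ts=2023-05-08T01:00:01 event=4625 logon_type=10 src=203.0.113.7 user=admin`,
	`ts=2023-05-08T01:00:02 event=4625 logon_type=10 src=203.0.113.7 user=administrator`,
	`ts=2023-05-08T01:00:03 event=4625 logon_type=10 src=203.0.113.7 user=it.support`,
	`ts=2023-05-08T01:00:04 event=4625 logon_type=10 src=203.0.113.7 user=backup`,
	`ts=2023-05-08T01:00:05 event=4625 logon_type=10 src=203.0.113.7 user=sqlsvc`,
	`ts=2023-05-08T01:00:06 event=4625 logon_type=10 src=203.0.113.7 user=helpdesk`,
	`ts=2023-05-08T01:00:07 event=4624 logon_type=10 src=203.0.113.7 user=helpdesk`,
	`ts=2023-05-08T01:00:09 event=4625 logon_type=2 src=10.0.0.5 user=alice`,
	`ts=2023-05-08T01:10:00 event=4688 host=FS01 cmd="vssadmin.exe delete shadows /all /quiet"`,
	`ts=2023-05-08T01:10:01 event=4688 host=FS01 cmd="wmic.exe shadowcopy delete"`,
	`ts=2023-05-08T01:10:02 event=4688 host=FS01 cmd="bcdedit.exe /set {default} recoveryenabled no"`,
	`ts=2023-05-08T01:10:03 event=4688 host=WS12 cmd="vssadmin.exe list shadows"`,
}

var kv = regexp.MustCompile(`(\w+)=("([^"]*)"|\S+)`)

// parseEvent turns one line into a field map, honouring double-quoted values.
func parseEvent(line string) map[string]string {
	f := map[string]string{}
	for _, m := range kv.FindAllStringSubmatch(line, -1) {
		v := m[2]
		if strings.HasPrefix(v, `"`) {
			v = m[3]
		}
		f[m[1]] = v
	}
	return f
}

// RDPHit summarises one source: how many RDP logons failed and whether a
// successful RDP logon from the same source followed the failures.
type RDPHit struct {
	Failures  int
	Succeeded bool
}

// RDPGuessing reports every source with at least threshold failed RDP logons.
// Console, service and batch logons (other logon types) are ignored.
func RDPGuessing(lines []string, threshold int) map[string]RDPHit {
	acc := map[string]RDPHit{}
	for _, l := range lines {
		f := parseEvent(l)
		if f["logon_type"] != "10" {
			continue
		}
		h := acc[f["src"]]
		switch f["event"] {
		case "4625":
			h.Failures++
		case "4624":
			if h.Failures >= threshold { // a guess that finally worked
				h.Succeeded = true
			}
		}
		acc[f["src"]] = h
	}
	hits := map[string]RDPHit{}
	for src, h := range acc {
		if h.Failures >= threshold {
			hits[src] = h
		}
	}
	return hits
}

// Command lines ransomware commonly runs to destroy shadow copies and recovery
// options before encrypting. "vssadmin list shadows" is administrative and is not matched.
var backupTamper = []*regexp.Regexp{
	regexp.MustCompile(`(?i)\bvssadmin(\.exe)?\s+delete\s+shadows`),
	regexp.MustCompile(`(?i)\bwmic(\.exe)?\s+shadowcopy\s+delete`),
	regexp.MustCompile(`(?i)\bwbadmin(\.exe)?\s+delete\s+catalog`),
	regexp.MustCompile(`(?i)\bbcdedit(\.exe)?\b.*recoveryenabled\s+no`),
}

// BackupTampering returns "host: command" for each process-creation event whose
// command line matches one of the patterns above.
func BackupTampering(lines []string) []string {
	var hits []string
	for _, l := range lines {
		f := parseEvent(l)
		if f["event"] != "4688" {
			continue
		}
		for _, p := range backupTamper {
			if p.MatchString(f["cmd"]) {
				hits = append(hits, f["host"]+": "+f["cmd"])
				break
			}
		}
	}
	return hits
}

func main() {
	for src, h := range RDPGuessing(sampleEvents, 5) {
		fmt.Printf("RDP guessing from %s: %d failures, success afterwards: %v\n", src, h.Failures, h.Succeeded)
	}
	for _, h := range BackupTampering(sampleEvents) {
		fmt.Println("backup tampering:", h)
	}
}
```

The threshold of five failures is illustrative; in production the count would be windowed by time and known scanners excluded. The "success after failures" flag is the alert that matters, since a source that guessed until it got in is exactly the RDP scenario described above, and a shadow-copy deletion on a file server is usually the last warning before encryption starts.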
Once file encryption is complete, the ransomware is ready to make its demand. Variants
implement this differently, but commonly the desktop background is changed to a ransom note,
or a text file containing the note is placed in each encrypted directory. Typically the note
asks for a certain amount of cryptocurrency in exchange for access to the victim's files. If
the ransom is paid, the operator provides a copy of the private key used to protect the
symmetric encryption key, or a copy of the symmetric key itself. This is entered into a
decryption program, also provided by the criminals, which reverses the encryption and
restores access to the files.
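The key handling described above (a random symmetric key per file or victim, wrapped with the operator's public key and released only after payment) in working Go, as an added example written for this article and not code from any ransomware family or from the author. It encrypts in-memory byte strings only, never files; the 2048-bit RSA-OAEP wrap and AES-256-GCM choices are assumptions of the example. It shows why nothing left on the victim's machine can recover the data:

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Package is what stays on the victim's disk beside an encrypted file: the
// per-file AES key wrapped under the operator's RSA public key, the GCM nonce
// and the ciphertext. Neither the plaintext AES key nor the RSA private key is in it.
type Package struct {
	WrappedKey []byte // RSA-OAEP(operatorPub, aesKey)
	Nonce      []byte // GCM nonce, 12 bytes
	Ciphertext []byte // AES-256-GCM(aesKey, nonce, plaintext)
}

// OperatorKeyPair models the operator's long-lived key pair. Only the public
// half is compiled into the payload; the private half never leaves the operator.
// 2048-bit RSA is an assumption of this example.
func OperatorKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// EncryptForOperator is the victim-side step: draw a fresh random AES-256 key,
// encrypt the data with it, wrap the key with the operator's public key, then
// wipe the plaintext key. Nothing left on the victim side can unwrap it.
func EncryptForOperator(pub *rsa.PublicKey, plaintext []byte) (*Package, error) {
	aesKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, aesKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, aesKey, nil)
	if err != nil {
		return nil, err
	}
	for i := range aesKey { // the only surviving copy of the key is inside WrappedKey
		aesKey[i] = 0
	}
	return &Package{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// UnwrapKey is the operator-side step after payment: recover the AES key with
// the private key. Any other private key fails the OAEP integrity check.
func UnwrapKey(priv *rsa.PrivateKey, pkg *Package) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, pkg.WrappedKey, nil)
}

// DecryptWithKey is the "decryptor" handed to the victim: it needs only the
// released AES key, never the operator's private key.
func DecryptWithKey(aesKey []byte, pkg *Package) ([]byte, error) {
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, pkg.Nonce, pkg.Ciphertext, nil)
}

func main() {
	operator, _ := OperatorKeyPair()
	doc := []byte("constructed sample: customer ledger 2023-05-08") // constructed input, not real data
	pkg, _ := EncryptForOperator(&operator.PublicKey, doc)

	// Victim side: only ciphertext and a wrapped key remain.
	fmt.Println("ciphertext differs from plaintext:", !bytes.Equal(pkg.Ciphertext, doc))

	// Someone else's private key (a leaked key from another group, say) cannot unwrap it.
	other, _ := OperatorKeyPair()
	_, err := UnwrapKey(other, pkg)
	fmt.Println("wrong private key rejected:", err != nil)

	// After payment the operator releases the unwrapped AES key; the decryptor restores the file.
	key, _ := UnwrapKey(operator, pkg)
	out, _ := DecryptWithKey(key, pkg)
	fmt.Println("restored:", bytes.Equal(out, doc))
}
```

The design choice is the whole business model: brute-forcing a 256-bit AES key is infeasible and the wrapped key opens only with the operator's private key, so the victim has no path to the data except backups or payment. For an incident responder the practical consequence is that a released key or decryptor should be tried on copies first, since, as the Cybereason figures in this paper show, decrypted data is not always intact.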
While these three core steps are present in every ransomware variant, implementations differ
and may add steps. Maze, for example, scans files and registry information and exfiltrates
data before encrypting it, the basis of double extortion, and WannaCry scans for other
vulnerable devices to infect and encrypt.
There are many types of malware, and they can complement each other during an attack.
• A botnet (short for robot network) consists of compromised computers that communicate with
each other over the internet. Command and control servers use them to send spam, perform
distributed denial-of-service (DDoS) attacks and commit other crimes.
• A worm propagates itself through computer networks and performs malicious actions without
human guidance.
• A trojan acts as, or is embedded within, a legitimate program but is designed for malicious
purposes such as spying, stealing data, deleting files, expanding botnets, and carrying out
DDoS attacks. Once installed it typically lets its operator:
  • monitor the user's actions
  • execute commands
  • log keystrokes
  • take screenshots
• File infectors infect executable files (such as .exe) by overwriting them or inserting
malicious code that disables them.
• Ransomware stops users from accessing their devices or data and demands payment via
certain online payment methods to regain access. A variant, police ransomware, uses law
enforcement symbols to lend authority to the ransom message.
• Scareware is fake antivirus software that pretends to scan and find malware or security
threats on a user's device so they will pay to remove them.
• Spyware is installed on computers without the owner's knowledge to monitor their activity
and transmit information.
Dozens of ransomware variants exist, each with its own characteristics, but some groups are
more prolific and successful than others and stand out from the rest:
1. Ryuk
2. Maze
3. REvil (Sodinokibi)
4. LockBit
5. DearCry
6. Lapsus$
A study by our colleagues showed that a well-built ransomware kit was not detected by any of
the antivirus products tested. Only one flagged the file as suspicious, and even it could not
classify the file as ransomware. With the $1,500 compiler library sold by the kit's makers,
signatures and similar detection aids no longer applied at all, and no antivirus was able to
detect the output; detection therefore has to rest on behaviour, such as the shadow-copy
deletion described above, rather than on file signatures.
In a Cybereason study, for example, of the organizations that reported paying a ransom after a
successful attack, only 42 percent said the payment resulted in restoration of all services and
data; 54 percent said some services had returned to normal but problems persisted, or some
data was corrupted after decryption.
Congress should not try to address the ransomware threat by making ransom payments to
cybercriminals illegal, a top FBI official told US lawmakers on Tuesday.
Prohibiting ransom payments could unintentionally create opportunities for further extortion
by ransomware gangs, said Bryan Vorndran, assistant director of the FBI's cyber division.
"If we prohibit paying ransoms now, you are putting US companies in a position to face yet
another extortion: being blackmailed for paying the ransom and not sharing that with the
authorities," Vorndran said at a Senate Judiciary Committee hearing on ransomware.
Transportation Security Administration administrator David Pekoske said paying a ransom
should be a "business decision and a security decision with government guidance."
Any intention to ban payments must therefore first consider how to build organizations'
cybersecurity maturity, and how to provide a backstop that lets an organization survive the
initial period of extreme stress. Ideally such an approach would be coordinated internationally,
to avoid handing ransomware attackers yet another avenue.
Paying the ransom does not guarantee that you get 100% of your data back; in fact, it may
invite the next level of extortion. Prohibiting payment, however, can lead to unreported
attacks and higher risk for victims. We suggest that the decision to pay or not to pay should
rest with the business owner, who best understands whether the business remains a going
concern and can weigh outright bankruptcy against the losses caused by the attack.
Government view
For governments, we suggest building a strong team to assist business owners, citizens and all
government agencies with adequate protection, education and post-attack action plans.
We can learn from the US, which has the Patriot Act, OFAC and the FBI to monitor attacks,
take countermeasures, and recover business owners' money after ransomware attacks, working
with blockchain-analytics firms such as Chainalysis. Examples of their successes:
• In 2020, helping law enforcement recover more than $1 billion tied to the Silk Road dark
web market.
• The DOJ and FBI infiltrated the Hive ransomware network, saving victims about US$130
million in ransom demands.
• In October 2019, Chainalysis helped the US Department of Justice shut down the world's
largest child abuse website.
• It also assisted in attributing seven 2021 cryptocurrency thefts to North Korea's Lazarus
Group.
• Working with American investigators and South Korea's National Intelligence Service,
Chainalysis traced $100 million stolen from the California cryptocurrency firm Harmony to
North Korean hackers, who have stolen billions of dollars from banks and cryptocurrency firms
to fund the country's missile program. $1 million of the stolen funds was recovered in April
2023.
Why is government intervention needed? Hackers stole a record $3 billion in cryptocurrency in
2022. Criminals laundered $8.6 billion (£6.4 billion) worth of cryptocurrency in 2021, up 30%
from the previous year. Illicit crypto transactions reached a high of US$20 billion in 2022.
The crypto market cap stood at $1.1 trillion, down from $2.1 trillion a few months earlier.
These facts set a baseline: the government must protect its citizens from security threats in
the era of digital money. Chain-analysis tools alone will not be enough, because mixing
services reachable through the dark web obfuscate crypto transactions and privacy coins such
as Monero hide the true owner of assets, leaving law enforcement such as the FBI with yet
another challenge in tracing stolen crypto or ransom payments back to the actual criminals.
More and more Americans are already using digital assets, and we are sure that the millennial
generation in Indonesia will soon follow this pattern.
According to a March 2022 NBC News poll, 1 in 5 Americans have invested in, traded, or used
digital assets. That figure rises to 50% for men aged 18 to 49, 42% for everyone aged 18 to 34,
and 40% for Black Americans. According to the blockchain analytics firm Chainalysis, total
transaction volume across all digital assets rose 567% in 2021 to $15.8 trillion. Adoption is
accelerating: according to Deloitte research, almost 75% of businesses expect to accept digital
assets as payment within the next two years.
Data on the blockchain is as ripe for exploitation as data obtained through hacking, social
media, or data brokers, since it gives foreign adversaries a window into many aspects of
American life. More worrying, it lets foreign governments track user activity and movements
in near real time, because transactions are publicly posted to most blockchains within about
10 minutes. If I buy a cup of coffee at my local coffee shop with most digital assets, a foreign
government can know where I am within 10 minutes. Foreign governments are known to collect
and exploit data on US citizens through many channels and for many purposes. For years,
China has run campaigns to steal the personal data of American citizens and businesses, using
it to drive artificial intelligence and research and development programs and to further its
military and economic goals. More recently, China has turned its internal surveillance
apparatus outward, analysing Western social media and other publicly available data to supply
information on foreign targets and government critics to the Chinese government, military,
and police.
We need to protect ourselves now more than ever. Given the cyber war between the US and
China, it is entirely possible that we become collateral victims, because we willingly hand our
data to them through the transactions we make on e-commerce platforms, technology platforms
and many others.
We need to start adopting best practices to protect our data privacy, either through the efforts
of individuals and of each company, or by providing strong data protection across the country
using our own national internet technology, technology-independent protocols and encryption.
We are in a race against time and technology globally, and we must embrace the latest data
protection frameworks and technologies to the highest and optimal level.
References:
Chainalysis - Wikipedia
Chainalysis In Action: How FBI Investigators Traced DarkSide's Funds Following the Colonial
Pipeline Ransomware Attack - Chainalysis
Cybercriminals Turn to Android Loaders on Dark Web to Evade Google Play Security
Dark Web Recruitment: How Ransomware Groups Hire Cybercriminal Talent - ReliaQuest
Defending Against Ransomware Attacks: 11 Best Practices for Success - CBI, A Converge
Company
Diserang Ransomware dan Isu Data Dibobol, Harga Saham BSI (BRIS) Langsung Terhempas
hingga ARB
DOJ, FBI hack Hive Network, save US$130 mln from crypto ransomware attacks
Dugaan Serangan Ransomware Lockbit 3.0 di BSI, 1,5 TB Data Nasabah BSI Dicuri
Evaluation by Chainalysis Declare 2022 to be "The Year of Crypto Thefts" - CySecurity News -
Latest Information Security and Hacking Incidents
FBI Busts Russian-Linked Cybercrime Group Behind Colonial Pipeline Attack Via Chainalysis'
Crypto-Tracer
FBI Infiltrated Hive Network, Blocking Over $130 Million in Crypto Ransomware - Decrypt
FBI: Hackers Are Exploiting DeFi Bugs to Steal Funds - Infosecurity Magazine
Hackers have stolen record $3 billion in cryptocurrency this year - CBS News
https://aipol.org/wp-content/uploads/2022/06/AiPol-Police-Journal-June-2022.pdf
https://arxiv.org/pdf/2211.15405.pdf
https://brandefense.io/blog/dark-web/top-deep-web-websites-for-threat-intelligence/
https://broadbandindiaforum.in/wp-content/uploads/2022/03/Crypto-Crime-2022.pdf
https://cybersecurityventures.com/global-ransomware-damage-costs-predicted-to-reach-250-
billion-usd-by-2031/
https://cybersixgill.com/news/articles/apts-on-the-deep-dark-web
https://databoks.katadata.co.id/datapublish/2023/05/15/klaim-serang-bsi-lockbit-termasuk-grup-
ransomware-top-global
https://f.hubspotusercontent20.net/hubfs/7288424/Reports%20and%20White%20Papers/
CYWARE_Final_Ransomware_Index%20Update%20Q321-CSW%20-%20Nov%209.pdf?
https://gbhackers.com/ransomware-as-a-service-2/
https://investor.id/market/329646/diserang-ransomware-dan-isu-data-dibobol-harga-saham-bsi-
bris-langsung-terhempas-hingga-arb
https://keuangan.kontan.co.id/news/dugaan-serangan-ransomware-lockbit-30-di-bsi-15-tb-data-
nasabah-bsi-dicuri
https://logrhythm.com/uws-ransomware-as-a-service-white-paper-ppc/
https://www.cisa.gov/stopransomware
https://publications.parliament.uk/pa/ld5803/ldselect/ldfraudact/87/87.pdf
https://securityandtechnology.org/wp-content/uploads/2021/09/IST-Ransomware-Task-Force-
Report.pdf
https://techinformed.com/ransomware-youve-been-hacked-so-whats-the-plan/
https://theblockchaintest.com/uploads/resources/Chainalysys%20-%20Crypto%20Crime
%20Report%20-%202022%20Feb.pdf
https://theblockchaintest.com/uploads/resources/Chainanalysis%20-%20Ransomware%202021-
Critical%20mid-year%20update%20-%202021%20-%20may.pdf
https://thehackernews.com/2023/04/cybercriminals-turn-to-android-loaders.html
https://venafi.com/blog/babuk-source-code-darkside-custom-listings-exposing-thriving-
ransomware-marketplace-dark-web/
https://www.afp.gov.au/sites/default/files/PDF/Reports/afp-annual-report-2021-2022-1.pdf
https://www.antivirusguide.com/cybersecurity/ransomware-statistics
https://www.atlanticcouncil.org/wp-content/uploads/2022/08/
Behind_the_rise_of_ransomware.pdf
https://www.bleepingcomputer.com/news/security/the-dark-web-is-getting-darker-ransomware-
thrives-on-illegal-markets/
https://www.bsi.bund.de/EN/Themen/Unternehmen-und-Organisationen/Cyber-
Sicherheitslage/Analysen-und-Prognosen/Ransomware-Angriffe/ransomware-
angriffe_node.html
https://www.cfr.org/task-force-report/confronting-reality-in-cyberspace/download/pdf/2022-07/
CFR_TFR80_Cyberspace_Full_SinglePages_06212022_Final.pdf
https://www.checkpoint.com/cyber-hub/threat-prevention/ransomware/
https://www.cisa.gov/cross-sector-cybersecurity-performance-goals
https://www.cisa.gov/known-exploited-vulnerabilities-catalog
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-131a
https://www.cisa.gov/sites/default/files/2023-05/aa23-131a_malicious_actors_exploit_cve-2023-
27350_in_papercut_mf_and_ng_1.pdf
https://www.cnbcindonesia.com/tech/20230512145240-37-436909/belajar-dari-kasus-bsi-cek-
10-ransomware-terganas-di-dunia
https://www.consumerfinancialserviceslawmonitor.com/wp-content/uploads/sites/501/2022/03/
FINAL-Chainalysis-JL-Senate-Banking-Written-Testimony-March-2022-v2.pdf
https://www.crimrxiv.com/pub/48bmtkg0/release/3
https://www.crowdstrike.com/cybersecurity-101/ransomware/ransomware-as-a-service-raas/
https://www.cybereason.com/blog/what-is-the-dark-web-ransomware-marketplace
https://www.datto.com/resource-downloads/UKDatto-State-of-the-Channel-Ransomware-
Report-v2-2.pdf
https://www.europol.europa.eu/crime-areas-and-statistics/crime-areas/cybercrime
https://www.forbes.com/sites/kevinmurnane/2016/07/15/ransomware-as-a-service-being-offered-
for-39-on-the-dark-net/?sh=76076f8b55a6
https://www.genevaassociation.org/sites/default/files/research-topics-document-type/
pdf_public/ransomware_web.pdf
https://www.govinfo.gov/content/pkg/CHRG-117hhrg45867/html/CHRG-117hhrg45867.htm
https://www.justice.gov/ag/page/file/1510931/download
https://www.justice.gov/archive/ll/what_is_the_patriot_act.pdf
https://www.kompas.com/tren/read/2023/05/13/134500165/hacker-ransomware-lockbit-klaim-
curi-15-juta-data-bsi-pakar--diperkirakan?page=all
https://www.liputan6.com/tekno/read/5287845/kelompok-ransomware-lockbit-akhirnya-sebar-
15-tb-data-karyawan-dan-nasabah-bsi-ke-internet
https://www.medcom.id/english/business/0kpM5x6K-hit-by-cyber-attack-bsi-system-knockout
https://www.packetlabs.net/posts/ransomware-as-a-service-dark-web/
https://www.radware.com/getattachment/Security/Hackers-Corner/2181/
rad1290_DarkNet_v2_Final.pdf.aspx/?lang=en-US
https://www.reliaquest.com/blog/dark-web-recruitment-how-ransomware-groups-hire-
cybercriminal-talent/
https://www.researchgate.net/figure/Ransomware-for-sale-on-dark-web_fig3_343706763/
download
https://www.safetydetectives.com/blog/antivirus-statistics/
https://www.safetydetectives.com/blog/ransomware-statistics/
https://www.scmagazine.com/analysis/ransomware/nearly-three-quarters-of-ransomware-
revenue-generated-by-russian-strains
https://www.sxsw.com/wp-content/uploads/2018/03/Legality-of-Paying-Ransom-FINAL-
2018.1.19.pdf
https://www.tijthailand.org/public/files/highlight/Cryptocurrency%20and%20Crime/3/
Virtualcurrencies%20rusi.pdf
https://www.trendmicro.com/vinfo/ru/security/news/cybercrime-and-digital-threats/shurl0ckr-
ransomware-as-a-service-peddled-on-dark-web-can-reportedly-bypass-cloud-applications
https://www.un.org/counterterrorism/sites/www.un.org.counterterrorism/files/malicious-use-of-
ai-uncct-unicri-report-hd.pdf
https://www.unitrends.com/blog/ransomware-as-a-service-raas#:~:text=Ransomware%20attacks
%20as%20well%20as,and%20extorting%20ransom%20from%20victims.
https://www.cisa.gov/zero-trust-maturity-model
Illegal crypto transactions hit high of US$20 billion: Chainalysis - Cryptocurrency - Digital
Nation
Kelompok Ransomware LockBit Akhirnya Sebar 1,5 TB Data Karyawan dan Nasabah BSI ke
Internet - Tekno Liputan6.com
Losses from crypto hacks surged 60% to $1.9 billion in Jan-July: Chainalysis | Mint
Patriot Act Summary, Pros & Cons | What is the Patriot Act? - Video & Lesson Transcript |
Study.com
ShurL0ckr Ransomware as a Service Peddled on Dark Web, can Reportedly Bypass Cloud
Applications - Security News - Trend Micro RU
The rise of crypto laundries: how criminals cash out of bitcoin | Financial Times