The dark web is the dreaded online supermarket: cybercriminals rent out ransomware, infostealers, botnets, loaders and backdoors. In some cases, the providers receive a share of up to 40 percent of the victims' ransom. Offerings start at just $100 for Malware-as-a-Service.
In the past seven years, ransomware was most frequently distributed via Malware-as-a-Service (MaaS), as current Kaspersky analyzes show. It accounts for 58 percent of the MaaS market. Cyber criminals can “opt-in” to ransomware-as-a-service (RaaS) for free. However, once they become partners with the program, they pay for the service after the attack occurs — 10 to 40 percent of the victims' ransom. Infostealers, botnets, loaders and backdoors can also be "rented".
Rent cyber attack weapons for little money
🔎 Malware families were added to Malware-as-a-Service most offered by 2015 to 2022 (Image: Kaspersky).
Malware-as-a-Service (MaaS) describes an illegal business model in which software is rented to carry out cyber attacks. As a rule, the cybercriminal users of such services are offered a personal account – in addition to technical support – with which they can control the attack.
An analysis by Kaspersky experts now shows that ransomware in particular is used as part of MaaS. It accounted for 58 percent of all malware distributed through the Services between 2015 and 2022. The basis of the analysis was the examination of 97 malware families distributed via the dark web and other Internet sources.
Ransomware as the most popular malware-as-a-service
Cyber criminals can “subscribe” to ransomware-as-a-service (RaaS) for free. As a member of such a program, they pay for the service only after the attack occurs. The payment amount depends on the share of the ransom paid by the victim and is usually between 10 and 40 percent per transaction.
Infostealers also continue to be popular: They reached a share of 24 percent in the period examined. This is malware that can steal data such as login credentials, passwords, bank cards and accounts, browser history or crypto wallets.
A quarter of malware families are infostealers
These five ransomware families from well-known groups were distributed under the MaaS model on the dark web and deep web from 2018 to 2022 (Image: Kaspersky).
Infostealer services are paid for through a subscription model; the price is usually between 100 and 300 US dollars per month. For example, Raccoon Stealer, discontinued in early February 2023, could be purchased for $275 per month or $150 per week. Competitor software RedLine costs $150 per month, although a lifetime license can also be purchased for $900, according to information published by the operators on the dark web. In addition, the attackers offer other paid services.
Along with infostealers, botnets, loaders, and backdoors make up 18 percent of malware families sold as a service. Often, such malicious programs are grouped together because they share a common goal: to load and run other malware on the victim's device.
Components of MaaS and ranking of malicious programs
Cyber criminals running MaaS platforms are typically referred to as operators, while those who buy these services are known as affiliates. After signing a contract with the Operators, Affiliates get access to all necessary components of MaaS, such as Command and Control Panels (C2), Builders (programs for quickly creating unique malware patterns), malware and interface upgrades, support, guides and hosting. The panels are a crucial component that allows the attackers to control and coordinate the activities of the infected machines. For example, cybercriminals can exfiltrate data, negotiate with victims, contact support, create unique malware patterns, and more.
Certain types of MaaS, like infostealers, allow affiliates to create their own team. The members of such a team are called trafficrs. They distribute malware to increase their profits and collect interest, bonuses and other payments from the affiliates. Trafficrs do not have access to the C2 panel or other tools. Their only goal is to increase the spread of the malware. They usually do this by disguising samples as cracks and instructions for hacking legitimate programs on YouTube and other websites.
Price determines the complexity of the malware weapon
"Malicious programs such as the Matanbuchus loader show price fluctuations over time - in June the price was $4.900 per month," comments Alexander Zabrovsky, Digital Footprint Analyst at Kaspersky. “This type of malware is more expensive than infostealers because the malicious code itself is more complex. At the same time, the operator makes the entire infrastructure available so that partners do not have to pay extra for secure hosting when using Matanbuchus. The number of subscribers to Matanbuchus is very limited, which allows attackers to remain undetected for long periods of time.
Cyber criminals actively trade illicit goods and services, including malware and stolen data, on the shadowy corners of the internet. The better companies understand how this market is structured, the more they can learn about the methods and motivations of potential attackers. Armed with this information, we can better support organizations in developing effective strategies to protect against cyberattacks, as we can detect and monitor cybercriminal activity, track the flow of information, and stay abreast of new threats and trends.”
More at Kaspersky.com
About Kaspersky Kaspersky is an international cybersecurity company founded in 1997. Kaspersky's in-depth threat intelligence and security expertise serve as the basis for innovative security solutions and services to protect companies, critical infrastructures, governments and private users worldwide. The company's comprehensive security portfolio includes leading endpoint protection as well as a range of specialized security solutions and services to defend against complex and evolving cyber threats. Kaspersky technologies protect over 400 million users and 250.000 corporate customers. More information about Kaspersky can be found at www.kaspersky.com/