Crimeware-as-a-Service (or Cybercrime-as-a-Service) has increasingly enabled both technically inexperienced criminals and advanced threat actors to rapidly arrange sophisticated attacks.
The term Crimeware-as-a-Service (CaaS) refers to the practice, within the cybercriminal ecosystem, of providing products and services to other cybercriminals.
This model facilitates the activities of cybercriminal groups and helps criminals to carry out complex attacks without the need for advanced technical skills.
CaaS has lowered the barrier to entry for new, less savvy threat actors, and now represents an optimal choice for advanced attackers that want to conduct hit-and-run operations. The Crimeware-as-a-Service model makes it difficult to attribute a crime to a particular individual because the means and the infrastructure are shared among multiple bad actors.
The most popular services and products offered under the Crimeware-as-a-Service umbrella are malware, ransomware, phishing kits, and also command and control infrastructure.
Most of these services are characterized by their ease of use and strong customer orientation. They usually have user-friendly administration consoles and dashboards to control the earnings.
A lower entry barrier
The cost of criminal activities is shared among all the ‘customers’ thanks to a model based on a subscription or flat-rate fee, making cybercriminal services convenient and attractive. In this scenario, the service providers can increase their earnings, while the clients benefit from a significant reduction in the expense and knowledge needed to manage the illegal business.
According to the Internet Organised Crime Threat Assessment (IOCTA) 2020 report published by Europol, commodity malware offered as a service (Malware-as-a-Service, MaaS) lowers the barrier for threat actors that want to arrange cyberattacks.
Prominent examples of malware offered through this model are Emotet and Trickbot.
These malware programs use modular structures to enable reselling and renting sections of their malicious code to their peers without compromising their key differentiators.
Customers of the malware operators could spread them by adopting their own tactics, techniques, and procedures and in some cases use them in highly targeted attacks.
Authorities and law enforcement agencies across the world warn of an increased professionalization in the cybercrime threat landscape that makes the CaaS model very dangerous. Some criminal organizations specifically focus on the offering of criminal services and products to other criminal gangs instead of directly targeting users and organizations with their means.
“Simultaneously, European law enforcement has reported a rise in less tech-savvy cybercriminals in the context of widely available CaaS solutions” - reads the IOCTA report.
“There has been an observable shift from what used to be a business for threat actors, now being more of an enterprise. Where specialist skills are needed (e.g. malware-coding, malware-distribution), criminals are able to hire developers or consultants to fill this need.”
By using combination attacks, criminals effectively challenge law enforcement’s capacity to investigate incidents and attribute attacks to specific perpetrators and crime groups.
CaaS services in cybercrime forums and marketplaces hosted on the dark web are quite easy to find and feature a broad range of offers.
Crooks can rent a botnet by just making a payment in Bitcoin. Then, thousands of infected machines worldwide could be employed in all kinds of illegal services, such as distributing malware, launching DDoS attacks, or sending out spam emails.
Another factor that makes Crimeware-as-a-Service very attractive to the criminal underground is the availability of stolen data that can be used to run further attacks.
What are the dangers of CaaS?
Crimeware-as-a-Service is a demand-driven market. The prices of services and products reflect the levels of complexity of the resources involved and are influenced by the availability of the means in the underground ecosystem.
The principal danger of the CaaS model is its role as an enabler for increasingly sophisticated attacks that are fueling the rapid development of new advanced threats.
Another danger is related to the difficulty of attributing attacks that originated from CaaS services or products to specific threat actors.
The model is efficient and especially dangerous when applied to malware, such as ransomware. In recent months, there was a surge in the number of ransomware attacks fueled by the diffusion of the Ransomware-as-a-Service (RaaS) model.
RaaS is available on a cloud-based subscription model to anyone who pays a subscription fee. On the other hand, some ransomware operators don’t ask for subscription fees and instead use an “affiliate” model in which they receive all of the ransom amounts extorted from the victims by the affiliates, keep a percentage as commission for themselves, and then pass the rest to the affiliates.
RaaS applications are very easy to use and don’t require coding efforts. The affiliates can manage their campaigns directly from an online portal.
The cost of a RaaS kit ranges from around $50 upwards into the thousands.
The biggest danger of RaaS is that it potentially allows anyone to carry out a malware campaign and become a cyber extortionist.
The diffusion of RaaS contributed significantly to the exponential growth of ransomware attacks.
A growing number of ransomware gangs are extending their networks of affiliates, a move that will cause a spike in the number of infections in the coming months.
One of the most active ransomware gangs, the REvil Ransomware (Sodinokibi) operators, recently deposited $1 million in Bitcoin on a Russian-speaking hacker forum to demonstrate their willingness to involve new affiliates.
What can be done to combat CaaS?
Unfortunately, there isn’t a definitive solution to mitigate the risks associated with the diffusion of the CaaS model. The fight against this paradigm calls for a holistic approach and continuous information sharing between security firms and law enforcement agencies.
Security experts have to monitor cybercrime and hacking forums, especially those hosted on the darknet, in an attempt to identify new threats early and rapidly share information to detect them and limit the damage caused by the cyberattacks.
Early identification of the threats could allow experts to share Indicators of Compromise to detect the attacks and mitigate them, while law enforcement agencies could attempt to identify and shut down the infrastructure used by crooks to offer their products and services.