cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

Ransomware-as-a-service operation exposed: How does RaaS work?

Security researchers have infiltrated a Russia-based ransomware-as-a-service operation, exposing how the business model works and how much of a cut the gang in charge of the operation gets.

user icon David Hollingworth
Wed, 17 May 2023
Ransomware-as-a-service operation exposed: How does RaaS work?
expand image

The threat intelligence team at security company Group-IB managed the feat in March 2023, when it gained inside intelligence on the Qilin ransomware group. Qilin takes advantage of ransomware written in both the Rust and Golang languages, and it was first discovered in August 2022.

Qilin’s operation actively looks to recruit affiliates on the dark web and boasts a dedicated leak site, or DLS, that contains leaked account credentials and company IDs. And although the group is far from prolific — it has only posted examples of 12 ransomware attacks on its site between July 2022 and May 2023 — its reach is global. Qilin has claimed four victims in North America and one each in the UK, France, the Netherlands, Serbia, Colombia, Brazil, Japan, and Australia.

The group has so far been known to target organisations in education and healthcare, as well as other critical services.

Group-IB’s researchers were able to observe Qilin’s RaaS operations in some detail, including how the admin panel that affiliates can use to manage their attacks.

The panel has a number of sections where affiliates can customise their attacks according to their target. In the Target section, for instance, variables such as company name, ransom amount, and ransom waiting period can be set. The details of the ransom note itself can also be set here, as well as the details of the attack itself, such as which files or directories can be skipped and which processes are killed.

With these details complete, Qilin can create custom ransomware payloads for their affiliates, in both Windows and ESXi versions.

Meanwhile, another section lets affiliates create blog posts, while a section called “Stuffers” lets affiliates create accounts for other members of their “teams”.

There’s even an FAQ section for support and documentation of the ransomware.

The most interesting section, however, regards payments. This is where affiliates can check on transactions, withdraw money, and monitor fees for the RaaS operation. Group-IB discovered that Qilin operates on a very simple sliding scale of payments. For ransoms under US$3 million, the group demands 80 per cent of the cut.

But if the ransom is greater than US$3 million, Qilin’s take rises to 85 per cent.

“Although Qilin ransomware gained notoriety for targeting critical sector companies, they are a threat to organisations across all verticals,” Group-IB wrote in a blog post. “Moreover, the ransomware operator’s affiliate program is not only adding new members to its network, but it is weaponising them with upgraded tools, techniques, and even service delivery.”

Let’s hope business doesn’t get too booming.

David Hollingworth

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.

cd intro podcast

Introducing Cyber Daily, the new name for Cyber Security Connect

Click here to learn all about it
cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.