Buckle up: a novel RaaS group, Ranion, offers 'pay & go' malware

As if there were not enough ransomware-related crimes in the past year, a new ransomware-as-a-service (RaaS) group just made cyber extortion easier.

Even though reports show that ransomware already forms 69% of attacks against businesses, that figure might go further up. Researchers at CyberNews spotted a new RaaS group on the darknet, offering an unusual payment structure, potentially easing access to anyone interested in cybercrime.

Major ransomware cartels like REvil, Conti, or DarkSide usually charge their affiliates a hefty 30% fee per ransom payment. The cartels provide the malware, whereas threat actors carry out the attacks.

Main banner with many multi-language banners created to tell user their files have been encrypted.

However, a new RaaS group that is calling itself Ranion adopts an entirely different payment structure. The group only asks for an upfront payment for its malware without additional service fees.

The Ranion malware uses AES 256 encryption and is almost fully undetectable, with only one enterprise antivirus solution able to detect it, a development that might turn a disastrous year worse.

From threat actors' point of view, Ranion might seem like a more viable malware option since a single fixed payment doesn't require to return the malware provider a third of the cut.

RANION (RaaS) Decrypter.

Different Ranion malware packages are offered from $150 to $1,900, a shockingly low price compared with corporate ransomware losses of several million dollars per attack. The pricier offers are said to guarantee fully undetectable (FUD) status.

Clients are supposedly given a unique stub, making every malware file different and thus hard to detect. The stub is executable and a packer of crypto, giving the malware its impregnable features.

To offer threat actors a greater range of inflicting damage, Ranion added a functionality, creating a delay between infection and encrypter execution. The malware, however, only works on Windows, offering some respite for users of different operating systems.

Somewhat shockingly, for a completely illegal business venture, the RaaS groups also offer real-time customer support services for their clients. However, that is somewhat a 'good practice' within the cybercrime ecosystem, full of supporting personnel.

RaaS seemingly sold as any other service on the internet.

Year in turmoil

Cyberattacks are increasing in scale, sophistication, and scope. In 2020, ransomware payments reached over $400 million, more than four times the level of 2019. This year will likely set another record benchmark for ransomware cartels globally.

The last 12 months were ripe with major high-profile cyberattacks on network management companies such as SolarWinds, the Colonial Pipeline's oil network, meat processing company JBS, and software firm Kaseya. Pundits talk of a ransomware gold rush, with the number of attacks increasing over 90% in the first half of 2021 alone.

Recently, a Russia-linked cyber cartel attacked a major US farm service provider New Cooperative Inc., demanding $5.9 million in ransom.

A recent IBM report shows that an average data breach costs victims $4.24 million per incident, the highest in the 17 years. For example, the average cost stood at $3.86 million per incident last year, putting recent results at a 10% increase.

Some ransomware groups went dark for a while, after carrying out major attacks. A cool-off period is likely meant to regroup, and recent developments show that cybercrime cartels are waking up and will likely be on the prowl for the next major extortion scheme.

Source