Business is very good for affiliates of the Qilin ransomware-as-a-service (RaaS) group, which is very bad for the rest of us.
Researchers with cybersecurity firm Group-IB infiltrated the Qilin gang in March and this week analyzed its operations in a report that detailed its inner workings and the economic model that keeps it churning.
That model mirrors those of other RaaS groups and illustrates why slowing the ransomware scourge is so hard – affiliates who help to spread the evil code make lots of money.
According to Group-IB’s report, Qilin affiliates – those who pay to use Qilin’s ransomware for their own attacks – can take home 80 percent of the ransom paid (if the ransom paid is $3 million or less). For ransoms over $3 million an affiliate’s cut can rise to 85 percent.
RaaS operators provide a portal that includes a dashboard, blogs, and an FAQ
That’s a good payoff for miscreants who don’t have to develop their own ransomware and can instead concentrate on finding victims. It also explains why ransomware and RaaS remain prevalent.
“The financial mechanics of ransomware-as-a-service uncover a chilling truth about today’s digital peril environment,” Craig Jones, vice president of security operations at managed detection and response provider Ontinue, told The Register. “Astoundingly high profit margins, epitomized by the 80 to 85 percent share pocketed by Qilin affiliates, spawn a prosperous underworld of cybercrime, exploiting the weak points in global enterprises.”
The money will continue to flow
The industry should expect those high payouts to continue, according to Heath Renfrow, co-founder of disaster recovery and restoration service Fenix24.
“We are seeing RaaS affiliate actors getting paid higher shares of the ransoms than previously,” Renfrow told The Register, noting that these days, the high cut for Qilin affiliates is not unusual. “The BlackCat ransomware affiliates have also allegedly been earning 80 to 90 percent of the take versus 65 to 75 percent for affiliates in years prior.”
RaaS emerged several years ago and boosted an already flourishing ransomware ecosystem. A previous report by Group-IB found that in 2020, almost two-thirds of the ransomware attacks it analyzed involved groups operating RaaS models.
Ransomware-flinging affiliates are often large organizations with upwards of 100 employees, among them developers, managers, negotiators, and other staff. Some affiliates are among the world’s more notorious threat groups, such as LockBit, BlackCat, Hive, and BlackBasta, according to Malwarebytes.
Ransomware developers’ affiliate operations resemble legitimate SaaS models. The organizations sell or rent their RaaS kits to affiliates, who use them to carry out their own attacks. The RaaS groups also offer other services, such as support, bundled offers, reviews, and forums, CrowdStrike wrote in a report.
The affiliates are responsible for gaining access to target organizations and running the attacks. They pay from tens to thousands of dollars for the RaaS kits, which is a good deal given that the average ransom demand in 2021 was $6 million, according to CrowdStrike.
Varying revenue models
RaaS revenue models include monthly flat fee subscriptions, one-time license fees with no profit sharing, or pure profit sharing.
For affiliates, the RaaS model lowers the barrier to entry, enabling players with little coding experience to deploy the malware. Matthew Psencik, director of endpoint security at converged endpoint management vendor Tanium, told The Register that some affiliates pay as little as $40 a month for access to the attack code.
While RaaS operators could find their own targets and keep all of a ransom, their affiliates give them useful cover, Fenix24’s Renfrow said.
“It is difficult to attribute the activity [of an affiliate] to a specific country of origin, so it’s similarly difficult to place this activity on a ‘do not pay’ prohibition list,” he said. “By offering higher cuts of the pie, these [RaaS] organizations can both evade the payment bans and inspire more criminals to start new affiliates, adding to larger overall profits.”
Qilin gives a view into the RaaS world
Group-IB’s report on Qilin – also known as Agenda – explains that the group has operated since at least August 2022. It initially preferred to code in Go, but recently adopted the Rust programming language.
Rust is increasingly popular among cybercriminals because its binaries are more difficult to analyze and detect, and it is easier to customize for particular operating systems.
Like many groups, Qilin uses double extortion: it both encrypts a victim’s data and steals it, then demands payment for a decryptor as well as for not leaking the data. Phishing schemes are the group’s usual point of entry, allowing its operatives to move laterally through victim networks in search of data.
The group advertises its malware on the dark web and has its own dedicated leak site that includes company IDs and leaked account details, according to Group-IB’s researchers.
Affiliates who use that portal see an administrative panel for managing attacks that includes a dashboard for everything from targets to payments to changing passwords, as well as blogs and an FAQ.
How to slow down ransomware attacks?
Cybersecurity experts and governments around the world are using many tactics to reduce the number of ransomware attacks, from improving security to cutting off the money.
The US, along with other countries, is reportedly debating whether to ban ransom payments outright in hopes of choking the profits of operators. At present, the US advises against paying ransoms.
However, the idea of a ban raises concerns that those who fall victim to ransomware would not report attacks to authorities, in order to avoid punishment if they decided to pay the extortion fee.
In the meantime, ransomware attacks will continue, with the RaaS market, the growing number of affiliate programs, and the threat of publishing stolen data on leak sites being the key drivers, the Group-IB researchers wrote.
“Additionally, ransomware strains are proliferating quicker than the improvements in cyber defenses to detect and contain them, rendering organizations underprepared in facing what’s coming,” they wrote. ®