Insights > Network Visibility + Security

Combatting RaaS with BAS

2021-05-25  |  6 min read 

RaaS means business

We would expect every successful multi-million dollar business has to have structure, process, regulation, and so forth right?  But would the same be true on the Dark Web?  Surely not – that’s just full of kids in their parents’ basements wearing hoodies, right?

Okay, so maybe that’s taking stereotypes to the limit – I am sure we believe it can be more complex than that.  In my last blog we saw how many millions of dollars appear to have been made recently by the Darkside Group in the past few months with their Ransomware-as-a-Service model, so maybe they too have a formal business model.

The Photon Research Team at Digital Shadows have produced some extremely insightful research into the RaaS model, as well as a specific use case focussed on the DarkSide group responsible for the recent Colonial Pipeline attack.  The research shows us that Ransomware as a Service business model consists of three main players:  operators, affiliates, and Initial Access Brokers (IABs).

Ransomware operators own the malware source code and distribute it to the affiliates, who take a cut of the ransom (split reported to be 65-90%). IAB’s complete the business model by identifying and selling victims details to the affiliates.

Within this model there is process & regulation.  The operators recruit affiliates and vet their technical skills.  They also have rules, which have been made stricter following the pipeline attack as seen is this screenshot.  They make it clear that there are certain targets that are off limits, specifically the likes of Healthcare, Education & Government.

Ransomware REvil operators publishing new, stricter guidelines for their affiliates’ operations Source: Digital Shadows

Even more recently we have seen these “ethics” in action following a RaaS attack hitting healthcare services in Ireland.  Initially the attackers were reported to be asking $20M payment as a ransom, yet have since given the victim the decryption key for “free”.  This isn’t the first time attackers have made mistakes with the target and subsequently backtracked, but maybe the fate of Darkside has influenced actions.

So what of the Colonial Pipeline attack?  Now we understand the model, we can reasonably surmise that IABs were involved.  In the research, the Photon team published a screenshot of an advert from an IAB selling access to a US Oil/gas production company back in March 2021.  The adverts typically gives enough detail to prove validity without exposing the full details of the proposed victim.

IAB advertising Remote Desktop Protocol (RDP) access to a US “oil/gas production” company that was sold on 07 Mar 2021.  Source: Digital Shadows


Making Intelligence Actionable

Now we understand the business model, the motives, the Tactics & Techniques, it’s time to take action - after all, what is threat intelligence if it’s not actionable?

Most corporations have a large number of security vendors that comprise their security infrastructure.  Whether it’s IPS signatures, a SIEMs data sources, or newly deployed technologies such as Zero Trust to name a few, misconfigurations are a common problem for many organisations.


Keysight’s Threat Simulator, our SaaS Breach & Attack Simulation Solution gives organisations the ability to find gaps and misconfigurations in their security infrastructure.  Having the ability to safely emulate real attacks on live networks on a continual basis allows gaps to be identified and remediated as they happen.  Whether it’s a gap that’s been there since just after last years annual pen test, or assurance that the configuration changes made to defend against the latest RaaS threats are effective, there is now a solution to continuously validate.

ThreatSim DarkSide Malware Samples
Keysight's ThreatSimulator DarkSide malware samples ready to use in an attack simulation


If you are interested in predictions for some of the key security threats that are shaping up for 2021. Download this report to get the latest security threat information you need to help protect your network.

Or as we like to say, Find it Before They Do