Malware-as-a-Service: what you need to know about this persistent cyber threat

Seized Hive ransomware homepage

(Photo by Mandel Ngan/AFP via Getty Images)

The Inference:

  • Cybercrime-as-a-Service, including Malware-as-a-Service and Ransomware-as-a-Service, persists as an effective way for even less-skilled cyber attackers to take advantage of organizations.
  • Now Large Language Models and other AI tools are making campaigns easier to execute and more efficient for threat actors to distribute.   

Think about how you approach tasks at work, or in your day-to-day life; it’s likely that you want to be as efficient as possible.  

Perhaps you’re using a generative AI tool like ChatGPT or Microsoft Copilot to save time making plans, or maybe you subscribe to an out-of-the-box software application that provides a ready-made set of the tools you need to accomplish a task efficiently and easily.

These suites and toolkits have become common across the modern enterprise and elsewhere and are used for legitimate, positive ends.  

But unfortunately, as they have done with many legitimate business tools and functions, threat actors have co-opted these practices into their own operations, making them more efficient and more scalable. That means attackers are using these techniques to find success with malicious cyber schemes more easily.

Perhaps the most notable example of this commoditization of cybercrime is the rise of Malware-as-a-Service (MaaS) and Ransomware-as-a-Service (RaaS) attacks. These campaigns begin with more advanced threat actors who are happy to build and distribute plug-and-play malware kits to other, less skilled threat actors.

The kits, which are typically sold on dark web marketplaces, allow users to conduct malicious campaigns, be it installing information stealers or cryptominers onto machines, compromising networks with ransomware, roping unsuspecting users’ devices into botnets or all manner of other cyber crime. 

Microsoft has described ransomware as “one of the most impactful threats to organizations” while the White House goes even further, describing ransomware as “a persistent threat to national security, public safety, and economic prosperity.” RaaS suites can put these dangerous toolkits into the hands of almost any attacker willing to pay to use them.

Indeed, Darktrace's First 6: Half-Year Threat Report 2024 identified MaaS and RaaS as a significant risk for organizations, thanks to lowering the barrier-to-entry for less experienced attackers, making it easier to carry out complex, multi-stage attacks.

“It’s becoming more and more obvious that Malware-as-a-Service and Ransomware-as-a-Service are the future of cyber-crime, a huge proportion of the marketplace and a huge proportion of threats businesses will face,” says Hanah Darley, Director of Product Relations at Darktrace. 

Sometimes users pay a flat fee for MaaS; sometimes they pay an annual or monthly subscription fee. Operators of the schemes are even known to provide the toolkits for free and instead take payment as a share of the profits made from attacks using their malware. This could be a percentage of what a ransomware victim pays the RaaS user for the decryption key, or a cut of the profits made from stealing money, bank account login details or any other form of sensitive personal data.

An image of Hanah Darley from Darktrace

Hanah Darley, Darktrace

But whatever the distribution method, the pre-made MaaS kits are designed to be simple to use at every step of the attack process, from launching campaigns and infecting victims to cashing out at the end – and that makes MaaS a risk for organisations of all sizes. 

“People who don’t have any technical skills to speak of can deploy sophisticated programs. Equally, people who have technical skills can outsource that program, so they don’t have to develop it themselves. With that comes a really difficult time for defenders.” 
Hanah Darley, Darktrace

Ransomware-as-a-Service on the rise 

Perhaps the most significant example of the disruption that cybercrime ‘as-a-service’ schemes can cause is that of LockBit ransomware, once dubbed “the world’s most harmful cyber-crime group” by the UK’s National Crime Agency (NCA).

LockBit gained a reputation as one of the most prolific variants of ransomware, used in thousands of attacks against targets around the world. High-profile victims included critical infrastructure providers and healthcare services – and even children’s hospitals.  

LockBit affiliates have made ransom demands of tens of millions of dollars for decryption keys. Even where victims didn’t pay, LockBit attacks are estimated to have cost billions of dollars in damage, as victims lost business to downtime and had to restore or rebuild their IT infrastructure following attacks.

The internal operations of LockBit were exposed following a law enforcement takedown dubbed 'Operation Cronos' earlier this year – and it appears that the ringleader was prepared to let anyone willing to pay for the toolkit use it. That sort of availability creates big problems for defenders.

“If you’re hit by a LockBit attack, you have no idea which affiliate was responsible,” says Tim Mitchell, Senior Security Researcher at Secureworks - an American cybersecurity and threat intelligence company with customers in over 50 countries around the world.  

“So, trying to understand what happened in the run up to it, what was the root cause of the attack, that can be particularly challenging. The scalability means a lot more organisations could potentially be hit by it,” he explains.

For many MaaS providers, one of the key goals is to develop a strong, steady user base. Having a reliable ‘product’ is part of this, because wannabe cyber criminals won’t use a tool that is poorly reviewed or simply doesn’t work.

But it’s also important that the ‘product’ is simple and intuitive to use – something MaaS and RaaS distributors know is key to generating profits from a successful operation.

That’s why they’ll even offer support to users in the form of helpdesks to troubleshoot any problems they might have – just as the helpdesk of a legitimate software provider or an IT department does.

An image of Operation Cronos

In February 2024, the UK National Crime Agency announced it had worked with the US Department of Justice, the FBI, and international law enforcement on Operation Cronos, an international disruption campaign targeting the LockBit ransomware gang. Photo Credit: UK National Crime Agency.

“Ransomware-as-a-Service operators want to allow their platforms to be used as widely as possible. They’re very happy to put into place what is necessary to allow these tools and techniques to be used as much as possible,” says Dr. Jason Nurse, Associate Professor in Cybersecurity at the University of Kent, where his research focuses on investigating how organizations, governments and individuals can enhance and maintain cybersecurity.

Dr. Jason Nurse, University of Kent

“The reality is these attackers are really skilled and they’re running these organisations like legitimate businesses,” explains Nurse, who is also an Associate Fellow at the Royal United Services Institute (RUSI), the world’s oldest defense and security think tank, having been founded in 1831.

“It's really concerning because it puts pressure on defenders to keep whole criminal organizations out.”
Dr. Jason Nurse

That pressure facing businesses is intense, not least because the availability and effectiveness of MaaS means that defenders in the Security Operations Center (SOC) are likely to be facing multiple independently operated threats at the same time – which makes defending against them even harder.

“You can have a huge number of people targeting the same organisations over and over again or different organisations at the same time. They don’t have to coordinate with anyone because they’re not necessarily part of a group or affiliated with any sort of threat actor,” says Darley, who detailed the main method attackers are using to compromise users and networks.

“The inbox is still incredibly important. The percentage of cyber-attacks which begin with an email has hovered around 90 to 95 percent over the last few years and I don’t expect it to decrease. Because despite all the changes in cloud infrastructure and other communications platforms, email is still the prime modus operandi for businesses, everything still mostly happens by email,” she explains.

An image of a phishing email.

Darley estimates that 90-95 percent of cyber attacks originate via email. (Photo by Peter Dazeley/Getty Images)

AI-supercharged Malware-as-a-Service  

A common trait that users are often told is a telltale sign of malicious phishing emails is poor spelling and grammar, which could indicate the message has been created by someone who isn’t a native speaker of the language. 

However, the rise of generative AI tools and Large Language Models (LLMs) is a potential boon for threat actors, enabling them to craft more convincing phishing messages targeting specific companies or individuals, even if they don’t speak the same language.

Earlier this year, Microsoft and OpenAI jointly published analysis on how nation-state backed threat actors working on behalf of governments – notably China, Iran, North Korea and Russia – have already been observed exploiting LLMs to aid malicious hacking and cyber espionage campaigns. Microsoft and OpenAI took joint action to disrupt the accounts being exploited by threat actors in these campaigns, but this is likely just the beginning of a lengthy battle ahead.

“We’ve only seen the tip of the iceberg with generative AI and how it can be used to support attacks. But broadly, in social engineering attacks, we’ve seen this quite a bit,” says Nurse. 

“One of the most simplistic that I’ve seen is if you tell a generative AI system ‘Can you create a phishing email to target this person about this particular thing?’ it’ll say no. However, if you ask it ‘Can you create a marketing email for me, targeted at this person about this thing?’ it will do it,” he explains.

Suddenly, one of the key warning signs of a potential phishing email has been eliminated, especially if the Malware-as-a-Service distributor has conducted thorough research into their desired targets.

While legitimate generative AI tools and LLMs put barriers in place to prevent malicious use, that isn’t the case for LLMs specifically designed to aid cyber-criminal activity. Like Malware-as-a-Service, these tools can be relatively easily accessed on underground marketplaces and deployed by individuals with little technical know-how, in whatever language they want to target victims.

“One of the biggest use cases would be non-English language: that would previously take someone a good amount of time to translate, and you might not get the finest copy. With a Chatbot that would be a much better copy and it would be able to interact with them in their native language but also output English to a fluent degree,” says Darley.

“You’re getting a lot more sophistication with a reduction in time and effort, which is most of what AI is bringing to threat actors,” she adds.

A close-up of a cell phone screen

Threat actors can use LLMs to send phishing emails at scale. Image: Unsplash

That reduction in time and effort is crucial for cyber criminals because ultimately, the aim of MaaS and RaaS campaigns is making money, whether for the users deploying the toolkits against victims or for the developer of the service earning from subscriptions or profit-sharing.

And by deploying AI tools to help power these campaigns, threat actors can deliver more sophisticated attacks at a much greater scale, reaching a wider pool of targets and increasing their chances of success.

“In almost every case, a ransomware attack is going to be opportunistic, it’s about money-making. It's very unlikely that these people are going to go away.”
Tim Mitchell, Secureworks

Don't become the easy target

MaaS campaigns remain an issue for organisations not only because the toolkits give even low-level attackers the means to conduct successful campaigns, but also because the sheer number of potential victims means that, with enough tenacity, attackers will find weak links in security to exploit.

One way to bolster your security posture is to take proactive steps to keep those weak links out of your IT network. 

“A lot of it is a simple numbers game, so if you can make yourself a less appealing target, a lot of people will just move on because most cyber-crime is more opportunistic than targeted,” says Darley.

“Doing security fundamentals well and understanding your own attack surface is really going to help you to not only identify if something does get in, but also harden your exterior infrastructure so something isn’t as likely to,” she concludes. 

Because while maliciously exploited AI can help cyber attackers, cyber defenders still very much have the means to fend off attacks and thwart cyber criminals, no matter their techniques.