Readers will doubtless have heard the phrase “Ransomware as a Service” (aka RaaS). The ransomware part of that term gets a lot of coverage but what about the service?
Ransomware services, one might assume, must be served from somewhere, but where does this happen?
The Dark Web
It’s a question surprisingly few people ask. As with so many other aspects of cybercrime, the assumption is that it’s just “out there” somewhere, a place that doesn’t need to be clearly defined.
And yet the journey from the local servers on which the ransomware and malware code is developed to the computers of victims depends on a web of usually overlooked third-party computers, software, and services, only some of which are co-opted without consent.
In reality, a surprising industry of “bulletproof” hosting providers has grown up to provide infrastructure to cybercriminals without asking too many questions about what their customers are using it for.
Not everything can conveniently be hosted on the dark web, which is why bulletproof hosters are so valued by criminals. In most—but not all—cases, they operate from countries with no or lax cybercrime laws to make disrupting them harder. They don’t host everything involved in RaaS, but they’re still an important infrastructure.
We got a reminder of just how important on Aug. 11, with the news of global legal action against a hosting provider called LolekHosted[.]net. As the U.S. Department of Justice laid out its charges against the company and its (still at large) manager, Artur Karol Grabowski:
“LolekHosted clients used its services to execute approximately 50 NetWalker ransomware attacks on victims located all over the world, including in the Middle District of Florida.”
NetWalker is a Russian ransomware group that adopted RaaS around three years ago. Since then its software has been responsible for numerous attacks, including an infamous attack against the University of California, San Francisco (UCSF), at a time when it was researching COVID-19. That incident resulted in the University reportedly paying a ransom of $1.14 million.
For NetWalker, this was barely a day rate. According to the DOJ, the malware was used to attack at least 400 organizations in the United States, including cities, schools, hospitals, and emergency services, resulting in $146 million being paid out in ransoms.
NetWalker depended on a range of infrastructure, but being able to use a bulletproof hoster certainly helped:
“Specifically, clients used the servers of LolekHosted as intermediaries when gaining unauthorized access to victim networks, and to store hacking tools and data stolen from victims,” alleged the DOJ. LolekHosted also allegedly helped launder the ransoms from NetWalker attacks.
An Old Internet Problem
LolekHosted is the most significant bulletproof hosting provider to be shuttered for some time, but its disappearance is still a small blip in the grander scheme.
The authorities have been here before. A well-publicized example some readers might remember is McColo, another bulletproof hoster. At the time of its takedown in 2008 it was thought to be responsible for sending 75% of the world’s spam. Did its disappearance stop spam? Arguably, it had some effect, but cybercriminals soon moved on to other forms of cybercrime which proved harder to contain.
If stopping cybercrime were as simple as shutting down bulletproof hosters, we’d hear of these seizures more often. Taking a bite out of the rogue hosting problem is inconvenient for criminals, but unfortunately it won’t stop them from moving to a new shady hoster somewhere else.