Impacts to Enterprise Security: A Look at as-a-service Attacks

Ever since certain solutions have begun being offered “as-a-service,” the market for this method of delivery has exploded. Now, elements like software-as-a-service, infrastructure-as-a-service and platform-as-a-service are key mainstay components of enterprise IT, with the market values to prove it.

According to MarketWatch, the global SaaS market is on track to expand by a more than 20 percent compound annual growth rate, reaching a value of $185.8 billion by 2024. Allied Market Research reported that the IaaS market will see an even larger CAGR of more than 25 percent through 2023, surpassing $92 million; and Market Research Future forecast that the PaaS sector will reach $12.12 billion through 2022 thanks to a 26 percent CAGR.

The as-a-service model comes with considerable benefits, including lower front-end investments and more consistent uptime and performance of key solutions. Understandably, enterprises of all sizes across industry sectors are now flocking to as-a-service models – and they aren’t the only ones.

Cybercriminals are also jumping on board, with as-a-service threats that make infiltration, data theft and malicious profit more accessible than ever before. Let’s examine the trend of as-a-service threats, and what this means for enterprise data security.


Currently, several different malware samples and threats are being made available in as-a-service capacities through underground marketplaces. However, one of the most formidable of these is ransomware-as-a-service.

Trend Micro reported on this growing trend when it was first emerging in 2016, explaining that samples including one called “Stampado” were being offered for sale in the Deep Web. Hackers were providing the sample alongside a “lifetime license,” costing only $39 at the time.

“This is exactly how ransomware as a service (RaaS) works – do-it-yourself (DIY) kits are sold in forums, making it incredibly easy even for nontechnical people to mount a ransomware operation of their own,” Trend Micro noted in its Security News blog.

Similar to other ransomware samples, this RaaS kit included a sample that encrypted files once executed on a victim’s machine, locking users out of data and displaying a warning notification demanding ransom payment for the decryption key. Instead of having to build this malicious ransomware code themselves, however, RaaS kits provide everything attackers needs to disperse a data-and-file-locking threat onto one or multiple victim systems.

And, as we’ve learned from past ransomware attack scopes, the more victims that can be infected, the higher potential for profit for hackers supporting the attacks. As Trend Micro pointed out in the Security News blog, infection and attack results also depend on the type of organization attacked, and the different kinds of data the ransomware is preventing access to.

Locking users out of highly sensitive data – particularly when no backups are in place – can boost the motivation to pay the ransom. And in some cases, the attack doesn’t end there – hackers have been known to demand a second ransom after successful payment of the first, maintaining the robust encryption preventing victims from accessing their data.

There are tricky ways hackers can exploit and hack brands today.

Combining threats: Ransomware and cryptocurrency mining malware

This year, the RaaS threat saw an upgrade with the discovery of an exploit kit that contained not only the GandCrab ransomware sample, but also a powerful cryptocurrency-mining malware. The so-called Rig exploit kit had been on the market since July 2018, but in August, researchers including Trend Micro’s Fraud Researcher Joseph Chen noticed a change – as opposed to delivering the GandCrab ransomware, the kit included a then unknown sample, which was subsequently identified by Trend Micro researchers as the Princess Evolution ransomware.

As Chen pointed out, this effective malware combo contained in the kit translated to a dangerous threat. And making matters worse is the fact that, based on activity within underground forums observed by Trend Micro researchers, hackers were providing this ransomware-and-cryptocurrency-mining kit in a ransomware-as-a-service capacity, and were on the hunt for supporters.

“[I]t appears that its operators are peddling Princess Evolution as a ransomware as a service (RaaS) and are looking for affiliates,” Chen wrote. “Even if users aren’t diverted to the exploit kit and infected with the ransomware, the cybercriminals can still earn illicit profit through cryptocurrency mining.”

The Princess Evolution/cryptocurrency mining exploit kit was far from the first time this kind of double-whammy threat emerged. As noted in an October, 2016 Security News blog, one of the very first well-known kits was the Blackhole Exploit Kit, which first came about back in 2013 and included the well-known CryptoLocker sample. Since then, other kits – like the Angler, Neutrino and Magnitude exploit kits – were made available.

This method of delivery became so popular that by Q4 of 2016, 18 percent of all ransomware families were arriving to victim systems through exploit kits. As activity has shown, hacker success with an exploit kit wasn’t too difficult to come by.

“What makes exploit kits an effective means of delivering a myriad of threats? They require less user action, for one, as they take advantage of unpatched vulnerabilities in the most popular software,” Trend Micro pointed out. “At any given time, networks will always have vulnerabilities, especially if they use legacy systems or software.”

What’s more, while activity connected with the likes of the Angler exploit kit has considerably slowed since it first emerged, there is always the next big power combo of threats to take its place. For example, just as Angler began dying down, infections at the hands of Neutrino exploit kit rose sharply.

The danger of as-a-service attacks

No matter what threats a robust exploit kit or ransomware-as-a-service system might include, the bottom line is that these represent a significant and particularly dangerous threat to enterprise security. Overall, as-a-service and other exploit kits are coming up for sale much more often on the Dark Web and underground marketplaces, and as Trend Micro pointed out, they are considerably affordable.

This means that even those without malicious (or any) technical experience can buy up an as-a-service sample or exploit kit for a cost-efficient price, and launch attacks on targets at will. In the case of exploits kits, which often leverage a zero-day threat to support successful intrusion, the risk increases.

“As cybercriminals continue to use the deadly exploit-kit-ransomware combination, enterprises must contend with the risks of infection, along with any other new-fangled malware exploit kit operators decide to deliver,” Trend Micro noted it its Executive Series guide on Exploits-as-a-Service.

Check out Trend Micro’s guide, and reach out to one of our expert security advisors today to learn more.

Read More HERE