Kaspersky Study Reveals Ransomware as the Dominant Malware-as-a-Service (MaaS) in the Past Seven Years

A recent study by the Kaspersky Digital Footprint Intelligence team reveals that ransomware is the most prevalent form of Malware-as-a-Service (MaaS) over the past seven years. The study, based on research of 97 malware families distributed on the dark web, highlights the popularity of ransomware, accounting for 58% of all MaaS families between 2015 and 2022. The study also uncovers the leasing of infostealers, botnets, loaders, and backdoors by cybercriminals to carry out their attacks.

KUALA LUMPUR, 20 June 2023 – The Kaspersky Digital Footprint Intelligence team has conducted a new study uncovering ransomware as the dominant Malware-as-a-Service (MaaS) over the last seven years. Based on research of 97 malware families distributed on the dark web and other resources, the study highlights the prevalence of ransomware and the leasing of infostealers, botnets, loaders, and backdoors by cybercriminals to carry out their attacks.

MaaS is an illicit business model where software is leased to execute cyberattacks, providing clients with personal accounts for attack control and technical support. This model lowers the expertise threshold for aspiring cybercriminals.

Kaspersky’s experts analyzed the sales volumes, mentions, discussions, posts, and search ads on the darknet and other resources to determine the most popular types of MaaS. The study found that ransomware accounted for 58 percent of all families distributed under the MaaS model between 2015 and 2022. Ransomware’s popularity is attributed to its ability to generate higher profits in a shorter time compared to other malware types.

Malware families distribution, 2015-2022, with examples of the most popular families in each type[1]. Source: Kaspersky Digital Footprint Intelligence

IoT botnets are not included since they are not distributed under the MaaS model, but DDoS-as-a-Service model, which is not classified as MaaS.

Cybercriminals can subscribe to Ransomware-as-a-Service (RaaS) for free and pay for the service after the attack, typically a percentage of the ransom paid by the victim. However, gaining entry into the program requires meeting rigorous requirements.

Infostealers represented 24 percent of malware families distributed as a service during the analyzed period. These malicious programs are designed to steal sensitive data such as credentials, passwords, banking information, and browser history. Infostealer services are typically offered through a subscription model with prices ranging from $100 to $300 per month.

Botnets, loaders, and backdoors accounted for 18 percent of malware families sold as a service. These threats, often combined, are used to upload and run additional malware on victims’ devices. The price of loader Matanbuchus, for example, starts from $4,900 per month.

The study also shed light on the hierarchy of MaaS, with cybercriminals operating platforms referred to as operators, while those purchasing services are known as affiliates. Affiliates gain access to all the necessary components, such as command-and-control panels and malware samples, to carry out attacks.

 An example of a video used by traffers to spread an infostealer

Understanding the structure of the MaaS market provides valuable insights for businesses to develop effective strategies against cyberattacks. By monitoring cybercriminal activities, tracking information flow, and staying updated on emerging threats, organizations can bolster their defenses and mitigate risks.

To protect against MaaS-related threats, Kaspersky recommends keeping software updated, using the latest Threat Intelligence information, leveraging Kaspersky Digital Footprint Intelligence to explore potential attack vectors, and engaging the Kaspersky Incident Response service to respond to incidents and minimize consequences.

Author: Terry KS

Share This Post On