Decoding the DNA of Ransomware-as-a-Service (RaaS)

Cylance dropped a new tech blog this week talking about ransomware-as-a-service (RaaS) and delving into the latest malware trends - in particular, how the bad guys are remixing previous ransomware ‘hits’ into something new.

Cybersecurity’s man on the street Matt Stephenson caught up with Cylance Vice President of Sales Engineering Gabe Deale at RSA 2017 in San Francisco, and discussed the ongoing battle against these forms of automated ransomware.

What is worrying about the success of these types of attacks, says Deale, is the fact that people are still falling prey to the exact same thing that the rest of the industry is encountering. “They (bad actors) are trying to get products out to market, while the market is still accessible and vulnerable to the particular types of attacks that they are leveraging.”

More importantly, says Deale, those cybercriminals are working night and day to create all the tools necessary to make ransomware very easy to use, to monetize it, and to get it into the hands of those who intend to use it to extort money from businesses, organizations, and the general public.


Cylance has been seeing a lot of ransomware doing the rounds lately, due in part to the wild success of the RaaS model of ransomware distribution. Notes Deale: “The interesting thing about their approach is that they are following the industry the same way we are. But what we are doing that’s a little bit different, is that we’re using artificial intelligence (AI) that can understand and essentially decode the DNA of the malware that they’re using.”

There is an upside to this, however, for businesses and enterprises that use Cylance’s products. If the bad actors continue to re-use previous versions of malware, such as Cryptowall or Locky, then even if the malware is mutated, chopped up, resampled or spun into a new variant, Cylance will detect it and shut it down, pre-execution.

Stephenson likens this process to a highly trained audiophile being able to spot an original horn sample from Miles Davis, even if it is buried in a remixed song.

The musical analogy holds up well when you consider how CylancePROTECT® works: it is ‘trained’ with machine learning on millions and millions of characteristics of malware, and so it is able to spot and immediately block each individual characteristic if it is used in new or mutated malware.

As ransomware evolves and updates with the times, new and disturbing trends are springing up, sometimes by the hour. Deale notes that one of the latest things Cylance has seen is that PadCrypt has some new capabilities in it to provide live chat - believe it or not - so that the malware authors can actually provide better support to people who have had their computers encrypted by the virulent ransomware.

Says Deale, “We’re seeing all these new components, but in terms of the underlying mechanisms that are ‘Crypto-ing’ the devices themselves, those components are being re-used.”

Essentially, the very ease of use that makes the RaaS model of distribution so attractive to malware authors is also the exact same thing that causes its downfall when it tries to get past AI-powered antivirus solutions like those provided by Cylance.

