Threat Actors, Attack Vectors & Malware in the RaaS Economy

March 31, 2023


In our latest Threat Spotlight video, company experts describe the key components of the ransomware-as-a-service (RaaS) economy and how they operate. One of those experts, Chris Granger, director of research and security operations at Celerium, defines the threat actors, their attack vectors, and the role Qbot and other malware play in the RaaS economy.

As detailed in this webinar, ransomware groups are highly motivated and organized businesses with significant resources. The RaaS economic model consists of “operators” who create and distribute ransomware tools and provide other support to “affiliates” who carry out the ransomware attacks. The “operators” often provide step-by-step intrusion playbooks to their “affiliates,” including user-friendly guides and technical support.

The RaaS economy is like a business franchise. The “operators” are the franchisors, and the “affiliates” are the franchisees. The other key component is the “access brokers,” who sell access to compromised computer systems to ransomware “operators,” giving the ransomware “affiliates” a point of access from which to start their attacks.

This webinar identifies a few of the big “operators.” One is Gold Lagoon (aka ITG26, Qakbot), the eastern European cyber-criminal group behind the development and maintenance of the Qbot malware. Qbot is Gold Lagoon’s modular banking Trojan, primarily used as a loader for other malware and as a remote access tool used by human operators for initial access and lateral movement. These banking Trojans are designed to steal individual users’ credentials and financial information. This malware has been causing trouble since 2007 and has now found a niche in the RaaS economy.

Wizard Spider (aka Trickbot LLC) is another “operator.” Trickbot LLC plays a key role in the RaaS economy as the developer of the Trickbot malware. The Trickbot group has been attacking Ukraine systematically since the Russian invasion of that country. From mid-April to mid-June 2022, the Trickbot group conducted at least six campaigns against Ukraine.

Watch our information-packed video on the RaaS economy, its key threat actors, their attack vectors, and the tools they use to achieve their nefarious goals.