What is Ransomware as a Service (RaaS)?
Ransomware as a service (RaaS) is a business model on the dark web that encourages cybercriminals to develop ransomware software and then sell or lease it to other criminals for profit.
Ransomware is a type of malware that locks the victim out of a computer system by encrypting the victim’s own data. The attacker then contacts the victim to demand a ransom payment in exchange for the decryption key.
Key Takeaways
- RaaS operates similarly to legitimate Software-as-a-Service (SaaS) models but for criminal purposes.
- The accessibility provided by RaaS has led to a surge in ransomware incidents worldwide.
- Many RaaS operators now employ “double extortion” techniques. In addition to encrypting files, they exfiltrate sensitive data from victims and threaten to leak or sell it unless the ransom is paid.
- RaaS attacks typically focus on large organizations because they are more likely to pay ransoms to avoid business disruptions and data breaches.
- RaaS developers regularly update their malware to bypass new security defenses.
How RaaS Works
Essentially, the RaaS business model allows threat actors with general technical skills to conduct sophisticated data extortion attacks.
Many RaaS operators today use fairly traditional cloud service provider business models. They lease infrastructure, create and maintain ransomware software and tools, package RaaS resources into user-friendly kits, and use ads to reach potential customers.
There are a few important differences between legitimate software as a service (SaaS) providers and RaaS operators, however.
For example, once a potential affiliate creates an account with a ransomware-as-a-service platform, they will be vetted. Because RaaS providers and affiliates operate within a cybercrime culture, payments are almost always made in cryptocurrency to provide anonymity.
How RaaS Has Changed
Until fairly recently, RaaS was associated with lone developers who used inexpensive spyware to gather information about a potential target. After reconnaissance, they’d set up a tailored attack and then sell the instructions and necessary tools to a fellow criminal.
Today, RaaS operations are typically run by foreign nationals and organized criminal gangs who prefer to share profits rather than sell ransomware toolkits. This provides the operator with a steady income stream and motivates them to continually improve their malware and services.
What are the RaaS Revenue Models?
A revenue model is a strategy that a business uses to generate income.
Commonly used revenue models for RaaS include:
Why is RaaS Dangerous?
The RaaS business model has lowered the entry bar for cybercriminals and made it easier for gangs of criminals to scale their illegal activities.
- Roughly one-third of all breaches involved ransomware or some other extortion technique.
- Over the past three years, ransomware and other extortion breaches accounted for almost two-thirds of all financially motivated cyberattacks.
- The median amount of the initial ransom demand was 1.34% of the victim organization’s total revenue.
- The median adjusted loss for those who did pay a ransom was $46,000.
- Ransomware is the top threat across 92% of industries.
- The human element was a component of 68% of breaches.
Examples of RaaS Exploits
In 2024, the U.S. Federal Bureau of Investigation, along with the Cybersecurity and Infrastructure Security Agency, confirmed that RansomHub ransomware as a service has targeted organizations across nearly every industry worldwide and encrypted and exfiltrated data from at least 210 victims.
Here are some examples of other well-known exploits:
- LockBit 3.0 affiliates are known to have targeted major corporations like Boeing and the Industrial and Commercial Bank of China.
- BlackCat (ALPHV) affiliates are known for using social engineering and malvertisements to deploy ransomware.
- Dispossessor, a ransomware platform frequently compared to LockBit, is often credited with popularizing a dual-extortion RaaS business model that demands two ransoms.
5 Tips to Prevent RaaS Attacks
RaaS cybercriminals often deliver malware through automated exploit kits, malicious advertisements, and sophisticated spear phishing emails.
Safeguarding against RaaS exploits requires a strong risk management strategy that includes the following steps:
- Mandate multi-factor authentication (MFA).
- Ensure endpoint protection software and all other software are up to date.
- Create 3-2-1 backups and implement a recovery plan.
- Provide and/or attend security awareness training on a consistent basis.
Is Ransomware as a Service Legal?
Ransomware as a service is illegal because the malware enables cybercriminals to gain unauthorized access to computer systems and networks.
Criminals who conduct this type of attack can be very difficult to catch, however. They typically use layers of anonymization techniques to hide their identity and often operate in jurisdictions that have weak data privacy laws and limited cooperation with international law enforcement.
RaaS Future
As RaaS providers increasingly use artificial intelligence (AI) to streamline their business models, law enforcement agencies are concerned that the number of ransomware attacks will only increase.
AI is already helping RaaS operators automate low-level malware development tasks and anonymize their communication with affiliates more effectively.
In the future, it’s likely that AI integration will allow smaller, more low-profile RaaS operators to extend the scale of their operations and even automate ransom negotiations with victims.
The Bottom Line
The definition of RaaS has evolved over time in response to the profitability of this cybercrime business model. Twenty years ago, when bad actors sold ransomware, it was a simple one-time transaction. Today, ransomware as a service has transformed into a multibillion-dollar full-service business model that’s often run by gangs of cybercriminals.
References
- 2024 Data Breach Investigations Report (Verizon)
- #StopRansomware: RansomHub Ransomware (CISA)
- #StopRansomware: LockBit 3.0 (CISA)
- #StopRansomware: ALPHV Blackcat (CISA)
- FBI Shuts Down Dispossessor Ransomware Group’s Servers Across U.S., U.K., and Germany (The Hacker News)
- Backup Strategies: Why the 3-2-1 Backup Strategy is the Best (Backblaze)