Ransomware-as-a-Service (RaaS)


What is ransomware-as-a-service (RaaS)?

Ransomware-as-a-service (RaaS) is a criminal business model that enables individuals to easily access and utilize tools for carrying out ransomware attacks. Similar to other as-a-service models like software-as-a-service (SaaS) or platform-as-a-service (PaaS), RaaS allows customers to rent ransomware services rather than owning them, deviating from the conventional software distribution approach.

Ransomware refers to malicious software that effectively locks a victim’s system or files through encryption. To regain access to their data, victims are compelled to pay a ransom to the perpetrators behind the ransomware attack. The ransomware industry has burgeoned into a significant sector within the criminal underworld, generating billions of dollars in annual revenue.

Contrary to popular belief, many perpetrators of cyber attacks, including ransomware attacks, may not possess extensive programming skills. These attackers often do not write their own code, or lack the technical know-how to do so. Cybercriminals who do have coding expertise frequently sell or rent out the exploits they develop instead of using them personally.

Ransomware represents just one facet of the cybercrime industry that operates on an “as-a-service” model. Attackers can also lease DDoS (Distributed Denial-of-Service) tools, subscribe to databases of stolen credentials, employ botnets for hire, or rent banking trojans, among other illicit services.

How does ransomware-as-a-service work?

RaaS providers use various revenue models to generate income. These models can include a fixed monthly subscription fee, a percentage share of the customers’ profits, a combination of these approaches, or a one-time licensing fee. Once a customer signs up for a RaaS account and completes their initial payment, usually in Bitcoin, they can choose the specific type of malware they wish to use.

After payment, the customers, now acting as attackers, begin their campaign by distributing the malware and infecting unsuspecting victims. In most cases, ransomware attackers rely on phishing or social engineering tactics to deceive users into executing the malware. These methods are relatively inexpensive compared to purchasing zero-day exploits or backdoor access. Once the malware is executed, the victim’s computer is encrypted and rendered unusable, and the attacker presents a message with instructions on how to submit the ransom payment.

To assist attackers encountering difficulties or struggling with malware functionality, RaaS providers often offer round-the-clock customer support services. These providers typically maintain community forums where customers can seek assistance, ask questions, and share ideas. Additionally, many providers offer comprehensive guides that outline step-by-step instructions on executing a ransomware attack using their tools.

Who uses RaaS?

Different RaaS providers have different criteria for choosing their customers. Some are selective and only sell their software to skilled hackers who can target big and lucrative victims, which helps promote their service. Some have other demands, such as speaking a certain language or being able to use the service and make money from ransoms quickly.

Others are more open and will sell their services to anyone who can pay or share the ransom profits. This can be risky for RaaS providers, as some customers may be inexperienced and get caught by law enforcement.

Lately, many RaaS providers have become more cautious about which sectors they allow their customers to attack. For instance, they may ban attacks on vital infrastructure or healthcare facilities, as such attacks can harm someone’s health or even kill them. These extreme events attract unwanted attention to the RaaS market, and RaaS providers may also have ethical concerns about hurting someone’s physical health (instead of their wallet).

What are some examples of ransomware-as-a-service attacks?

RaaS attacks have become widespread in recent years. Some examples are:

  • DarkSide is a ransomware group that offers RaaS. They were behind the 2021 Colonial Pipeline attack.
  • REvil is a RaaS product. The 2021 ransomware attack on IT provider Kaseya used REvil ransomware.
  • Dharma ransomware is a service that has been used in many attacks since 2016.

RaaS makes it easy for anyone to launch a ransomware attack, as all they need is a computer and an Internet connection. This makes ransomware a lucrative form of cyber crime. Therefore, RaaS attacks will likely keep growing in the future.

Where do criminals buy ransomware-as-a-service?

RaaS offerings are bought and used online, like any cloud service. RaaS is typically found on malware forums on the dark web. (The “dark web” is a hidden part of the Internet that requires a Tor browser to access; Tor hides a user’s location and IP address.)

How do ransomware-as-a-service providers market their services?

RaaS is a very competitive industry, and many providers actively advertise their services. RaaS providers use Twitter accounts, websites, video content, and other marketing tools. They often launch marketing campaigns to attract customers. Most RaaS tools also have user reviews and community forums.

How to defend against ransomware-as-a-service attacks

Organizations can protect themselves from ransomware-as-a-service attacks and other malware attacks by applying several security measures:

  • User security training: Teaching employees, contractors, and other users how to spot phishing attacks and social engineering attacks reduces the chances of a successful RaaS attack.
  • Email security: Many ransomware attacks begin with a malicious email attachment. Checking emails for malware and blocking email attachments from unknown sources can help prevent this attack method.
  • Regular data backups: Ransomware locks organizations out of their data. But in many cases, an organization can recover its data from a backup instead of paying the ransom to unlock it or rebuilding all of its IT systems from scratch.
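
The email security measure above (blocking attachments from unknown sources) can be sketched as a gateway-side check. This is an added example, not code from the original page; the sender allowlist, the risky-extension set and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr
from pathlib import PurePosixPath

# Assumed policy values for illustration; not taken from the article.
KNOWN_SENDER_DOMAINS = {"example.com"}
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".iso", ".lnk", ".docm", ".xlsm"}


def attachment_verdict(raw_message: str) -> tuple[str, list[str]]:
    """Return ("deliver" or "quarantine", reasons) for one RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    # The From header is trivially spoofed; a production gateway should key
    # this decision on the SPF/DKIM/DMARC-authenticated sender instead.
    _, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    known = domain in KNOWN_SENDER_DOMAINS

    reasons = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        # Only the final suffix decides how the OS opens the file, so
        # "invoice.pdf.exe" is treated as an executable, not a PDF.
        suffix = PurePosixPath(name).suffix.lower()
        if not known:
            reasons.append(f"{name}: attachment from unknown sender {domain or '?'}")
        if suffix in RISKY_EXTENSIONS:
            reasons.append(f"{name}: risky file type {suffix}")
    return ("quarantine" if reasons else "deliver"), reasons


def build_sample(sender: str, filename=None) -> str:
    """Construct a sample message (constructed test data, not real mail)."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, "user@example.com", "Invoice"
    msg.set_content("Please see the attached file.")
    if filename:
        msg.add_attachment(b"constructed bytes", maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_string()


if __name__ == "__main__":
    for sender, fname in [("ap@example.com", "report.pdf"),
                          ("ap@example.com", "invoice.pdf.exe"),
                          ("billing@unknown.test", "report.pdf"),
                          ("billing@unknown.test", None)]:
        print(sender, fname, attachment_verdict(build_sample(sender, fname)))
```

A filename check like this complements content scanning; it does not replace it, since a file's name says nothing about what the file contains.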

To learn more about how to stop RaaS attacks, see How to prevent ransomware.