Ransomware-as-a-service (RaaS)
What is Ransomware-as-a-service (RaaS)?
Ransomware-as-a-Service (RaaS) is a business model where cybercriminals offer their ransomware capabilities to individuals or groups in exchange for a fee or a percentage of the ransom payments. Going from individual ransomware attacks to RaaS has made it easier for individuals with little technical expertise to launch sophisticated cyberattacks. RaaS platforms offer everything from ransomware tools to technical support and marketing services.
By leveraging exploit tools or kits, RaaS allows cybercriminals to conduct ransomware attacks on businesses without needing extensive technical skills or resources. As a result, the number and complexity of ransomware events has risen significantly, becoming a major risk for companies, no matter their size (Cyberint).
How does Ransomware-as-a-Service work?
Operators offer monthly subscriptions, one-time fees, affiliate programs, and profit sharing, which makes RaaS lucrative for both operators and their affiliates. Palo Alto Networks reports that affiliates tend to take a substantial cut of a ransom, about 70-80%.
The Ransomware-as-a-Service model streamlines the attack process, enabling affiliates to focus on execution of the ransomware without dealing with complex coding.
In practice, Ransomware-as-a-Service operators, such as REvil, build the ransomware, while affiliates, such as Scattered Spider, use the provided tools to launch the attacks. RaaS pricing ranges from pay-per-use of the malware to monthly subscription fees and, in some cases, profit sharing. Under the profit-sharing structure, operators earn a percentage of every successful attack while reducing their own direct risk exposure.
Operators
RaaS operators are typically organized criminal groups or networks that specialize in developing and distributing ransomware. These groups often have a hierarchical structure, with leaders overseeing the development, marketing, and deployment of ransomware tools.
While the specific group behind many RaaS platforms remains anonymous, some notable examples include:
- Black Basta
- Black Basta affiliates have targeted multiple high-value organizations, with the largest number of victims based in the U.S. Based on similarities in TTPs, leak sites, payment sites, and negotiation tactics, security researchers assess the Black Basta RaaS operators could include current or former members of the Conti group. This platform has been involved in numerous high-profile ransomware attacks against several industries that include healthcare, critical infrastructure, and education.
- DarkSide
- Another well-known RaaS platform, DarkSide was responsible for the Colonial Pipeline attack in 2021, which caused widespread fuel shortages across the Eastern United States. DarkSide is run by the APT group FIN7. FIN7 is a financially motivated threat group that has been around since 2013. FIN7 took up big game hunting (BGH) in 2020, relying on REvil ransomware and their own RaaS platform, DarkSide.
- Gold Southfield
- Started in 2018, Gold Southfield is a financially motivated APT group that operates the REvil ransomware family. REvil has been used for RaaS since April 2019 against organizations in the manufacturing, transportation, and electric sectors. It is highly configurable and shares code similarities with the GandCrab RaaS.
In addition to providing the ransomware tools, RaaS operators also offer technical support to their affiliates. They don’t do this to be nice. Tech support for the less tech-savvy affiliates ensures that the attacks are successful and maximizes profit. Additionally, operators maintain control over the ransomware’s functionality, allowing them to update the malware to avoid detection.
RaaS operators also run their ransomware site where they announce variants of their ransomware, provide technical support for affiliates, recruit new affiliates, and most importantly, collect payment.
Affiliates
Affiliates are the cybercriminals who subscribe to RaaS platforms, gaining access to ransomware tools and technical support provided by the operators. These affiliates use the ransomware to target victims and demand ransom payments.
The partnership between RaaS operators and affiliates creates a profit-sharing system, where a portion of the ransom payments is typically sent to the RaaS operators. This incentive structure encourages affiliates to conduct as many attacks as possible to maximize revenue for affiliates and operators.
High-Profile Affiliates
- FIN7
- FIN7 is a RaaS operator and affiliate. They are a financially motivated APT group that focuses on big game hunting to target large organizations. Focusing on Windows and Linux machines, they target enterprise environments running unpatched VMware ESXi hypervisors or steal vCenter credentials (Crowdstrike).
- Indrik Spider
- Indrik Spider is a Russian cybercriminal group active since 2014. In 2017, Indrik Spider began running ransomware operations with BitPaymer, WastedLocker, and Hades. Indrik Spider changed its tactics and toolkit after being indicted and sanctioned by the U.S. in 2019.
- TA505
- Active since 2014, TA505 is known for changing malware frequently. They use Clop, a variant of the CryptoMix ransomware, for their ransomware campaigns.
The Ransomware-as-a-Service model thrives because operators give affiliates easy access to ransomware tools and services, lowering the barriers to entry. Less experienced criminals can now execute more sophisticated attacks. The services typically offered include the following:
- Pre-built exploits: RaaS operators often provide pre-configured exploit kits, saving affiliates time and effort in compromising vulnerable systems.
- Targeted attack capabilities: Some RaaS platforms allow affiliates to target specific industries or organizations, maximizing their potential earnings.
- Tools for data exfiltration: RaaS platforms may provide tools for stealing sensitive data.
- Anonymization and anti-forensics techniques: RaaS operators may offer techniques to help affiliates cover their tracks and evade detection.
- Tech support: RaaS operators often help affiliates troubleshoot issues and optimize their attacks.
- Infrastructure and payment handling: RaaS platforms may handle the underlying infrastructure, such as command-and-control servers, and facilitate the collection and laundering of ransom payments.
RaaS marketplaces
RaaS marketplaces flourish on dark web platforms like Tor, Telegram, the Invisible Internet Project (I2P), and rchan. Cybercriminals can market RaaS kits, exploit tools, and even obtain stolen data. Some forums operate as closed communities, requiring invitations or proof of cybercriminal activity to gain access.
One prominent marketplace, RAMP, which stands for Ransomware and Advanced Malware Protection, is still active today. Other marketplaces, like ALPHV and LockBit, were taken down by law enforcement. The takedowns only caused a temporary disruption. Cybercriminal communities adapt quickly and often return with either a new site or a mirror site to continue selling their stolen data.
RaaS tactics for deployment
Ransomware is only a tool used to execute an attack. RaaS is the business model of selling or renting ransomware which enables cybercriminals to execute more complex and effective attacks.
As the RaaS marketplaces evolve, so do the threats. Phobos is a prime example of an evolving RaaS threat. Back when it was created, Phobos was originally built as an encryption tool, but recent variations focus on data exfiltration and extortion tactics which demonstrates the dynamic nature of modern ransomware threats.
Defending against Ransomware-as-a-Service
Before cybercriminals developed RaaS, a threat actor needed to know C++, Python, or Rust, cryptography, and network programming to carry out a ransomware attack. It was a particularly advanced skillset, and RaaS made it redundant. Now, a ransomware affiliate needs only basic computer skills and the ability to follow directions.
But now, with the proliferation of Ransomware-as-a-Service, it’s easier to recruit cybercriminals and conduct ransomware attacks.
To defend effectively against these threats, businesses must understand how to prevent ransomware attacks through proactive strategies such as employee training, routine backups, and dark web monitoring.
Extortion vs. ransomware
According to Verizon’s 2024 Data Breach Investigations Report (DBIR), approximately 33% of all data breaches involved ransomware or some other extortion technique.
Ransomware encrypts data and demands payment for the decryption key, while extortion adds the threat of leaking stolen data. Not all ransomware attacks involve double extortion (where data is also stolen and the attackers threaten to leak it) or triple extortion (where attackers also target third parties like customers or partners). In triple extortion, cybercriminals may extort their victims multiple times, e.g., using Distributed Denial-of-Service (DDoS) attacks to disrupt the victim’s operations and intensify the pressure to pay.
Why should businesses care about the rise of RaaS?
Cybercriminals have enhanced their capabilities by leveraging advancements in AI and Machine Learning. The proliferation of Ransomware-as-a-Service affects businesses’ bottom line. More businesses are being targeted by ransomware attacks now that the barrier has been lowered. The more attempts made, the more likely one of them is going to get through and cause serious damage.
So, how do you defend against RaaS? By implementing the following strategies, businesses can significantly reduce the risk of becoming a RaaS victim.
1. Monitor the dark web
Stay one step ahead of cybercriminals by using a dark web monitoring solution like Lunar. With Lunar, you can set alerts for your company name and domain to track any mention on a ransomware leak site, blog, or anything else related to ransomware and RaaS. If an alert fires, it is a clear signal that your company is, or was, being targeted.
It’s also good practice to set alerts for ransomware and breaches associated with the software vendors and suppliers connected to your company, since attackers can reach you through your supply chain.
In general, RaaS groups are elusive and evade detection by using mirror sites. Setting alerts on Lunar helps you keep track of potential ransomware threats no matter where they are on the dark web.
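The alerting described above can be reduced to a watch-list match over scraped posts, with the mirror-site problem handled by fingerprinting post content so the same announcement on two hosts raises one alert, not two. The following is an added illustration written for this glossary entry; it is not Lunar's code, and the watch-list, the post texts and the host names are constructed sample data:

```python
"""Watch-list alerting over scraped leak-site posts.

Added illustration, not Lunar's or any vendor's code. The watch-list and
the posts below are constructed; a real deployment would feed in crawler
output and route alerts to a ticketing or SIEM system.
"""
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    kind: str      # "direct" (our company/domain) or "supply-chain" (a supplier)
    term: str      # the watch-list term that matched
    site: str      # host the post was scraped from
    post_id: str   # content fingerprint, identical across mirror sites


# Constructed watch-list: the monitored organisation and one of its suppliers.
WATCHLIST = {
    "direct": ["Example Corp", "example.com"],
    "supply-chain": ["AcmePayroll", "acmepayroll.example"],
}

# Constructed sample posts as a crawler might return them. The last two are
# the same announcement republished on a mirror host.
SAMPLE_POSTS = [
    {"site": "leak-site.onion", "text": "New victim: Example Corp. 300GB of data. Pay within 72h."},
    {"site": "leak-site.onion", "text": "Some unrelated retailer added."},
    {"site": "forum.i2p", "text": "Selling VPN access to acmepayroll.example, admin creds included."},
    {"site": "leak-site.onion", "text": "Published: AcmePayroll full dump"},
    {"site": "leak-site-mirror2.onion", "text": "Published:   AcmePayroll full dump"},
]


def post_fingerprint(text: str) -> str:
    """Normalise whitespace and case, then hash, so mirror reposts dedupe."""
    norm = re.sub(r"\s+", " ", text).strip().lower()
    return hashlib.sha256(norm.encode()).hexdigest()[:16]


def term_pattern(term: str) -> re.Pattern:
    """Whole-token, case-insensitive match.

    Not preceded by a word char or hyphen (so "counterexample.com" does not
    fire on "example.com") and not followed by a word char, hyphen, or a dot
    that starts another label (so "AcmePayroll" does not fire on
    "acmepayroll.example"; that term has its own entry).
    """
    return re.compile(r"(?<![\w-])" + re.escape(term) + r"(?![\w-]|\.\w)", re.IGNORECASE)


def match_posts(posts, watchlist=WATCHLIST):
    """Return one Alert per (post fingerprint, term); mirrors collapse to one."""
    seen = set()
    alerts = []
    for post in posts:
        fp = post_fingerprint(post["text"])
        for kind, terms in watchlist.items():
            for term in terms:
                if not term_pattern(term).search(post["text"]):
                    continue
                key = (fp, term)
                if key in seen:
                    continue          # already alerted on this post via a mirror
                seen.add(key)
                alerts.append(Alert(kind, term, post["site"], fp))
    return alerts


if __name__ == "__main__":
    for a in match_posts(SAMPLE_POSTS):
        print(f"[{a.kind}] {a.term!r} on {a.site} (post {a.post_id})")
```

Run as a script, it prints one direct alert and two supply-chain alerts; the mirror repost in the last sample is suppressed because its fingerprint matches the original.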
2. Regular and secure backups
Make sure your backups are isolated from shared drives, Network Attached Storage (NAS), any other machine, and cloud-accessible storage. All of these are potential points of infection that could also reach the backup.
Implement a backup strategy that includes three separate copies of data with an offsite backup and one air-gapped or immutable copy.
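The two points above, that a copy reachable from the network is not isolated and that the strategy needs three copies with one offsite and one air-gapped or immutable, can be expressed as a check over a backup inventory. This is an added example, not from the page or any backup product; the inventory records, their names and their attributes are constructed to show a weak layout beside a corrected one:

```python
"""Check a backup inventory against the rule above: three separate copies,
at least one offsite, and one air-gapped or immutable copy that the
network cannot reach.

Added illustration, not from the page or any vendor. The two inventories
are constructed; a real check would read them from the backup system.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    name: str
    medium: str               # e.g. "disk", "tape", "object-storage"
    offsite: bool             # stored at a different physical site or region
    reachable_from_lan: bool  # mounted share, NAS, or always-on cloud mount
    immutable: bool           # WORM tape, object lock, or physically air-gapped


def evaluate_backups(copies):
    """Return {rule: (passed, detail)} for each rule in the strategy."""
    results = {}
    results["three_copies"] = (len(copies) >= 3, f"{len(copies)} copies present")
    offsite = [c.name for c in copies if c.offsite]
    results["one_offsite"] = (bool(offsite), f"offsite: {offsite or 'none'}")
    # The isolated copy must be both immutable and unreachable from the LAN.
    # A NAS share or an always-mounted cloud drive is reachable by the same
    # malware that encrypted the production data, so it does not count.
    isolated = [c.name for c in copies if c.immutable and not c.reachable_from_lan]
    results["one_isolated"] = (bool(isolated), f"isolated: {isolated or 'none'}")
    return results


def failing_rules(copies):
    return [rule for rule, (passed, _) in evaluate_backups(copies).items() if not passed]


def is_compliant(copies):
    return not failing_rules(copies)


# Constructed weak layout: three copies, but every one is reachable from the LAN.
WEAK_INVENTORY = [
    BackupCopy("local-disk", "disk", offsite=False, reachable_from_lan=True, immutable=False),
    BackupCopy("office-nas", "disk", offsite=False, reachable_from_lan=True, immutable=False),
    BackupCopy("cloud-mount", "object-storage", offsite=True, reachable_from_lan=True, immutable=False),
]

# Constructed corrected layout: the cloud copy is written through the backup
# API with object lock enabled (no mounted share), and the tape set is offline.
CORRECTED_INVENTORY = [
    BackupCopy("local-disk", "disk", offsite=False, reachable_from_lan=True, immutable=False),
    BackupCopy("cloud-locked", "object-storage", offsite=True, reachable_from_lan=False, immutable=True),
    BackupCopy("offline-tape", "tape", offsite=True, reachable_from_lan=False, immutable=True),
]

if __name__ == "__main__":
    for label, inv in (("weak", WEAK_INVENTORY), ("corrected", CORRECTED_INVENTORY)):
        status = "compliant" if is_compliant(inv) else f"failing {failing_rules(inv)}"
        print(f"{label}: {status}")
        for rule, (_, detail) in evaluate_backups(inv).items():
            print(f"  {rule}: {detail}")
```

The weak inventory passes the copy count and the offsite rule but fails the isolation rule, which is the case the paragraph above warns about: the mounted cloud copy is offsite yet still reachable by ransomware running on the LAN.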
3. Zero trust policy
In a zero trust environment, organizations must continuously monitor and validate users’ privileges and attributes to ensure secure access. Controls are established to define what resources a user can access and where they can connect, particularly when it comes to sensitive or privileged accounts. One-time validation is no longer sufficient, as both threats and user attributes can change over time, requiring constant re-evaluation of access permissions.
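What "one-time validation is no longer sufficient" looks like in code is an access decision that re-runs every check on every request, using the session's current attributes rather than the state at login. The example below is added for illustration and is not from the page; the policy thresholds (MFA age limits, which networks count as trusted), the resource definitions and the sample session are assumptions chosen to show how the same session's decision changes over time:

```python
"""Continuous access evaluation: re-check a session's attributes on every
request instead of trusting a one-time login.

Added illustration, not from the page. The policy thresholds, resources
and the sample session are assumptions made for the walk-through.
"""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Session:
    user: str
    roles: frozenset
    mfa_verified_at: datetime
    device_compliant: bool    # endpoint posture as last reported by the agent
    source_network: str       # "corp", "vpn" or "internet"


@dataclass(frozen=True)
class Resource:
    name: str
    sensitivity: str          # "low" or "high"
    required_role: str


# Assumed policy: high-sensitivity resources need fresh MFA, a compliant
# device and a trusted network; low-sensitivity ones only need a role and
# a reasonably recent MFA.
MFA_MAX_AGE = {"low": timedelta(hours=12), "high": timedelta(minutes=30)}
TRUSTED_NETWORKS = {"corp", "vpn"}


def evaluate_access(session, resource, now):
    """Return (allowed, reasons). Every check runs on every call."""
    reasons = []
    if resource.required_role not in session.roles:
        reasons.append("missing role")
    if now - session.mfa_verified_at > MFA_MAX_AGE[resource.sensitivity]:
        reasons.append("mfa too old")
    if resource.sensitivity == "high":
        if not session.device_compliant:
            reasons.append("device not compliant")
        if session.source_network not in TRUSTED_NETWORKS:
            reasons.append("untrusted network")
    return (not reasons, reasons)


# Constructed sample data.
T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
ALICE = Session("alice", frozenset({"finance"}), mfa_verified_at=T0,
                device_compliant=True, source_network="vpn")
WIKI = Resource("team-wiki", "low", "finance")
PAYROLL_DB = Resource("payroll-db", "high", "finance")


def walk_through():
    """Follow one session through changing conditions.

    Returns {(resource, step): allowed}; the same session is allowed, then
    denied, without ever logging out.
    """
    decisions = {}
    decisions[("payroll-db", "t0")] = evaluate_access(ALICE, PAYROLL_DB, T0)[0]
    # One hour later the MFA is stale for the high-sensitivity database ...
    later = T0 + timedelta(hours=1)
    decisions[("payroll-db", "t0+1h")] = evaluate_access(ALICE, PAYROLL_DB, later)[0]
    # ... but still acceptable for the low-sensitivity wiki.
    decisions[("team-wiki", "t0+1h")] = evaluate_access(ALICE, WIKI, later)[0]
    # Alice re-authenticates, but the endpoint agent now reports the device
    # as non-compliant: a one-time check at login would never see this.
    alice_bad_device = replace(ALICE, mfa_verified_at=later, device_compliant=False)
    decisions[("payroll-db", "bad-device")] = evaluate_access(alice_bad_device, PAYROLL_DB, later)[0]
    decisions[("team-wiki", "bad-device")] = evaluate_access(alice_bad_device, WIKI, later)[0]
    return decisions


if __name__ == "__main__":
    for (resource, step), allowed in walk_through().items():
        print(f"{step:>10}  {resource:<12} {'ALLOW' if allowed else 'DENY'}")
```

The design point is that `evaluate_access` keeps no memory of earlier decisions: a change in MFA age or device posture takes effect on the next request, which is the continuous re-evaluation the paragraph calls for.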
4. Robust network security
Network segmentation, firewalls, and intrusion detection systems can help prevent unauthorized access. Network segmentation breaks the overall attack surface into many sections. Each section acts as its own network with a perimeter that can be reinforced, which reduces the potential attack surface and limits unauthorized access.