What is ransomware-as-a-service (RaaS)?

About Ransomware-as-a-Service (RaaS)?

Ransomware-as-a-Service (RaaS) is a cybercriminal business model in which threat actors provide ransomware tools and infrastructure to other individuals or groups, known as affiliates, who want to conduct ransomware attacks for profit. Typically, RaaS is delivered via a subscription-based service, much like a legitimate software-as-a-service (SaaS) platform. RaaS enables non-technical cyber attackers to quickly and easily launch ransomware campaigns for profit.

How is RaaS Different from Traditional Ransomware?

As opposed to traditional ransomware, RaaS involves the distribution of out-of-the-box software packages designed to launch a ransomware attack. These packages are available to subscribers who pay to be an affiliate of the program and receive updated versions of the ransomware. The transition to a service model has transformed ransomware, giving its developers the ability to focus on features, and leaving the messier part of gaining access and deploying the malware to its customers, the affiliates. These threat actors can employ a wide range of attack styles, software, and expertise to the task.

While carrying out a RaaS attack only requires a little technical skill from the affiliate, the ransomware tools available today are increasingly sophisticated. Many of them are designed and used by Initial Access Brokers, or IABs, who have spent years honing their cybercriminal techniques. And now, thanks to the dark web, anyone with a credit card can purchase one.

Here are a few ways that RaaS is different from traditional ransomware:

1. Perpetrator Model

In traditional ransomware attacks, the attackers themselves develop and distribute the ransomware to infect systems and demand ransoms. The RaaS model, on the other hand, allows highly skilled cybercriminals to distribute their tools to less qualified, financially resourceful bad actors, so they can conduct ransomware attacks without creating the malware themselves. Today, it’s easier and cheaper than ever for bad actors to obtain ransomware packages from RaaS providers and initiate attacks. To these affiliates, it's simply the cost of doing business when running a successful ransomware scheme.

2. Accessibility

Ransomware requires technical expertise to develop, maintain, and distribute. RaaS, however, lowers the barrier to entry for cybercriminals, as it offers pre-built, user-friendly ransomware packages. Some providers will even offer customer support for their affiliates, just like a legitimate SaaS operation.

3. Distribution and Reach

Traditional ransomware authors have their limitations when it comes to infecting systems. However, RaaS providers can attract multiple affiliates to distribute their ransomware more widely. This distributed model translates to a more far-reaching, widespread attack campaign.

4. Revenue Sharing Business Model

RaaS providers typically offer a revenue-sharing model with their affiliates, taking a percentage of the ransom payments obtained by the affiliates. Promising a share of the profits is a powerful incentivize to RaaS providers, whose sole job is to develop more effective and evasive ransomware to maximize the shared profits. After all, they have their affiliates to execute the campaigns.

5. Innovation and Variants

With a broader base of attackers using their ransomware, RaaS providers often receive feedback from affiliates about the malware's efficacy and any glitches or detection issues. Just like a legitimate software company, this feedback leads to quicker innovation and the development of new ransomware variants that improve on the last version.

6. Anonymity

RaaS can provide a level of anonymity for the actual authors of the ransomware. Affiliates are responsible for distributing the malware and interacting with the victims directly, putting them at greater risk of being identified.

It's crucial to stay informed about the latest developments in RaaS variants and make sure that your cybersecurity defenses are modern enough to protect against these threats.

How does Ransomware-as-a-Service Work?

RaaS operators create and maintain the ransomware software, managing its deployment infrastructure, encryption mechanisms, and payment processing. Affiliates sign up for the software service and, in return for a portion of the profits, gain access to the ransomware toolkit and control panel. These affiliates are then responsible for distributing the ransomware through various attack vectors, such as phishing emails or exploit kits. Sometimes, the affiliates will also work through an Initial Access Broker (IAB) to gain unsanctioned access to a compromised company or individual. Essentially, every major aspect of a ransomware attack is outsourced, so the affiliate simply has to execute.

What is an Initial Access Broker (IAB)?

Initial Access Brokers (IABs) are cybercriminals who market access to compromised corporate networks and data. IABs have highly technical training and bring to the table a very specialized set of nefarious cybersecurity skills, usually developed through years of black hat hacking. These skills help IABs gain unsanctioned access to secure networks.

Common attack vectors of an IAB include social engineering, phishing attacks, vulnerabilities and exploits, and account takeovers. Once IABs gain access, the next step is to sell that access to other criminals in underground online forums on the dark web. Their buyers: targeted ransomware groups seeking access to breached networks and systems for their ransomware schemes.

Who Are the Primary Targets of RaaS Attacks?

RaaS attacks typically target a wide range of victims, including individuals, small and large businesses, government organizations, and other entities with valuable data. Cybercriminals aim to maximize profits by infecting as many vulnerable systems as possible.

Here's how these attackers typically choose their victims:

  • Targeted Industries: RaaS attackers often focus on industries that are more likely to pay a ransom to regain access to critical data or systems. Sectors like healthcare, finance, government, and large, multinational corporations are frequently targeted due to the potential for higher payouts and the sensitive nature of their data. RaaS affiliates might also have insights into specific industries or access to compromised networks, which they use to select their targets.
  • Geography: Attackers may prefer targeting victims in specific geographic regions based on various factors. Some regions may have a higher concentration of vulnerable systems or valuable data, while others may have a lower level of cybersecurity awareness and readiness.
  • Vulnerability Scanning: Cybercriminals use automated tools to scan the internet for vulnerable systems with weaknesses in software, unpatched applications, or misconfigurations. They exploit these vulnerabilities to gain unauthorized access and deploy ransomware.
  • Data from IABs: Cybercriminals may purchase data from black-market sources like IABs that contain information about potential victims. This data might include email lists, employee details, or information about the targeted organizations' vulnerabilities.
  • Profit Potential: Attackers assess the potential for a successful attack and the likelihood that the victim will pay the ransom. High-value targets with a greater ability to pay are more attractive to RaaS operators.
  • Socioeconomic and Political Factors: In some cases, attackers might be motivated by economic or political reasons. They may target organizations or institutions that could cause significant disruption or embarrassment to governments or corporations. It’s important to note that these RaaS variants have been employed by nation-state cybercriminals to create instability and panic. For example, the DarkSide RaaS variant has been traced to a significant cyberattack against Georgia-based Colonial Pipeline. The attack resulted in a fuel supply disruption along the East Coast of the U.S.
  • Prior History: Sometimes, RaaS operators keep records of successful victims who have paid the ransom in the past. They might attempt to target these organizations again, believing they may be willing to pay again to avoid public disclosure of their previous attack.

What are the Most Popular RaaS Variants?

As the threat landscape evolves constantly, various RaaS variants come and go. Some well-known RaaS examples include REvil (Sodinokibi), DarkSide, Ryuk, and GandCrab. New RaaS variants tend to emerge over time. One variant known as Dharma or CrySis, has many variants due to the continued sale and modification of its source code to multiple malware developers. In March 2020, a collection of source code for one variant of Dharma was offered for sale on Russian-language crime forums for $2,000 through an intermediary.

How Can Managed Detection and Response Help Protect My Organization from RaaS Attacks?

It's important to note that the tactics and techniques used by cybercriminals are constantly evolving. To ensure that your organization is using the latest technology to defend against ransomware attacks, a cybersecurity-as-a-service model is highly recommended. After all, the attackers are leveraging this same service delivery model to deliver malware to their targets. Shouldn’t your organization use the same method to defend against these attacks?

Managed Detection and Response (MDR) is the most effective strategy against ransomware as a service attack. It gives you instant access to a world-class security operations center (SOC) populated by some of the most experienced cybersecurity analysts, data scientists and threat intelligence experts. MDR is a comprehensive cybersecurity service provided by a third-party partner to help organizations with ransomware mitigation.

Here's how MDR can safeguard you from RaaS attacks:

1. Real-Time Threat Monitoring

MDR continuously monitors your network and endpoints in real time for suspicious activities and potential indicators of ransomware attacks. Advanced threat detection tools and techniques are employed within the SOC to identify any unusual patterns or behaviors that might be indicative of ransomware activity.

2. Expert-Led Threat Hunting

MDR teams are skilled at proactive threat hunting. They search for traces of ransomware activity that might have bypassed traditional security measures. This involves analyzing logs, network traffic, and other data to uncover hidden threats before they cause significant damage.

3. Rapid Incident Response

In case of a ransomware attack, time is critical. MDR providers have experienced incident response teams that can quickly assess the situation, contain the spread of ransomware, and develop a strategy to effectively eradicate the threat from your systems.

4. User Behavior Analysis

Ransomware-as-a-service attacks often leverage sophisticated techniques to evade detection. MDR employs behavior analysis and anomaly detection to identify malicious behavior, even if the ransomware is new or previously unknown.

5. Endpoint Security

MDR includes advanced endpoint protection beyond traditional antivirus software. It utilizes next-generation endpoint security tools to detect and block ransomware before executing on endpoints.

6. Threat Intelligence Sharing

MDR providers have access to extensive threat intelligence sources, which allow them to stay up-to-date with the latest ransomware trends and tactics. This information helps them proactively defend against emerging threats.

7. Patch Management

MDR helps ensure your systems are updated with the most recent security patches and updates. Outdated software can be vulnerable to ransomware attacks, and proper patch management minimizes these risks.

8. User Awareness and Training

MDR services often include training employees about ransomware risks and best practices to avoid falling victim to phishing and other social engineering techniques commonly used in ransomware campaigns. Phishing simulation training is one example of what an MDR provider can offer to strengthen your weakest link in RaaS attacks: your end users.

9. Data Backup and Recovery

MDR providers often emphasize the importance of regular data backups and help establish robust backup and recovery processes. In case of a successful ransomware attack, having reliable backups can minimize the impact and eliminate the need to pay the ransom.

10. Post-Incident Analysis

MDR providers conduct thorough post-incident analyses following a ransomware attack to identify vulnerabilities and weaknesses in your security infrastructure. This helps in improving future resilience against similar attacks.

By combining these elements, Managed Detection and Response can significantly enhance your organization's ability to defend against ransomware as a service attack and mitigate potential damage in the event of an incident. It provides a proactive and comprehensive approach to cybersecurity that complements traditional security measures and empowers organizations to stay one step ahead of cyber threats.

Sophos on Ransomware-as-a-Service

Today’s Ransomware-as-a-Service attacks combine multiple advanced techniques with real-time hacking. To minimize your risk of falling victim to these schemes, you need advanced cybersecurity measures with the power to monitor and secure your entire attack surface. Sophos Managed Detection and Response (MDR) experts monitor, detect, and neutralize RaaS threats faster than anyone else. To read more about how our team has detected multiple RaaS variants over the years, visit our Ransomware Intelligence Center. Or, get in touch with a Sophos MDR expert.


Sophos 2024 State of Ransomware Report

How likely are you to be hit by ransomware? How many of your computers would be affected? Find these answers and much more in the Sophos 2024 State of Ransomware Report.

Download Now



Related security topic: What is business email compromise (BEC)?