How Does Ransomware-as-a-Service Work?

by Zac Amos, April 14th, 2022

Too Long; Didn't Read

Cybercriminals are treating ransomware, a common cybersecurity threat, as a business – it's now an underground industry. An emerging business model in the cybercriminal community is ransomware-as-a-service (RaaS). RaaS is a subscription-based model that allows malicious users to use existing ransomware tools. As ransomware becomes easier and easier to access, it's now more important than ever to follow cybersecurity best practices and educate and train yourself and your employees.

Cybersecurity is a top concern for businesses and individuals alike in the digital era. No company or person wants any of their sensitive data stolen by malicious hackers. Cybersecurity attacks are on the rise and can be costly for companies, customers, and individuals.


Cybercriminals will use whatever resources they can to launch cyberattacks. Reports of hackers leveraging artificial intelligence (AI) to execute cybersecurity attacks are especially concerning. Additionally, cybercriminals are now treating ransomware, a common cybersecurity threat, as a business – it's now an underground industry.


Below is more about ransomware-as-a-service (RaaS), how it started, how it works, common RaaS kits, and tips to prevent experiencing a ransomware attack.

What Is Ransomware-as-a-Service (RaaS)?

First and foremost, it's critical to understand what ransomware is before learning about ransomware-as-a-service.


Ransomware is a type of malware that invades a user's device and encrypts data. Encryption scrambles the data so that it stays unreadable until the company or individual pays a ransom, often an expensive one. Once a ransom is paid, the hacker may or may not choose to release the encrypted data.


Ransomware attacks are typically executed with social engineering tactics, such as a phishing email scam. Ransomware often spreads from the first infected device to any other devices connected to the same network, such as servers or databases on a corporate network.


An emerging business model in the cybercriminal community is ransomware-as-a-service (RaaS). Rather than creating ransomware only to execute their own attacks, threat actors sell it on the Dark Web using the software-as-a-service (SaaS) model.


In other words, RaaS is a subscription-based model that allows malicious users to use existing ransomware tools. The actor responsible for creating the tool earns a percentage of the payments made through a ransomware attack.


RaaS is a variation of SaaS business models, the difference being that the "software" is used for malicious attacks.

A Brief History of RaaS

Ransomware has evolved in recent years. What started as basic denial-of-data attacks on small companies quickly transformed into more sophisticated attacks targeting large corporations with more financial resources and highly sensitive information. For example, health care companies, financial services organizations, and government agencies are some industries often targeted by malicious actors.


Additionally, hackers began demanding higher ransoms. Initially, they would require a couple of hundred dollars or a few thousand. Now, it's common for hackers to demand hundreds of thousands or millions of dollars from their victims.


Eventually, cybercriminals realized that instead of creating their own malware and executing attacks, they could market their ransomware tools to other threat actors for profit.


Criminals who lack knowledge of ransomware creation and development now benefit from RaaS because these ransomware tools are so easily accessible. The more hackers access ransomware tools through a RaaS model, the more vulnerable organizations and individuals will be.

How RaaS Works

There are a few steps involved in the RaaS business model:


  • Step 1: A developer creates a specific ransomware code.
  • Step 2: The ransomware code is sold to affiliates, and the developers include instructions for the affiliate to follow for attack execution.
  • Step 3: Affiliates select a type of malware, pay for it with cryptocurrency (typically Bitcoin), and launch the attack.
  • Step 4: Once the ransom money is paid, the affiliate and the developer divide the profits.


Most RaaS arrangements fall into one of the following categories:


  • Affiliate programs: A small percentage of profits is paid to the RaaS operator who wants to run an efficient RaaS model and increase earnings from ransoms.
  • Monthly subscription: Users pay a flat monthly fee to earn a percentage of every successful ransom attack.
  • Pure profit sharing: Predetermined percentages of profits are shared between users and operators through a license purchase.
  • One-time license fee: Users make one-time payments without sharing profit, and affiliates have continuous access.


RaaS operators need to be highly skilled, because only expertly coded ransomware appears attractive to potential affiliates. Ransomware from a reputable RaaS developer will have a high chance of attack success and a low probability of discovery. Some RaaS models do not require affiliates to pay, and affiliates can sign up on a commission basis.


RaaS operators market to affiliates on the Dark Web and sometimes even provide the affiliate with a dashboard so they can monitor whether any of their attacks succeed. It's also common for ransomware gangs, such as Circus Spider, to recruit only advanced affiliates with specific technical expertise to ensure successful attacks.


Here are some examples of popular RaaS kits:


  • Encryptor
  • Locky
  • Shark
  • Goliath
  • Jokeroo
  • Stampado


While this is a short list, more RaaS kits are emerging and more malicious actors want to get in on the action.


As a result of the increasing number of attacks originating from RaaS, the U.S. Department of Justice (DOJ) created the Ransomware and Digital Extortion Task Force in 2021.


The ultimate goal of this task force is to use the DOJ's authority and resources to respond to these cybersecurity concerns and bring cybercriminals to justice. An article from The Verge details some recent and impressive prosecutions the task force has made in the months since its introduction.

Tips for Preventing RaaS Attacks

The majority of ransomware victims would agree that choosing whether to pay the ransom or not is a challenging decision to make. Experts argue that paying a ransom encourages this type of malicious behavior. In contrast, others suggest paying ransoms to prevent data leaks, protect clients, or return to normal operations.


It is worth noting that the Federal Bureau of Investigation (FBI) strongly discourages paying a ransom, especially because hackers may never grant access to the encrypted data stolen from a company.


Below are some important tips for RaaS attack prevention:


  • Routinely back up sensitive data as a preventive measure.
  • Keep all software and applications updated with the latest version for enhanced security.
  • Implement a strong cybersecurity infrastructure to fend off hackers.
  • Install antivirus software and secure all endpoints connected to a network.
  • Educate all employees on best cybersecurity practices and hold training sessions to bolster employee knowledge surrounding RaaS and ransomware attacks.
  • Create a culture of data protection.
  • Invest in advanced cybersecurity technologies, consult with a cybersecurity firm to run an audit, and identify areas of improvement in cybersecurity.


Companies should consider using the suggestions above to protect their digital assets. With more RaaS models emerging, it's expected that ransomware attacks will grow more frequent and sophisticated.

Understand RaaS for Ransomware Prevention

Many organizations understand that cybersecurity is no walk in the park. However, it must be a top priority for all companies, regardless of industry.


While ransomware is not a new threat, RaaS models are. RaaS is causing the cybersecurity threat landscape to expand. Use the best cybersecurity practices, educate and train employees, and ensure strong security measures are in place to prevent ransomware attacks.