What is Ransomware as a Service (RaaS)? The Dangerous Threat to World Security

Ransomware attacks are on a steep upward trend, and the curve shows no sign of flattening.

In Q3 2020, ransomware attacks increased globally by 40% to 199.7 million cases. In the U.S. alone, attacks increased by 139% year-over-year, totaling 145.2 million cases in Q3 2020.

The impetus for the recent sudden spike in ransomware attacks was the dramatic shift from a linear attack model to an insidious, multi-dimensional Ransomware as a Service model.

To learn how this new ransomware model operates, and how your business can best defend itself, read on.

What is Ransomware as a Service (RaaS)?

Ransomware as a service (RaaS) is a subscription-based model that enables affiliates to use already-developed ransomware tools to execute ransomware attacks. Affiliates earn a percentage of each successful ransom payment.

Ransomware as a Service (RaaS) is an adaptation of the Software as a Service (SaaS) business model.

In the past, coding expertise was a requirement for every successful hacker. Now, with the introduction of the RaaS model, that technical prerequisite has been all but eliminated.

Like all SaaS solutions, RaaS tools don't require their users to be skilled, or even experienced, to use them proficiently. RaaS offerings therefore empower even the most novice hackers to execute highly sophisticated cyberattacks.

RaaS operators pay their affiliates very high commissions. The average ransom demand increased by 33% since Q3 2019 to $111,605, with some affiliates earning up to 80% of each ransom payment.

The low technical barrier to entry and the prodigious affiliate earning potential make RaaS offerings effectively engineered for victim proliferation.

How Does the RaaS Model Work?

The RaaS model starts with expertly coded ransomware developed by skilled ransomware operators. The developers need a solid reputation to persuade affiliates to sign up and distribute their malware.

Reputable RaaS developers create software with a high chance of successful penetration and a low chance of discovery.

Once the ransomware is developed, it is adapted to a multi-tenant infrastructure so that it can be licensed to multiple affiliates. The revenue model mirrors SaaS products: affiliates can either pay a one-time fee or a monthly subscription.

Some RaaS operations have no monetary entry requirement, and affiliates sign up on a commission basis.

Ransomware affiliates are supported with onboarding documentation containing a step-by-step guide for launching ransomware attacks with the software. Some RaaS distributors even provide affiliates with a dashboard solution to help them monitor the status of each ransomware infection attempt.

To recruit affiliates, RaaS operators post affiliate openings on dark web forums. Some ransomware gangs, like Circus Spider, only recruit affiliates with specific technical skills, because such affiliates have a higher chance of claiming prestigious victims.

Image: Circus Spider affiliate requirements (source: twitter.com, @campuscodi)


Other ransomware gangs are purely interested in rapid distribution and have very soft affiliate requirements.  

Each new affiliate is given custom exploit code for their own ransomware attacks. This custom code is then submitted to the website hosting the RaaS software for that affiliate.

With the affiliate's hosting site updated, RaaS users are ready to launch their ransomware attacks.

How Do RaaS Attacks Work?

Most ransomware victims are breached through phishing attacks. Phishing is a method of stealing sensitive data, such as passwords and payment details, through a seemingly innocuous source.

Phishing email is the most common category of phishing attack. Victims receive an email that seems legitimate, but when they click a link inside it, they unknowingly activate a cyber threat.

RaaS affiliates present victims with a very convincing phishing email. When a link is clicked, victims are directed to the exploit site where the ransomware is clandestinely downloaded.

Since the pandemic began, Covid-19 themed phishing emails have been flooding inboxes. These emails look very convincing, especially to a panic-stricken recipient whose guard is down.

Image: Covid-themed Netwalker phishing email (source: ncsc.org)


Once downloaded, the ransomware moves through the infected system, disabling firewalls and antivirus software. After these defenses are compromised, the ransomware may trigger the autonomous download of additional remote access components.

If a vulnerable endpoint is discovered, such as a desktop, laptop, or even an IoT device, it can serve as a gateway to the business's entire internal network. Ransomware that reaches this depth of penetration is capable of holding an entire business hostage.

With the ransomware now free to progress undetected, the victim's files are encrypted until they are inaccessible. Most ransomware operates under the cover of authorized processes, so victims are unaware of any data breach occurring.

After the attack is complete, the extortion game begins.

A ransom note, written in a TXT file, is deposited on the victim's computer. It instructs victims to pay a ransom in exchange for a decryption key.
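The two behaviours just described, a burst of files rewritten with a new extension and a ransom note dropped as a TXT file into the affected directories, are exactly what an endpoint monitor can look for. The script below is an added example written for this article (not the article's own or any vendor's code): it runs two simple heuristics over a constructed list of file events. The event format, the note-name keyword list and the thresholds are this example's own assumptions.

```python
"""Heuristic detection of ransomware-style file activity on an endpoint.

Added example written for this article; it is not the article's or any
vendor's code. It scans a list of (timestamp, action, path) file events,
constructed below as sample data, and flags a burst of files renamed to one
new extension plus a ransom-note TXT file created in several directories.
The event format, keyword list and thresholds are assumptions, not a standard.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PurePosixPath
from typing import Iterable, List, Tuple

# Constructed sample telemetry (not real data): ISO timestamp, action, path.
SAMPLE_EVENTS = [
    ("2020-11-02T09:00:00", "create", "/home/alice/docs/notes.txt"),          # benign
    ("2020-11-02T09:00:02", "rename", "/home/alice/docs/report.docx.locked"),
    ("2020-11-02T09:00:03", "rename", "/home/alice/docs/budget.xlsx.locked"),
    ("2020-11-02T09:00:03", "rename", "/home/alice/docs/plan.pdf.locked"),
    ("2020-11-02T09:00:04", "rename", "/home/alice/photos/a.jpg.locked"),
    ("2020-11-02T09:00:05", "rename", "/home/alice/photos/b.jpg.locked"),
    ("2020-11-02T09:00:06", "rename", "/home/alice/photos/c.jpg.locked"),
    ("2020-11-02T09:00:07", "create", "/home/alice/docs/README_FOR_DECRYPT.txt"),
    ("2020-11-02T09:00:08", "create", "/home/alice/photos/README_FOR_DECRYPT.txt"),
    ("2020-11-02T10:30:00", "rename", "/home/alice/old/archive.bak"),         # benign, isolated
]

# Words that commonly appear in ransom-note file names (assumed list).
NOTE_KEYWORDS = ("readme", "decrypt", "restore", "recover", "how_to")


@dataclass
class Finding:
    kind: str
    detail: str


Event = Tuple[datetime, str, PurePosixPath]


def parse_events(rows: Iterable[Tuple[str, str, str]]) -> List[Event]:
    """Turn raw (timestamp, action, path) rows into typed events."""
    return [(datetime.fromisoformat(ts), action, PurePosixPath(path)) for ts, action, path in rows]


def detect_extension_burst(events: List[Event], window=timedelta(seconds=60), threshold=5) -> List[Finding]:
    """Flag an extension that at least `threshold` renamed files acquire within `window`."""
    findings = []
    by_ext = defaultdict(list)
    for ts, action, path in events:
        if action == "rename" and path.suffix:
            by_ext[path.suffix.lower()].append(ts)
    for ext, stamps in by_ext.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):  # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                seconds = int(window.total_seconds())
                findings.append(Finding("extension_burst", f"{end - start + 1} files renamed to '{ext}' within {seconds}s"))
                break
    return findings


def detect_ransom_notes(events: List[Event], min_dirs=2) -> List[Finding]:
    """Flag a TXT file with ransom-note keywords created in at least `min_dirs` directories."""
    dirs = defaultdict(set)
    for ts, action, path in events:
        name = path.name.lower()
        if action == "create" and path.suffix.lower() == ".txt" and any(k in name for k in NOTE_KEYWORDS):
            dirs[name].add(path.parent)
    return [Finding("ransom_note_drop", f"'{name}' created in {len(d)} directories")
            for name, d in dirs.items() if len(d) >= min_dirs]


def scan(rows: Iterable[Tuple[str, str, str]]) -> List[Finding]:
    """Run both heuristics and return every finding."""
    events = parse_events(rows)
    return detect_extension_burst(events) + detect_ransom_notes(events)


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.kind}] {finding.detail}")
```

Both heuristics are deliberately conservative: a single renamed file or one stray "readme.txt" produces nothing, while the sample's six renames in four seconds and the same note in two directories each produce a finding. In a real deployment the rows would come from the endpoint agent's file-event feed rather than the embedded list.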

Image: Egregor ransom note (source: bleepingcomputer.com)

Some ransomware gangs, such as the cybercrime group Maze, operate on a double-extortion model. They demand a ransom payment in exchange for a decryption key and also threaten to publish the breached data on the dark web if payment isn't made before the deadline.

The dark web is a criminal-infested network, so any information leaked there gives multiple cybercriminal groups free access to your sensitive data and that of your customers. The fear of further exploitation compels many ransomware victims to comply with the criminals' demands.

To make the ransom payment, victims are instructed to download a dark web browser and pay through a dedicated payment gateway. Most ransom payments are made in cryptocurrency, usually Bitcoin, because of its untraceable nature.

Image: Sodinokibi ransom note with dark web browser download instructions (source: bankinfosecurity.com)


Each ransom payment is sent to a money launderer who obscures the trail of the funds so that they cannot be traced back to the ransomware developer or the RaaS affiliate.

Image: RaaS workflow

The Biggest Ransomware Threats

Some of the biggest RaaS ransomware variant threats are:

  • Satan
  • Netwalker
  • Cerber
  • Egregor
  • Hostman
  • WannaCry
  • Philadelphia
  • MacRansom
  • Atom
  • FLUX
  • Tox
  • REvil
  • Ryuk
  • Encryptor
  • Fakben
  • ORX Locker
  • Alpha Locker
  • Hidden Tear
  • Janus
  • Ransom3

Ransomware: Should You Pay the Ransom?

Whether or not to pay a ransom is a difficult decision. If you pay, you are trusting that the cybercriminals will deliver on their promise to supply a decryption key.

Cybercriminal operations are inherently immoral; you cannot trust criminals to uphold even a fragment of morality and follow through on their promises. In fact, many RaaS affiliates don't bother providing decryption keys to every paying victim, as their time is better spent seeking out new paying victims.

Because a ransom payment never guarantees the decryption of seized data, the FBI strongly discourages paying ransoms.


How to Protect Yourself from Ransomware Attacks

The most effective ransomware attack mitigation strategy is a combination of educating staff, establishing defenses, and continuously monitoring your ecosystem for vulnerabilities.

Here are some suggested defense tactics:

  • Monitor all endpoint connection requests and establish validation processes
  • Educate staff on how to identify phishing attacks
  • Set up DKIM and DMARC to prevent attackers from using your domain for phishing attacks.
  • Monitor and remediate all vulnerabilities exposing your business to threats
  • Monitor the security posture of all your vendors to prevent third-party breaches
  • Set up regular data backup sessions
  • Do not rely solely on cloud storage; back up your data on external hard drives as well
  • Avoid clicking on questionable links. Phishing scams do not only occur via email; malicious links can lurk on web pages and even in Google documents.
  • Use antivirus and anti-malware solutions
  • Ensure all your devices and software are patched and updated.
  • Provide your staff and end-users with comprehensive social engineering training
  • Introduce Software Restriction Policies (SRP) to prevent programs from running from common ransomware locations, e.g., the temp folder
  • Apply the principle of least privilege to protect your sensitive data.
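Of the tactics above, the DKIM and DMARC item is the one that is easy to get half right: a DMARC record at p=none and an SPF record ending in ~all are both "set up" yet still let a spoofed message from your domain reach an inbox. The script below is an added example written for this article (not the article's own or UpGuard's code) that grades SPF and DMARC records for enforcement strength, showing a weak configuration beside a corrected one. The records are passed in as strings so it runs offline; the sample records and the grading rules are this example's own assumptions.

```python
"""Grade SPF and DMARC records for resistance to domain spoofing.

Added example written for this article, not the article's or UpGuard's own
code. Records are passed in as strings so the check runs offline; in practice
you would fetch the TXT record of example.com (SPF) and _dmarc.example.com
(DMARC) with a DNS query. The sample records below are constructed and the
grading rules are this example's own assumptions.
"""
import re
from typing import Dict, List, Optional

# Constructed sample records (not any real domain's data).
WEAK_RECORDS = {
    "spf": "v=spf1 include:_spf.example.net ~all",
    "dmarc": "v=DMARC1; p=none; pct=50",
}
STRONG_RECORDS = {
    "spf": "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all",
    "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s",
}

# SPF terms that each consume one of the 10 DNS lookups a receiver will perform.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a$|a[:/]|mx$|mx[:/]|ptr|exists:|redirect=)", re.I)


def parse_dmarc(record: str) -> Dict[str, str]:
    """'v=DMARC1; p=none; rua=mailto:x' -> {'v': 'DMARC1', 'p': 'none', 'rua': 'mailto:x'}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def grade_dmarc(record: Optional[str]) -> List[str]:
    """Return the weaknesses found; an empty list means full enforcement with reporting."""
    if not record:
        return ["no DMARC record: receivers have no policy for mail that fails SPF/DKIM"]
    tags = parse_dmarc(record)
    issues = []
    if tags.get("v", "").upper() != "DMARC1":
        issues.append("record does not start with v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy == "none":
        issues.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        issues.append("p=quarantine sends spoofed mail to spam instead of rejecting it")
    elif policy != "reject":
        issues.append(f"missing or invalid p= tag ({policy or 'absent'})")
    if "rua" not in tags:
        issues.append("no rua= address: you will not receive aggregate reports of spoofing attempts")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        issues.append(f"pct={pct}: policy is applied to only part of the mail stream")
    return issues


def grade_spf(record: Optional[str]) -> List[str]:
    """Return the weaknesses found; an empty list means unlisted senders hard-fail."""
    if not record:
        return ["no SPF record: receivers cannot tell which servers may send for the domain"]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1"]
    issues = []
    all_term = next((t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"), None)
    if all_term is None:
        issues.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_term in ("all", "+all", "?all"):
        issues.append(f"{all_term}: any server may send as this domain")
    elif all_term == "~all":
        issues.append("~all only soft-fails unlisted senders; move to -all once DMARC is at p=reject")
    lookups = sum(1 for t in terms[1:] if LOOKUP_TERM.match(t))
    if lookups > 10:
        issues.append(f"{lookups} lookup mechanisms exceed the limit of 10, so SPF evaluation will permerror")
    return issues


def grade(records: Dict[str, Optional[str]]) -> Dict[str, List[str]]:
    """Grade a domain's SPF and DMARC records together."""
    return {"spf": grade_spf(records.get("spf")), "dmarc": grade_dmarc(records.get("dmarc"))}


if __name__ == "__main__":
    for label, recs in (("weak", WEAK_RECORDS), ("strong", STRONG_RECORDS)):
        print(label, grade(recs))
```

Run against the constructed samples, the weak pair reports a monitoring-only DMARC policy applied to half the mail stream with no reporting address and a soft-fail SPF, while the strong pair reports nothing. DKIM itself cannot be graded from a single string in the same way, since its records live under per-selector names, but a DMARC policy at p=reject with adkim=s is what makes a DKIM failure actually block a message.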
