
What ransomware as a service (RaaS) means for security teams


16 March 2023

Are your people ready for ransomware’s latest moves?

You know as well as we do that ransomware isn’t anything new. We’ve even accused it of being a bit boring in the past. But the thing is, ransomware is a very real danger to organizations today.

You’d think after 40 years of causing misery it’d have the decency to peter out and sod off. But actually, the opposite seems to be happening. That’s why we’re doing everything to help you prevent it.


We’re living through a ransomware revolution

Ransomware is being industrialized, and it’s happening right now. 

And there’s something about the headline-topping ransomware variants, like the WannaCry NHS attack in the UK and the Colonial Pipeline attack in the US, that reveals the direction of travel.

Naturally, making money is top of nearly every cybercriminal’s list. And extortion via ransomware is a very effective method.

But it takes, to quote Mr. Neeson, “A very particular set of skills.” Ransomware developers spend a lot of time building sophisticated malware, and then pivoting to a new mode of attack when vulnerabilities are patched.

Not just anybody can make ransomware. Ransomware can make you rich. And when you can make a hard-to-make thing that can make you rich, you can sell that thing to others for a tidy sum.

Enter ransomware as a service (RaaS). It’s a business model used by ransomware groups that allows people to buy into malware or attacks from RaaS operators (i.e., those who created the malware), in exchange for a cut of the ransom payment.

RaaS marks the commodification of ransomware. It’s plain to see in the evolution to a gig economy, even clearer in the fact that RaaS buy-in often comes with customer support.

The RaaS ransomware model lowers the barrier for entry, so it’s expanding the ransomware sector in terms of ransomware actors, ransomware investment, and attack volume. But that’s not the worst of it.


What is Ransomware as a Service (RaaS)?

In short, it’s less complicated than it sounds. It’s essentially a subscription-based model that means you can use existing ransomware tools to execute ransomware attacks. Every successful ransom payment earns each affiliate commission.

Defining RaaS – A Deeper Dive

When we talk about Ransomware as a Service (RaaS), we are referring to a business model in the underbelly of the internet, where nefarious developers lease their ransomware software to affiliate criminals.

In essence, it’s a subscription-based model where cybercriminals purchase a ransomware kit, use it for their criminal endeavors, and split their profits with the RaaS provider.

What truly separates RaaS from generic ransomware is its franchising capability. It enables even those with minimal technical know-how to launch sophisticated ransomware attacks.

The Evolution of RaaS – A Tale as Dark as the Web Itself

While it’s tempting to just lump RaaS into the general history of ransomware, it has a unique trajectory.

Born out of the growth of the Software as a Service (SaaS) model, RaaS emerged as a profitable venture for cybercriminals around 2016, with the launch of the notorious Cerber ransomware.

It presented a new business model in the cybercrime world where tech-savvy developers and less-skilled operators could symbiotically profit from the misery of ransomware victims.

How the RaaS model works

Another way of putting this is that RaaS uses the SaaS business model, so the hackers no longer need any coding erudition of their own. Lucky them.

In fact, RaaS users don’t have to be experienced or skilled at all, so they can be total novices and still rake it in using sophisticated cyberattacks.

Examples of RaaS

Where to start. Famous (or infamous) examples include Locky, Goliath, Shark, Stampado, Encryptor, and Jokeroo. 

Let’s not be ambiguous about this; each RaaS variant carries its own brand of malicious innovation.

The infamous Locky, for instance, is known for its ability to encrypt a wide array of file types and rename them with the .locky extension, thereby denying victims access to their files until a ransom is paid.

Goliath, on the other hand, made its mark by catering specifically to amateurs, offering an easy-to-use interface and a detailed user guide.

Shark, albeit less well-known, has the unique feature of offering customization to its clients. You could choose your victims by country and even decide on the ransom amount.

But RaaS variants pop up all the time, 24 hours a day, every day of the year, in new, better, ingenious forms.
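A defender-side sketch of how the Locky behaviour described above shows up in file-audit logs, as an added example that is not from the original article: it flags a host where many files of different types are renamed to one new extension within a short window, which generalises beyond .locky to extensions not yet known. The event layout, thresholds and sample events are constructed assumptions.

```python
from collections import defaultdict, deque
from pathlib import PurePosixPath

# Constructed sample file-rename audit events: (epoch_seconds, host, old_path, new_path).
# The field layout is an assumption; map it from your EDR or file-audit log format.
SAMPLE_EVENTS = [
    (1000, "ws-07", "/home/amy/report.docx", "/home/amy/report.docx.bak"),
    (1010, "fs-01", "/share/fin/q1.xlsx", "/share/fin/A1B2C3.locky"),
    (1011, "fs-01", "/share/fin/q2.xlsx", "/share/fin/D4E5F6.locky"),
    (1012, "fs-01", "/share/hr/staff.pdf", "/share/hr/0718AA.locky"),
    (1013, "fs-01", "/share/hr/photo.jpg", "/share/hr/9C3E21.locky"),
    (1014, "fs-01", "/share/it/notes.txt", "/share/it/77F0B2.locky"),
    (5000, "ws-07", "/home/amy/a.txt", "/home/amy/a.md"),
]

def detect_rename_bursts(events, window_s=60, threshold=5, min_source_exts=3):
    """Flag (host, new_ext) pairs where at least `threshold` files, drawn from
    at least `min_source_exts` different original extensions, are renamed to
    the same new extension within `window_s` seconds."""
    recent = defaultdict(deque)  # (host, new_ext) -> deque of (ts, old_ext)
    alerts = {}
    for ts, host, old, new in sorted(events):
        old_ext = PurePosixPath(old).suffix.lower()
        new_ext = PurePosixPath(new).suffix.lower()
        if not new_ext or new_ext == old_ext:
            continue  # not an extension change, ignore
        q = recent[(host, new_ext)]
        q.append((ts, old_ext))
        # Drop events that have fallen out of the sliding window.
        while q and ts - q[0][0] > window_s:
            q.popleft()
        source_exts = {ext for _, ext in q}
        if len(q) >= threshold and len(source_exts) >= min_source_exts:
            alert = alerts.setdefault((host, new_ext),
                                      {"first_seen": q[0][0], "count": 0})
            alert["count"] = max(alert["count"], len(q))
    return alerts

if __name__ == "__main__":
    for (host, ext), info in detect_rename_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT host={host} ext={ext} renames={info['count']} "
              f"first_seen={info['first_seen']}")
```

Requiring several different source extensions keeps routine bulk conversions (every .txt becoming .md, say) from tripping the alert, while a burst that converges mixed file types on one extension still does.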

RaaS Colonial Pipeline Case Study – Learning from the Front Lines

Let’s consider the Colonial Pipeline attack, which unfolded in 2021. DarkSide, an organized RaaS group, breached Colonial Pipeline’s network, crippling fuel supply on the U.S. East Coast.

While the company’s swift shutdown of systems and contact with law enforcement limited the overall damage, they ended up paying a ransom of $4.4 million.

This incident demonstrated the power of RaaS groups and the importance of robust cybersecurity measures.


What is ransomware as a service’s deadliest trend in 2023?

Ask anyone who’s tried to achieve a professional result with a DIY off-the-shelf kit, and they’ll appreciate the true value of hiring a skilled person to do a professional job from start to finish.

The same goes for ransomware. Off-the-shelf malicious software is available—but the discerning affiliate opts to buy into the actual human skills of a ransomware operator, or someone on their team.

Ransomware threat intelligence reports warn that ransomware affiliates are increasingly seeing the value in human-operated ransomware. And it’s a very dangerous trend as far as cybersecurity professionals are concerned.

That’s because it lends a ransomware attack more agility by using human intelligence at every step of the kill chain. That means actions carried out pre-ransom can be unique to each incident because they are guided by what the attackers identify as the attack progresses.

This agility gives the intruder a better foothold in the ransomware victim’s environment. They can hole up in an undetected location to test various attack tools. Even if the first few fail, they can reach for a new one. Meanwhile, your antivirus product blocks them, and creates a false sense of security, as well as a bit of a smokescreen. All seems well, until the ransom demand lands.

By the time an active attack is detected, self-respecting ransomware attackers will have used their skill and judgment to delete backups and exfiltrate sensitive data.

Other emerging trends in the RaaS field are also a cause for concern. Double extortion schemes are becoming common, where attackers exfiltrate data before encrypting systems, threatening to leak the stolen data if the ransom isn’t paid. Sectors like healthcare and education, already grappling with the aftermath of the pandemic, are being increasingly targeted due to their critical need for operational continuity.

Looking ahead, it’s fair to expect that the RaaS landscape will evolve with new technologies. The rise of cryptocurrencies has already facilitated anonymous transactions for ransom payments. The proliferation of Internet of Things (IoT) devices could provide more avenues for attacks. On the brighter side, increased focus on cybersecurity and stricter regulatory environments could potentially drive the development of more advanced defense measures.

Of course, that’s not all you need to look out for in 2023. We’ve got a ton more insight to share in our predictions report.


What’s missing from your defenses?

So, how can organizations survive this burgeoning revolution and avoid falling victim to a successful ransomware attack?

Sure, you’ve got your data protection policy, your security software on every device, your ransomware incident response plan, and you know which law enforcement group to report it to. Maybe you’ve even scrolled through some ransomware recovery services and ransomware negotiation services.

Prevention of RaaS attacks goes beyond general ransomware defenses. It involves ensuring robust system security, up-to-date patches, and backups. A multi-layered security approach is essential. Along with that, it’s crucial to have intrusion detection systems in place, which could catch the communication between a RaaS-infected system and its Command and Control server.

Legal and Regulatory Aspects of RaaS – An Uphill Battle

The legal aspect of tackling RaaS is complex. International law enforcement cooperation is necessary due to the global nature of these attacks. Despite this, tracking and prosecuting perpetrators is challenging due to the anonymity of the dark web and cryptocurrencies.

Regulatory measures, like the EU’s GDPR, which mandates strict data protection measures, are an essential part of mitigating the risks associated with RaaS attacks.

But what if you could squash that ransomware infection risk at the very start?

It comes down to people

The thing is, threat actors have amassed a plethora of tools, knowledge, and skills to make the right decisions when it counts the most. And they know about social engineering, and how it works.

To stand a chance, you need to equip your people to do the same. Since RaaS relies heavily on phishing attacks, training employees to recognize and report these attempts is invaluable. Clue: there’s more to it than a bad phishing email.

True, maybe the eradication of all chances of cyber attacks is a way off yet. But you can give people the support, knowledge and tools to respond and make decisions in a way that transforms your ransomware protection levels, and protects their own personal data too.

The key to this is giving human behavior its dues and fostering a human-centric cybersecurity approach alongside. That’s how to prevent ransomware attacks in 2023.

And we would know, because helping security professionals in the art of human risk management is, of course, what makes us happiest.

The ransomware war in 2023 is all about human decision-making, on both sides.

So, are your people ready?

Looking for a little more guidance on preventing ransomware? Look no further than our ransomware report. It’s free. And it’s good.
