
What ransomware as a service (RaaS) means for security teams


16 March 2023

Are your people ready for ransomware’s latest moves?

You know as well as we do that ransomware isn’t anything new. We’ve even accused it of being a bit boring in the past. But the thing is, ransomware is a very real danger to organizations today.

You’d think after 40 years of causing misery it’d have the decency to peter out and sod off. But actually, the opposite seems to be happening. That’s why we’re doing everything to help you prevent it.


We’re living through a ransomware as a service (RaaS) revolution

Ransomware is being industrialized, and it’s happening right now. 

And there’s something about headline-topping ransomware attacks, like the WannaCry NHS attack in the UK and the Colonial Pipeline attack in the US, that reveals the direction of travel.

Naturally, making money is top of nearly every cybercriminal’s list, especially ransomware gangs. And extortion via ransomware is a very effective method.

But it takes, to quote Mr. Neeson, “A very particular set of skills.” Ransomware developers spend a lot of time building sophisticated malware, and then pivoting to a new mode of attack when vulnerabilities are patched.

Not just anybody can make ransomware. Ransomware can make you rich. And when you can make a hard-to-make thing that can make you rich, you can sell that thing to others for a tidy sum.

Enter ransomware as a service (RaaS). It’s a business model used by ransomware groups that allows people to buy into malware or attacks from RaaS operators (i.e., those who created the malware), in exchange for a cut of the ransom payment.

RaaS marks the commodification of ransomware. It’s plain to see in the evolution to a gig economy, even clearer in the fact that RaaS buy-in often comes with customer support.

The RaaS ransomware model lowers the barrier for entry, so it’s expanding the ransomware sector in terms of ransomware actors, ransomware investment, and attack volume. But that’s not the worst of it.


What is Ransomware as a Service (RaaS)?

In short, it’s less complicated than it sounds. It’s essentially a subscription-based model that means you can use existing ransomware tools to execute ransomware attacks. Every successful ransom payment earns each affiliate commission.

Defining RaaS – a deeper dive

When we talk about Ransomware as a Service (RaaS), we are referring to a business model in the underbelly of the internet, where nefarious developers lease their ransomware software to affiliate criminals.

Movies, wine, cheese, underwear—you can get everything on subscription these days. And ransomware is no exception. In essence, the ransomware provider sells cybercriminals a ransomware kit, the cybercriminals use it for their criminal endeavors, and split their profits with the RaaS provider.

What truly separates RaaS from generic ransomware is its franchising capability. It enables even those with minimal technical know-how to launch sophisticated ransomware attacks. And that means organizations face more attacks from more threat actors than ever before.

The evolution of RaaS – a tale as dark as the web itself

It’s tempting to just lump RaaS into the general history of ransomware. But it has its own unique trajectory.

RaaS was born out of the growth of the software as a service (SaaS) model. It emerged as a profitable venture for cybercriminals around 2016, with the launch of the notorious Cerber ransomware.

It presented a new business model in the cybercrime world. Gleefully, tech-savvy developers and less-skilled operators realized that they could symbiotically profit from the misery of ransomware victims.

How the RaaS model works

Another way of putting this is that RaaS uses the SaaS business model, so the hackers no longer have to learn to code. Lucky them.

In fact, RaaS users don’t have to be experienced or skilled at all, so they can be total novices and still rake it in using sophisticated cyberattacks.

Examples of RaaS

Where to start. Famous (or infamous) examples include Locky, Goliath, Shark, Stampado, Encryptor, and Jokeroo. 

Let’s not be ambiguous about this. Each RaaS variant carries its own brand of malicious innovation.

The infamous Locky, for instance, is known for its ability to encrypt a wide array of file types. It renames them with the .locky extension, thereby denying victims access to their files until a ransom is paid.

Goliath, on the other hand, made its mark by catering specifically to amateurs. It offers an easy-to-use interface and a detailed user guide. (We know what you’re thinking: Aww, how thoughtful.)

Shark, albeit less well-known, has the unique feature of offering customization to its clients. Clients can choose their victims by country and even decide on the ransom amount.

But RaaS variants pop up all the time, twenty-four hours a day, every day of the year, in new, better, ingenious forms.

RaaS Colonial Pipeline case study – learning from the front lines

Let’s consider the Colonial Pipeline attack, which unfolded in 2021. DarkSide, an organized RaaS group, breached Colonial Pipeline’s network, crippling fuel supply on the U.S. East Coast.

While the company’s swift shutdown of systems and contact with law enforcement limited the overall damage, they ended up paying a ransom of $4.4 million.

This incident demonstrated the power of RaaS groups and the importance of robust cybersecurity measures.


What is ransomware as a service’s deadliest trend in 2024?

Ask anyone who’s tried to achieve a professional result with a DIY off-the-shelf kit, and they’ll appreciate the true value of hiring a skilled person to do a professional job from start to finish.

The same goes for ransomware. Off-the-shelf malicious software is available—but the discerning affiliate opts to buy into the actual human skills of a ransomware operator, or someone on their team.

Ransomware threat intelligence reports warn that ransomware affiliates are increasingly seeing the value in human-operated ransomware. And it’s a very dangerous trend as far as cybersecurity professionals are concerned.

That’s because it lends a ransomware attack more agility by using human intelligence at every step of the kill chain. That means actions carried out pre-ransom can be unique to each incident because they are guided by what the attackers identify as the attack progresses.

This agility gives the intruder a better foothold in the ransomware victim’s environment. They can hole up in an undetected location to test various attack tools. Even if the first few fail, they can reach for a new one. Meanwhile, your antivirus product blocks them, and creates a false sense of security, as well as a bit of a smokescreen. All seems well, until the ransom demand lands.

By the time an active attack is detected, self-respecting ransomware attackers will have used their skill and judgment to delete backups and exfiltrate sensitive data.

Other emerging trends in the RaaS field are also a cause for concern. Double extortion schemes are becoming common, where attackers exfiltrate data before encrypting systems, threatening to leak the stolen data if the ransom isn’t paid. Sectors like healthcare and education, already grappling with the aftermath of the pandemic, are being increasingly targeted due to their critical need for operational continuity.

Looking ahead, it’s fair to expect that the RaaS landscape will evolve with new technologies. The rise of cryptocurrencies has already facilitated anonymous transactions for ransom payments. The proliferation of Internet of Things (IoT) devices could provide more avenues for attacks. On the brighter side, increased focus on cybersecurity and stricter regulatory environments could potentially drive the development of more advanced defense measures.

Of course, that’s not all you need to look out for in 2023. We’ve got a ton more insight to share in our predictions report.


What’s missing from your defenses?

So, how can organizations survive this burgeoning revolution and avoid falling victim to a successful ransomware attack?

Sure, you’ve got your data protection policy, your security software on every device, your ransomware incident response plan, and you know which law enforcement group to report it to. Maybe you’ve even scrolled through some ransomware recovery services and ransomware negotiation services.

Prevention of RaaS attacks goes beyond general ransomware defenses. It involves ensuring robust system security, up-to-date patches, and backups. A multi-layered security approach is essential. So are intrusion detection systems, which can catch communication between a RaaS-infected system and the command-and-control server.

Legal and regulatory aspects of RaaS – an uphill battle

The legal aspect of tackling RaaS is complex. The global nature of these attacks means it’s vital to have cooperation between law enforcement worldwide. But even then, tracking and prosecuting perpetrators is challenging due to the anonymity of the dark web and cryptocurrencies.

Another key component of mitigating RaaS risks is regulatory measures, for instance the EU’s GDPR. In other words, regulations that enforce strict data protection measures.

But what if you could squash that ransomware infection risk at the very start?

It comes down to people

The thing is, threat actors have amassed a plethora of tools, knowledge, and skills to make the right decisions when it counts the most. And they know about social engineering, and how it works.

To stand a chance, you need to equip your people to do the same. Since RaaS relies heavily on phishing attacks, training people to recognize and report these attempts is invaluable. Clue: there’s more to it than a bad phishing email.

True, maybe the eradication of all chances of cyber attacks is a way off yet. But you can give people the support, knowledge and tools to respond and make decisions in a way that transforms your ransomware protection levels, and protects their own personal data too.

The key to this is giving human behavior its dues and fostering a human-centric cybersecurity approach alongside. That’s how to prevent ransomware attacks in 2024.

And we would know, because helping security professionals in the art of human risk management is, of course, what makes us happiest.

The ransomware war in 2024 is all about human decision-making, on both sides.

So, are your people ready?

Looking for a little more guidance on preventing ransomware? Look no further than our ransomware report. It’s free. And it’s good.

