What is Ransomware-As-A-Service (RaaS)


Today, we’re diving into the world of Ransomware-as-a-Service (RaaS). It’s as ominous as it sounds, a cybercrime model where tech miscreants provide ransomware to their affiliates, enabling even the less skilled to launch devastating cyber-attacks.


Ransomware-As-A-Service (RaaS)

RaaS borrows its model from our legitimate Software-as-a-Service (SaaS) counterparts. However, instead of offering productive software solutions, RaaS peddlers sell ‘do-it-yourself’ ransomware kits on the dark web. It’s a ‘pay-as-you-go’ cybercrime model, a diabolically simple way for even novice hackers to dive headfirst into the world of ransomware.

Affiliates who buy these kits aren’t just purchasing code. They’re buying an entire ransomware business, complete with customer service, tutorials, and dashboards that track the chaos they cause.

Simplified steps in a Ransomware-As-A-Service (RaaS) operation

This simplified diagram represents the following steps in a Ransomware-as-a-Service operation:

  1. Develop ransomware: The service provider develops the ransomware software.
  2. Provide ransomware to affiliates: The service provider then provides the ransomware to affiliates, who are typically other cybercriminals.
  3. Launch attacks: These affiliates launch ransomware attacks on targets.
  4. Collect ransom payments: When victims pay the ransom, the affiliates collect the payments.
  5. Share profits with the service provider: The affiliates share a portion of the profits with the service provider.
  6. Keep a portion of profits: The affiliates keep the remaining portion of the profits.

RaaS Operators vs Affiliates

The Puppet Masters: Roles of RaaS Operators

When it comes to Ransomware-as-a-Service (RaaS), the RaaS Operators are the puppet masters. They are the architects behind the scenes, developing and selling the ransomware kits that enable affiliates to conduct their malicious activities.

Creating and selling ransomware kits isn’t a simple task. It involves intricate knowledge of programming and an understanding of security systems to develop ransomware capable of bypassing detection and encrypting data. These kits are designed to be user-friendly, enabling even those with little to no hacking skills to deploy ransomware attacks.

Beyond the creation and sale of kits, RaaS Operators take on the heavy-duty aspects of ransomware deployment, such as managing victim payment portals. This involves setting up and securing a platform where victims can pay their ransoms, usually in Bitcoin or another cryptocurrency. The anonymity of such payments is critical to keeping the operators out of law enforcement’s reach.

RaaS Operators manage decryption keys. When a victim pays a ransom, they’re provided a decryption key to unlock their encrypted data. These keys are unique and must be securely managed to ensure that they work correctly when delivered to a victim.


Puppets on a String: Roles of RaaS Affiliates

Roles of RaaS Affiliates

On the other side of the coin are the RaaS Affiliates, the foot soldiers who put the ransomware into action. They purchase the ransomware kits from the operators and initiate the attacks.

To start, affiliates target victims, usually selecting businesses or individuals they believe will pay large sums to retrieve their encrypted data. They then deploy the ransomware, often through phishing emails or exploiting security vulnerabilities.

Once inside a system, the affiliates’ work isn’t done. They need to compromise the assets, spreading the ransomware throughout the network to maximize damage and potential payout.

This means bypassing security measures and moving laterally through the network to infect as many systems as possible.

When the ransomware has done its job encrypting the victim’s files, the affiliates then execute the ransom note.

This is typically a message on the victim’s computer screen, informing them of the encryption and instructing them on how to pay the ransom to retrieve their files.

The affiliates negotiate with the victims. Negotiation can be a delicate process. Price it too high, and the victim may opt not to pay. Price it too low, and the affiliates miss out on potential profits.

The negotiation process also includes managing the communication channels to ensure they remain anonymous and untraceable by law enforcement.

Lockbit Ransomware

The Different Flavors of RaaS: An Exploration of Business Models

In the shadowy world of Ransomware-as-a-Service (RaaS), variety isn’t just the spice of life – it’s a strategic choice. Different RaaS business models cater to different needs and risk profiles, expanding the reach of these malicious services and facilitating their proliferation.

RaaS Business Models overview

| RaaS Business Model | Description |
| --- | --- |
| Monthly Subscription: Ransomware on Retainer | Affiliates pay a flat monthly fee to use a specific ransomware kit, similar to a subscription for a streaming service. This model is straightforward and predictable, but the affiliate bears all the risk if their ransomware campaign is unsuccessful. |
| Affiliate Programs: A Profitable Partnership | The operator takes a percentage (usually 20-30%) of the affiliate’s earnings. This model introduces a shared risk and reward scenario, fostering a partnership between the operator and the affiliate, with the operator often providing more support and resources for successful ransomware campaigns. |
| One-Time License Fee: The Upfront Approach | Affiliates pay a one-time license fee to use the ransomware kit indefinitely. There’s no profit sharing in this model – all gains go to the affiliate. This approach minimizes ongoing costs but the upfront costs are usually higher, making it risky for less experienced affiliates. |
| Pure Profit Sharing: The Equitable Approach | The operator takes a percentage of all profits the affiliate earns, ranging from 20% to 80%. This model aligns the interests of both parties, sharing both the rewards of success and the risks of failure. It encourages long-term relationships, with consistent profits benefiting both parties. |

1. Monthly Subscription: Ransomware on Retainer

In the monthly subscription model, affiliates pay a flat fee each month to access and use a specific ransomware kit. This model is akin to the way one might subscribe to a music or video streaming service. The crucial difference is that, instead of accessing a library of songs or movies, the affiliates gain access to the tools necessary for cybercrime.

This model is appealing for its simplicity and predictability. Affiliates know precisely how much they’re spending each month, and there are no surprise costs. However, it also means they bear all the risk. If their ransomware campaigns are unsuccessful, they could end up losing money.

2. Affiliate Programs: A Profitable Partnership

The affiliate model introduces a shared risk and reward dynamic. Here, the RaaS operator takes a cut from the affiliates’ earnings, typically 20-30%. This means that if an affiliate’s ransomware campaign is successful, the operator gets a share of the spoils. Conversely, if the affiliate doesn’t earn anything, the operator doesn’t either.

This shared risk and reward scenario creates a partnership between the operator and the affiliate. The operator has a vested interest in the affiliate’s success and is often more willing to provide support and resources to ensure a successful ransomware campaign.


Earnings Distribution in RaaS affiliate models

3. One-Time License Fee: The Upfront Approach

A simpler and less common model is the one-time license fee. Here, affiliates pay a flat fee to use the ransomware kit indefinitely. There’s no profit sharing involved – all the gains from the ransomware campaign go straight into the affiliate’s pocket.

This model is appealing because it minimizes ongoing costs. However, the upfront costs are often higher, and there’s no guarantee of success. This makes it a risky choice, particularly for less experienced affiliates.

4. Pure Profit Sharing: The Equitable Approach

The pure profit-sharing model is arguably the most equitable. Rather than charging a flat fee, the operator takes a percentage of all profits the affiliate earns. This could range anywhere from 20% to 80%, depending on the specifics of the agreement.

This model aligns the interests of the operator and the affiliate. Both parties benefit directly from successful ransomware campaigns, and both share the risks of failure. It also encourages long-term relationships, as consistent profits will benefit both parties.


Well-Known RaaS Kits

Among the plethora of RaaS kits, several have gained notoriety for their widespread use, innovative tactics, or the severity of their attacks. Here’s an exploration of some well-known RaaS kits:

1. Hive: The Widespread Aggressor

Active since April 2022, Hive has made its mark in the RaaS landscape by targeting a broad spectrum of organizations. From financial firms to non-profits and healthcare organizations, no industry seems safe from Hive’s expansive reach.

Their usage of advanced techniques, such as pass-the-hash, has helped them infiltrate robust defenses and left over 1,500 victims worldwide in their wake. In a significant blow to their operations, the U.S. Department of Justice managed to seize two of Hive’s backend servers in Los Angeles, CA, in January 2023.

2. DarkSide: The eCrime Enthusiast

DarkSide, an operation associated with the eCrime group known as CARBON SPIDER, is another notorious player in the RaaS landscape. Initially focusing on Windows machines, DarkSide has recently expanded its repertoire to target enterprise environments running unpatched VMware ESXi hypervisors or possessing stolen vCenter credentials.

Its most infamous operation involved the Colonial Pipeline incident, leading to the theft of approximately 100GB of data and an alleged ransom payment of almost $5 million USD.

3. REvil/Sodinokibi: The High Roller

Sold by the criminal group PINCHY SPIDER, REvil, also known as Sodinokibi, is infamous for demanding one of the highest ransom amounts on record: a staggering $10 million. Operating under the affiliate model, REvil is not only a tool but a whole business strategy, with the operators taking 40% of the affiliates’ profits.

Its notable feature is the detailed countdown timer provided to victims, escalating the psychological pressure to pay the ransom.

4. Dharma: The Remote Specialist

Run by a financially motivated Iranian threat group, Dharma has been a persistent player in the RaaS ecosystem since 2016. Its primary modus operandi involves remote desktop protocol (RDP) attacks, and it has targeted a wide range of industries.

Not centrally controlled like REvil, Dharma’s variants stem from multiple sources, making attribution and mitigation more challenging.

RaaS portals

A particularly innovative approach adopted by Ransomware-as-a-Service (RaaS) operators is the creation of dedicated RaaS portals.

RaaS portals are sophisticated platforms that offer affiliates a comprehensive suite of tools and information to manage their ransomware campaigns effectively.

They offer real-time data about the status of infections, total payments received, the number of files encrypted, and other pertinent information.

This data helps affiliates monitor their operations, evaluate their success, and strategize their next moves.


Preventing RaaS Attacks: Building a Culture of Security

Prevention is undoubtedly better than cure, especially when dealing with ransomware. Recovering from a ransomware attack can be a difficult and costly endeavor.

Ransomware-as-a-Service (RaaS) attacks, in particular, pose a significant threat due to their accessibility to ill-intended individuals regardless of their technical prowess. But how do you guard against these RaaS attacks? Here are some key measures you can take:


1. Modernize and Enhance Endpoint Protection

With the ever-evolving threat landscape, it’s vital to implement modern endpoint protection. Such protection systems should leverage advanced algorithms and work automatically around the clock, identifying and nullifying threats before they can cause damage.

2. Regular and Frequent Backups

Data backups are a vital line of defense against ransomware. Regular and frequent backups minimize the potential loss of data during an attack. But remember, if backups are only performed every weekend, a ransomware attack on a Friday could cost an entire week’s work product.

3. Diversify Backup Storage

Don’t just make one backup – make multiple. And importantly, store them on separate devices in different locations. This diversity protects your data from being completely lost due to a localized incident or synchronized attack.

4. Test Your Backups

Having backups is good; knowing they work is better. Regular testing of backups ensures that data can be retrieved when needed.
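Measures 2 to 4 can be checked together. The script below is an added example, not part of the original article: it audits a set of backup copies for age, storage diversity, and whether a test restore matches the hashes recorded at backup time. The copy descriptors, the location name `nas-01` and the 24-hour limit are constructed assumptions.

```python
import hashlib
import tempfile
import time
from pathlib import Path

def manifest(root: Path) -> dict:
    """Map each file's relative path to its SHA-256 digest."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_restore(expected: dict, restored_root: Path) -> dict:
    """Compare a test restore against the manifest recorded at backup time."""
    actual = manifest(restored_root)
    return {"missing": sorted(set(expected) - set(actual)),
            "altered": sorted(f for f in expected if f in actual and actual[f] != expected[f])}

def audit(expected: dict, copies: list, max_age_hours: float, now: float) -> list:
    """Return findings on backup age, storage diversity and restorability."""
    findings = []
    age = (now - max(c["taken_at"] for c in copies)) / 3600
    if age > max_age_hours:  # work done since the newest copy would be lost
        findings.append(f"newest backup is {age:.0f}h old (limit {max_age_hours:.0f}h)")
    if len({c["location"] for c in copies}) < 2:
        findings.append("all copies share one storage location")
    for c in copies:
        result = verify_restore(expected, c["restored_to"])
        if result["missing"] or result["altered"]:
            findings.append(f"{c['name']}: restore test failed {result}")
    return findings

def demo() -> list:
    """Constructed scenario: weekly backups on one device, one copy damaged."""
    with tempfile.TemporaryDirectory() as tmp:
        src, good, bad = (Path(tmp) / n for n in ("source", "copy_a", "copy_b"))
        for d in (src, good, bad):
            d.mkdir()
            (d / "ledger.csv").write_text("id,amount\n1,100\n")
            (d / "notes.txt").write_text("quarterly report draft\n")
        (bad / "ledger.csv").write_bytes(b"\x00" * 16)  # content no longer matches
        (bad / "notes.txt").unlink()                     # file absent from the copy
        now = time.time()
        copies = [  # hypothetical copy descriptors; "nas-01" is a made-up location
            {"name": "copy_a", "location": "nas-01", "taken_at": now - 6 * 86400, "restored_to": good},
            {"name": "copy_b", "location": "nas-01", "taken_at": now - 13 * 86400, "restored_to": bad},
        ]
        return audit(manifest(src), copies, max_age_hours=24, now=now)

if __name__ == "__main__":
    print("\n".join(demo()))
```

In practice the manifest would be written at backup time and stored separately from the copies, so a damaged copy cannot also rewrite the hashes it is checked against.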

5. Maintain Rigorous Patch Management

Keeping your software and systems updated is crucial in the fight against ransomware. Regular patching can protect your environment from known and unknown vulnerabilities that ransomware may exploit.

6. Network Segmentation

Segmenting your network can limit the damage from a ransomware attack. By isolating systems and data, you hinder the proliferation of ransomware across the entire environment.

7. Advanced Anti-Phishing Protection

Phishing is a common tactic used to distribute ransomware. Implementing advanced anti-phishing protection can shield your organization from deceptive emails that harbor hidden threats.

8. Invest in User Training

Ultimately, the human element is often the weakest link in cybersecurity. Invest in user training and foster a culture of security in your organization. By teaching employees to identify and avoid potential threats, you greatly reduce the likelihood of a successful attack.


Reza Rafati https://cyberwarzone.com

Reza Rafati, based in the Netherlands, is the founder of Cyberwarzone.com. An industry professional providing insightful commentary on infosec, cybercrime, cyberwar, and threat intelligence, Reza dedicates his work to bolster digital defenses and promote cyber awareness.
