Ransomware as a Service (RaaS)

According to the Federal Bureau of Investigation’s (FBI) 2023 Internet Crime Complaint Center (IC3) report, the federal agency received 2,385 complaints identified as ransomware with adjusted losses of more than $34.3 million in 2022. Of those complaints, 870 belonged to an organization falling into an industry classified as a critical infrastructure sector.

Subscription-based applications have changed the software market, including the illicit software market. Similar to how legitimate companies can leverage SaaS applications to streamline business operations, threat actors now offer subscription-based ransomware models that enable criminals to deploy attacks easily. Ransomware as a Service, or RaaS, means that threat actors don’t have to code their own ransomware; they can simply buy it from another cybercriminal. This means that any threat actor who wants to can launch a ransomware attack, no matter their technological skills.

In addition, modern ransomware attacks no longer simply encrypt data. Over the past few years, attackers have been focusing on double and triple extortion attacks that also include stealing data, holding it hostage until the victim pays the requested ransom. 

The evolving Ransomware-as-a-Service (RaaS) business model has democratized these attacks, enabling sophisticated actors to deploy them.

How Does Flare Address Ransomware Readiness? 

RaaS gangs gain access to your environments by taking advantage of data leaks, looking through sensitive information in stealer logs sold on Genesis Market, Russian Market, and both public and private Telegram groups. 

Flare provides continuous monitoring of any stolen information with automated monitoring across the clear & dark web, prioritized alerts, and autonomous remediation. This includes monitoring for stealer logs, especially those that contain access to RDP, VPN, and SSO credentials that could lead to a compromise of your data.

What are the key benefits of ransomware monitoring and readiness with Flare?

  • Flare automatically monitors for external threat exposures, allowing for significantly reduced time in remediating any risks.
  • Flare is able to quickly contextualize and summarize threat actor activity so that your security team can act as soon as possible.
  • Flare notifies you about any risks that need to be mitigated, allowing your security team to spend their time and resources on more complex tasks. 

Ransomware as a Service: An Overview

What is Ransomware as a Service? 

RaaS is a cybercrime business model in which threat actors who develop ransomware sell their malware to other threat actors who then distribute it. RaaS lowers the criminal barrier to entry since sophisticated threat groups offer pre-developed ransomware tools and infrastructure, including ransomware variants and campaign management technologies. 

It’s a variation of the broader Malware as a Service (MaaS) market. In fact, it’s a sizable chunk of that market; ransomware made up 58% of the MaaS sold between 2015 and 2022.

How does the RaaS business model work? 

There is a range of RaaS revenue models:

  • Affiliate programs: Users pay a monthly flat fee for access to the ransomware. The RaaS takes a cut of every successful ransom.
  • Profit-sharing: The user purchases a license and the proceeds are split between all users and operators. 
  • One-time license: Users make one payment for access to the RaaS. They do not have to share profits. 
  • Percentage split: Rather than paying for a license, the user splits the profits with the RaaS operators after an attack.

Typically, RaaS operates on an affiliate model in which the ransomware developers/operators and the affiliates share the ransom payment revenue:

  • Operators: develop and manage the ransomware platform, and provide the affiliates resources such as encryption keys and customer support
  • Affiliates: execute the ransomware attacks taking advantage of the resources and tools purchased from operators

Threat actors sell RaaS models on dark web forums, marketplaces, and Telegram channels in an effort to stay anonymous and avoid law enforcement.

What are the types of RaaS business models?

A few general business models exist:

  • Monthly Subscriptions: Affiliates pay a recurring monthly fee to access the platform and use its resources, keeping the entirety of the ransom paid.
  • License fees: Affiliates pay a one-time licensing fee to access the ransomware tools, keeping the entirety of the ransom paid.
  • Affiliate program: Affiliates receive a percentage of the ransoms that the victims pay.

In return for payment, the affiliates receive:

  • Technologies necessary to deploy attacks
  • Customer support services
  • Online communities for sharing knowledge and experiences
  • Access to documentation and tutorials for how to deploy the ransomware
  • Feature updates

What is the history of the RaaS model? 

RaaS isn’t new. The first recorded instance of Ransomware as a Service is from 2012, when Reveton, also called the FBI virus, locked victims out of their computers with a message claiming to be from the FBI or local law enforcement and demanding a fine. Reveton was the first to offer its ransomware as a product, and it operated as a business, offering updates and options for customization. Since then, RaaS gangs have exploded, as has the number of ransomware attacks. Ransomware continues to evolve as threat actors innovate on the model.

Why is it Important to Understand Ransomware as a Service Right Now? 

How prevalent is ransomware?

The RaaS model might not be new, but the growth of the RaaS industry has certainly contributed to the dramatic rise in ransomware attacks. According to Verizon’s 2023 Data Breach Investigation Report (DBIR), ransomware is now the second most used attack vector and is present in a quarter of all data breaches. In 2023, ransomware was the second-most prevalent attack method in data compromises as well. With sophisticated ransomware at the fingertips of almost anyone who wants it, increasing numbers of organizations will find themselves the target of ransomware attacks.

How is ransomware delivered? 

Most ransomware is delivered as part of a phishing attack; a bad actor uses a fake message to trick an insider into clicking a suspicious link or downloading the ransomware in an innocent-seeming file. However, ransomware can be inserted into a network by a threat actor who has hacked into a system. 

What is the impact of RaaS? 

Because RaaS makes ransomware available to a larger group of criminals, it enlarges your attack surface. Businesses are then exposed to several risks, financial and reputational. Some of the financial costs may include the following: 

  • Disruption of operations
  • Regulatory fines
  • Litigation costs
  • Expenses associated with remediation efforts
  • The ransom fee, or fees, if the organization chooses to pay

How can you protect yourself from RaaS gangs? 

To counter RaaS gangs and ransomware in general, it’s important that organizations adopt a proactive cybersecurity stance. This means using a multifaceted strategy that includes technology, threat intelligence, education, and good cyber hygiene practices.

RaaS Readiness and Flare

Flare provides the leading Threat Exposure Management (TEM) solution for organizations. Our technology constantly scans the online world, including the clear & dark web, to discover unknown events, automatically prioritize risks, and deliver actionable intelligence you can use instantly to improve security. Ransomware as a Service (RaaS) puts ransomware, one of the most disruptive types of malware, into the hands of anyone willing to pay for it. 

With Flare Supply Chain Ransomware Exposure Monitoring, gain unique visibility and proactive security across your extended supply chain to efficiently mitigate threat exposures that exist within ransomware data leaks. Learn more by signing up for our free trial.
