Ransomware attacks are nothing new, and they continue to be a growing threat for organizations globally. Ransomware is a type of malicious software (malware) that locks and encrypts the victim’s data and system, thereby blocking access. The attacker then demands a ransom in return for decrypting the data and restoring access. In addition to blocking access to data, some ransomware attackers also threaten to publish the compromised data on the dark web. This makes it a double-extortion ransomware attack.

Similar to Software as a Service (SaaS), Ransomware as a Service (RaaS) is a subscription-based business model. In this model, ransomware developers sell or lease their software to customers, also known as affiliates. These affiliates, typically cybercriminals, can now use this pre-developed ransomware malcode to launch their attacks. What’s even more dangerous about RaaS is that small-time hackers, even those without much technical expertise, can execute highly sophisticated cyberattacks. This is a win-win situation for both RaaS developers and affiliates alike.

RaaS decreases the risk factor for the developers, as they don’t have to carry out the attacks themselves, and it reduces the cost factor for the affiliates, as they don’t have to invest heavily in building their own ransomware. RaaS models are profitable to both parties, developers and affiliates, as they each get a share of the paid ransoms. The share of the ransoms each party gets mostly depends on the subscription model the affiliates choose.

Key differences between regular ransomware attacks and RaaS

  • Ransomware is the actual payload or malware that is used to encrypt the victim’s data, while RaaS is the model wherein the ransomware is provided as a service for attackers.
  • In the case of ransomware attacks, adversaries need to have the technical expertise to develop the malcode and execute the attack themselves. RaaS, on the other hand, eliminates the need for having such technical expertise, because cybercriminals can now simply use the pre-developed ransomware to carry out the attacks with very little or no technical know-how required.

Revenue models for RaaS

Similar to any SaaS applications, RaaS uses different revenue models, the most common ones being:

  • Monthly subscription model: Users pay the service providers on a monthly basis, and the providers get a percentage of each successful ransom.
  • One-time payment model: Users make a one-time payment to the service providers.
  • Affiliate model: The RaaS operator or developer takes a predetermined percentage of the payout received from each attack.

How RaaS works

It starts off with skillful developers who write the malicious software. Well-coded ransomware offers high chances of penetration success along with low chances of discovery. The ransomware is then modified to enable a multi-end-user infrastructure so that it can be licensed or sold to multiple affiliates. These developers then look for affiliates who will sign up for the service. Typically, the developers post on different forums on the dark web looking to recruit affiliates. The recruited affiliates, once subscribed to their choice of RaaS model, can then launch

Covid-themed Netwalker phishing email

Egregor ransom note

Phishing is one of the most common ways of launching a ransomware attack. Typically, a seemingly harmless email including a link is sent to the victims, and once they click on that link, it launches a cyberattack, often without the user knowing. The attacker can then escalate privileges, move laterally, and finally gain access to the victim’s data before holding it hostage. The attackers then send a ransom note demanding payment in exchange for a decryption key that enables the victims to access their data again. The ransom payments are usually made with cryptocurrency and sometimes through dark web browsers, making them difficult to trace.

Here are some of the most notorious RaaS providers

  • DarkSide – This group was responsible for the Colonial Pipeline attack in May 2021.
  • REvil – This group was responsible for the Kaseya attack in July 2021 and the attack on insurance carrier CNA Financial in March 2021. It was also in the news for an alleged attack on the world’s biggest meat producer, JBS USA, in June 2021, in which the victim had to pay an $11 million ransom.

Preventing RaaS attacks

You can take these precautionary measures to combat RaaS attacks:

  • Regularly back up data.
  • Patch software with the latest updates.
  • Implement multi-factor authentication for critical logins.
  • Protect against phishing and keep employees aware of the latest phishing tactics.
  • Monitor user activities across the network.
  • Get in-depth visibility into processes running in your network, and get notified about unusual or malicious processes or services.



© 2021 Zoho Corporation Pvt. Ltd. All rights reserved.