What is Ransomware as a Service?

??? pgHead ???
 
  • What is Ransomware as a Service?
  • Origin and evolution
  • How RaaS works?
  • RaaS models
  • Notable examples
  • Protecting against RaaS
  • Related solutions
 

Ransomware as a Service (RaaS) is a business model leveraged by cybercriminals to execute ransomware attacks. It operates as a profitable revenue model between RaaS operators, who are skilled developers of sophisticated ransomware, and affiliates, who have the resources to execute attacks. RaaS operators, though proficient with code, may lack the resources to deploy attacks. Similarly, affiliates, while holding the necessary resources to execute attacks, may lack the expertise to develop complex ransomware themselves. As this business model benefits both parties, RaaS has gained popularity among ransomware actors, giving rise to various RaaS operators such as REvil, Dharma, and LockBit.

The origin and evolution of Ransomware as a Service

RaaS was inspired by the SaaS model, which offers subscription-based software services and applications. The first ransomware group alleged to adopt this model was the Reveton group in 2012. It is claimed that the Reveton group formed alliances with illegal websites to propagate malware to the sites' visitors. The group posed as the FBI and threatened victims with a false ransom demand, asking for fines in Bitcoin for allegedly visiting illegal websites.

Cryptocurrency, introduced in 2009, has also aided the evolution of RaaS by helping attackers mask their identities when receiving ransom payments. Since then, RaaS has evolved prolifically, with notable attacks including Tox (2015), REvil (2019), DarkSide (2020), Hive (2021), and Eldorado (2024).

How Ransomware as a Service works

The RaaS model primarily involves two key players: the RaaS operator and the affiliate, as well as the infrastructure needed to execute the attack. This infrastructure includes command and control domains, phishing emails, botnets, malware scripts, encryption and decryption tools. A typical RaaS kit, as referred to by the operators, also includes features such as a 24/7 support desk, user forums, review panels, and other offerings based on the type of subscription. Here is an outline of how conventional RaaS operates.

  1. The RaaS operator recruits affiliates via the dark web or illegal forums after thorough background checks.
  2. Once both parties reach an agreement on the subscription type and profit-sharing percentage, the affiliate is onboarded.
  3. The affiliate is then given access to the RaaS kit and is set up with the command and control dashboard.
  4. After setup is complete, the affiliate can launch an attack on the target organization.
  5. The RaaS operator supports the affiliate in ransom negotiations and establishes a victim payment portal to receive the ransom.
  6. Given that RaaS attacks often involve double extortion, the operator also maintains a dedicated leak site where the affiliate can sell the stolen data.

Modern RaaS operators are equipped with advanced technological capabilities, allowing them to host their own RaaS portals. Affiliates can easily create an account on these portals, select the required malware and other components, choose the subscription, and complete payment using cryptocurrency.

Moreover, with the rise of new operators and advanced malware, competition in the RaaS market is intensifying. To attract more affiliates, operators conduct marketing campaigns and promotions featuring exclusive deals and offers. They also engage in forming profitable partnerships, scale operations, and undertake rebranding and renovation efforts, much like traditional businesses, to maintain their foothold in the RaaS industry. As a result, RaaS, which was once a niche business model, has evolved into one of the most profitable businesses among cybercriminals.

Ransomware as a Service models

Today's RaaS operations predominantly use one of the following four revenue models:

1. Affiliate program

This is a traditional RaaS model where an affiliate pays a monthly subscription fee to an operator and also shares a set percentage of the profit from each successful ransom extortion.

2. Profit sharing program

In this RaaS model, an operator provides a RaaS kit to an affiliate without any upfront charges. Instead, the affiliate agrees to share a portion of the profits from each attack. The operator typically receives around 30–40% of the profit, which is significantly higher than in the affiliate program, but this revenue is only realized from successful attacks.

3. One-time payment

Here, an affiliate pays a one-time fee to a RaaS operator to either acquire unlimited access to a RaaS kit or to purchase the ransomware source code outright. Unlike the affiliate and profit-sharing programs, there is no profit sharing with the RaaS operator in this RaaS model.

4. Subscription-based

In this RaaS model, an affiliate pays a monthly subscription fee the an operator to access a RaaS kit. While similar to the affiliate program, there is no profit sharing with the operator under this model.

RaaS models

Figure 1: RaaS Models

Ransomware as a Service examples

Here are some notable examples of RaaS operators:

  • Dharma

    Dharma, first spotted in 2016, was alleged to be operated by an Iranian RaaS group. It used the one-time payment RaaS model and was among the most profitable RaaS operators. Its affiliates continuously modified Dharma's source code to launch various attacks that followed different techniques. Its activity continued until 2020, after which its frequency gradually declined.

  • REvil

    Ransomware Evil (REvil), also known as Sodinokibi, was created in 2019 by a Russian-speaking RaaS group. It is well known for its large extortions and devastating damages. The group is alleged to have received around 40% of the profits from affiliates under its affiliate program. REvil targeted JBS USA and Kaseya Limited in 2021 before being shut down by the Russian Federal Security Service in 2022.

  • DarkSide

    DarkSide, which originated in 2020, was claimed to be operated by a Russian group. It became infamous for its massive ransomware attack on the Colonial Pipeline in 2021, after which it was completely shut down. Some reports claim that the DarkSide operators released BlackMatter as its successor.

  • BlackCat

    Founded in 2020, BlackCat was operated by ALPHV, a Russian-speaking group of cybercriminals. It is well-known among affiliates for its profit-sharing program, which allows them to retain 80–90% of the profits. Additionally, it was the first RaaS operator to launch a data leak site on the public internet. Some researchers suggest that BlackCat is the rebranded version of DarkSide.

  • LockBit

    LockBit was launched in September 2019 by a Russian-based APT group. It is known for continuously upgrading its ransomware strains and exists in multiple variants, including LockBit Red, LockBit Black, and LockBit Green. It remains active even today, with the FBI reporting approximately 1,700 LockBit attacks in the United States since 2020.

  • Hive

    Hive was first observed in 2021 and was believed to be operated by a Russian group. The group adopted an affiliate program and maintained a dedicated leak site to expose stolen data on the dark web. It rose to prominence in 2022 after its attack on Microsoft Exchange servers and was eventually shut down by the FBI.

Protecting against Ransomware as a Service

  • Raise awareness among users and stakeholders about the various signs of RaaS attacks.
  • Stay vigilant against phishing emails by using email filtering and spam blocking tools.
  • Continuously audit endpoints and network devices for vulnerabilities, and perform regular patch updates.
  • Use network monitoring solutions to analyze incoming and outgoing traffic to block suspicious data packets.
  • Back up files with sensitive data and ensure the safety of the original files and their backups.
  • Scan and test third-party software and tools in a controlled environment before deploying them to your network.
  • Implement MFA for all user accounts, and enforce strong password policies.
  • Integrate all security solutions and centralize network monitoring on a single console. This can be done by employing a SIEM tool that provides complete visibility across the network.

To find out more about protecting your business from ransomware attacks, check out this page.

Related solutions

ManageEngine Log360, a comprehensive SIEM solution with advanced DLP and UEBA capabilities, helps you proactively protect your network against RaaS attacks. Log360's predefined correlation rules, alert profiles, and audit reports on ransomware activities assist in identifying potential signs of ransomware. With prebuilt incident response workflows, Log360 not only detects ransomware but also aids in responding to the attack and mitigating its consequences. To explore more, sign up for a personalized demo of Log360. Or, you can discover on your own with a fully functional, 30-day, free trial software download.

Related pages

What is ransomware detection? What is ransomware incident response? Ransomware in healthcare: The cyberattack targeting hospitals
Download ManageEngine Log360, a unified SIEM solution  

Detect, investigate, and respond to threats, while meeting compliance requirements.

Download Live demo

Awards & recognition

ManageEngine named in 2022 Gartner MQ for SIEM Gartner Peer Insights Customers' choice for SIEM

  Editor's choice  
  7th time in the MQ in 2024  
  Major player in 2024  
  Integrated cloud security Innovator  
  Technical excellence in SIEM  
  Market leader most innovative  

Features

Support

Secure your IT infrastructure with a cloud SIEM solution

Solutions by industry

Related solutions

One-stop solution to all Log Management and Active Directory Auditing

Free Trial Get Quote
Email Download Link