What is ransomware-as-a-service (RaaS)?

Ransomware-as-a-service (RaaS) allows both skilled and unskilled attackers to rent ransomware tools and carry out attacks.

Learning Objectives

After reading this article you will be able to:

  • Define ransomware-as-a-service (RaaS)
  • Understand the RaaS business model
  • Learn how to defend against RaaS attacks

Related Content

Want to keep learning?

Subscribe to theNET, Cloudflare's monthly recap of the Internet's most popular insights!

Refer to Cloudflare's Privacy Policy to learn how we collect and process your personal data.

Copy article link

What is ransomware-as-a-service (RaaS)?

Ransomware-as-a-service (RaaS) is a business model for criminal enterprises that allows anyone to sign up and use tools for conducting ransomware attacks. Like other as-a-service models such as software-as-a-service (SaaS) or platform-as-a-service (PaaS), RaaS customers rent ransomware services, rather than owning them as in a traditional software distribution model.

Ransomware is malware that locks up a victim's system or files, usually via encryption. The victim is only able to regain access to their data once they pay a ransom to the parties behind the ransomware attack. Ransomware has become a major industry in the criminal underworld, worth billions of dollars a year.

While many imagine that the people behind cyber attacks like ransomware are highly skilled programmers, many attackers do not write their own code and may not even know how to do so. Cyber criminals with coding skills often sell or rent out the exploits they develop instead of using them themselves.

Ransomware is just one area of the cyber crime industry with an "as-a-service" model. Attackers can also rent DDoS tools, subscribe to lists of stolen credentials, hire botnets, or rent banking trojans, among other services.

How does ransomware-as-a-service work?

RaaS services use a number of different revenue models. Providers may charge a flat-rate monthly subscription, take a percentage of their customers' profits, use a hybrid of these two models, or charge a one-time licensing fee. Once a RaaS customer creates an account and makes their first payment (usually in Bitcoin), they can select the type of malware they would like to use.

After payment has been completed, attackers begin their campaign of distributing the malware and infecting victims. Most often, ransomware attackers use phishing or social engineering campaigns to try to trick users into executing the malware. (These methods are fairly cheap compared to purchasing a zero-day exploit or access to a backdoor.) Once the malware executes, the victim's computer becomes encrypted and unusable, and the attacker displays a message with instructions on where to send the ransom.

RaaS providers often offer 24/7 customer support for attackers who get stuck or cannot get their malware to work properly. Most providers have community forums where customers can ask questions and exchange ideas. Many also offer step-by-step guides for how to execute a ransomware attack with their tools.

Who uses RaaS?

Some RaaS providers are fairly picky about to whom they sell their software. They may want highly skilled customers who will go after large targets, which is good advertising for their service. They may have other requirements, like speaking a certain language or the ability to start using the service and generating ransomware revenue right away.

Others will sell their services to pretty much anyone, as long as the customer is able to provide payment or produce revenue in the form of ransoms. This presents a slight risk for RaaS providers, as inevitably, some customers may be fairly unsophisticated and get caught.

In recent years, many RaaS providers have gotten more careful about which industries they allow their customers to target. For example, they may forbid attacks on critical infrastructure or medical facilities, as such attacks can negatively impact someone's health or even cause their death. These extreme occurrences draw undue attention to the RaaS market, and RaaS providers may have moral objections to impacting someone's physical health as well (as opposed to their bank account).

What are some examples of ransomware-as-a-service attacks?

Attacks that use RaaS have become common in recent years. A few examples:

  • DarkSide is a ransomware group that sells RaaS. The 2021 Colonial Pipeline attack was attributed to DarkSide.
  • REvil is sold as RaaS. The 2021 ransomware attack on IT provider Kaseya used REvil ransomware.
  • Dharma ransomware is sold as a service and has been used in dozens, if not hundreds, of attacks since 2016.

RaaS vastly lowers the barrier for entry for this profitable form of cyber crime — anyone with a computer and an Internet connection can carry out a ransomware attack. For this reason, RaaS attacks will likely continue to proliferate in the coming years.

Where do criminals buy ransomware-as-a-service?

Like any cloud service, RaaS services are purchased and accessed on the Internet. RaaS is usually distributed via malware forums on the dark web. (The "dark web" is a part of the Internet that can only be accessed using a Tor browser, which conceals a user's location and IP address.)

How do ransomware-as-a-service providers market their services?

RaaS is just as competitive as any other industry, and many providers aggressively market their services. RaaS providers have Twitter accounts, websites, video content, and other marketing assets. They often run marketing campaigns to drive up business. Most RaaS tools have user reviews and community forums as well.

How to defend against ransomware-as-a-service attacks

A number of security measures can help organizations defend themselves against both ransomware-as-a-service attacks and malware attacks in general:

  • User security training: Training employees, contractors, and other users to recognize phishing attacks and social engineering attacks lessens the likelihood of a successful RaaS attack.
  • Email security: Many ransomware attacks start with an infected email attachment. Scanning emails for malware and blocking email attachments from untrusted sources can help eliminate this attack vector.
  • Frequent data backups: Ransomware makes organizations unable to access or use their data. But in many cases, an organization can restore their data from a backup instead of paying the ransom to decrypt it or rebuilding all of their IT infrastructure from scratch.

To learn more about defense from RaaS attacks, see How to prevent ransomware.