Ransomware-as-a-service (RaaS) allows both skilled and unskilled attackers to rent ransomware tools and carry out attacks.
After reading this article you will be able to:
Copy article link
Ransomware-as-a-service (RaaS) is a business model for criminal enterprises that allows anyone to sign up and use tools for conducting ransomware attacks. Like other as-a-service models such as software-as-a-service (SaaS) or platform-as-a-service (PaaS), RaaS customers rent ransomware services, rather than owning them as in a traditional software distribution model.
Ransomware is malware that locks up a victim's system or files, usually via encryption. The victim is only able to regain access to their data once they pay a ransom to the parties behind the ransomware attack. Ransomware has become a major industry in the criminal underworld, worth billions of dollars a year.
While many imagine that the people behind cyber attacks like ransomware are highly skilled programmers, many attackers do not write their own code and may not even know how to do so. Cyber criminals with coding skills often sell or rent out the exploits they develop instead of using them themselves.
Ransomware is just one area of the cyber crime industry with an "as-a-service" model. Attackers can also rent DDoS tools, subscribe to lists of stolen credentials, hire botnets, or rent banking trojans, among other services.
RaaS services use a number of different revenue models. Providers may charge a flat-rate monthly subscription, take a percentage of their customers' profits, use a hybrid of these two models, or charge a one-time licensing fee. Once a RaaS customer creates an account and makes their first payment (usually in Bitcoin), they can select the type of malware they would like to use.
After payment has been completed, attackers begin their campaign of distributing the malware and infecting victims. Most often, ransomware attackers use phishing or social engineering campaigns to try to trick users into executing the malware. (These methods are fairly cheap compared to purchasing a zero-day exploit or access to a backdoor.) Once the malware executes, the victim's computer becomes encrypted and unusable, and the attacker displays a message with instructions on where to send the ransom.
RaaS providers often offer 24/7 customer support for attackers who get stuck or cannot get their malware to work properly. Most providers have community forums where customers can ask questions and exchange ideas. Many also offer step-by-step guides for how to execute a ransomware attack with their tools.
Some RaaS providers are fairly picky about to whom they sell their software. They may want highly skilled customers who will go after large targets, which is good advertising for their service. They may have other requirements, like speaking a certain language or the ability to start using the service and generating ransomware revenue right away.
Others will sell their services to pretty much anyone, as long as the customer is able to provide payment or produce revenue in the form of ransoms. This presents a slight risk for RaaS providers, as inevitably, some customers may be fairly unsophisticated and get caught.
In recent years, many RaaS providers have gotten more careful about which industries they allow their customers to target. For example, they may forbid attacks on critical infrastructure or medical facilities, as such attacks can negatively impact someone's health or even cause their death. These extreme occurrences draw undue attention to the RaaS market, and RaaS providers may have moral objections to impacting someone's physical health as well (as opposed to their bank account).
Attacks that use RaaS have become common in recent years. A few examples:
RaaS vastly lowers the barrier for entry for this profitable form of cyber crime — anyone with a computer and an Internet connection can carry out a ransomware attack. For this reason, RaaS attacks will likely continue to proliferate in the coming years.
Like any cloud service, RaaS services are purchased and accessed on the Internet. RaaS is usually distributed via malware forums on the dark web. (The "dark web" is a part of the Internet that can only be accessed using a Tor browser, which conceals a user's location and IP address.)
RaaS is just as competitive as any other industry, and many providers aggressively market their services. RaaS providers have Twitter accounts, websites, video content, and other marketing assets. They often run marketing campaigns to drive up business. Most RaaS tools have user reviews and community forums as well.
A number of security measures can help organizations defend themselves against both ransomware-as-a-service attacks and malware attacks in general:
To learn more about defense from RaaS attacks, see How to prevent ransomware.