The Attacker’s Toolkit: Ransomware-As-A-Service

Share :

Security threats evolve just as fast as the technologies used to stop them. New and modified attack strategies are constantly in the works.

To make matters worse, the attack surface within corporate networks is expanding. The push to work from home increased vulnerable points of entry by introducing multitudes of new endpoint devices. The move to cloud-based services and infrastructure has further resulted in a broader and more challenging landscape to defend.

In recent years, threat actors have begun collaborating with each other in a ransomware-as-a-service (RaaS) model to infiltrate organizations. The RaaS model allows the developers of a ransomware variant to recruit affiliates that exclusively use their ransomware in targeted attacks on organizations. Any ransom payments extorted out of the victims are then divided up between the ransomware developers and affiliate who conducted the attack.

Use of RaaS is still skyrocketing. In fact, one report estimates that 64% of all ransomware attacks were conducted through the RaaS model in 2020.

RaaS: An Industry of its Own

RaaS comes in several forms. There are many pricing strategies used by ransomware providers and a variety of nefarious tools available for purchase. Many come bundled with instructions for how to carry out attacks, best practices, ransom strategies, and even an IT help desk. Basically, RaaS can provide the kind of documentation and architecture you’d expect with a popular business SaaS offering, a far cry from the stereotypical, hoodie-wearing rogue actor depicted in pop culture.

Like the SaaS industry, RaaS pricing strategies differ between providers. Some offer their attack services as a one-time purchase, some offer them on subscription plans, and others combine subscriptions with a cut of the ransom fee paid to the developer after a successful attack. Others are highly selective in customer selection, only accepting ‘reputable’ attackers with a proven track record.

The critical piece of technology enabling these varied strategies to succeed is cryptocurrency. Currently, bitcoin is the most popular crypto choice for RaaS payments and ransom demands. It’s difficult to trace and easy to launder into clean cash, so it’s an obvious choice for threat actors wanting a quick way to profit from RaaS.

Why Has RaaS succeeded?

Simply put, RaaS has gained traction because ransomware, in general, is a powerful tool in a hacker’s arsenal. Anytime data is stolen or locked, impacted organizations often don’t know what to do. They often feel paying the ransom is the only option, even though the FBI and other agencies strongly discourage organizations from doing so.

Not only is ransomware an effective attack strategy, but RaaS services are also relatively easy to access, use and adapt. Attackers often start with an existing ransomware platform and update to include new capabilities that can render the platform more destructive than before. Some ransomware developers will go so far as to combine the code of multiple ransomware.

Given the effectiveness of ransomware, attackers often strike repeatedly. One notorious ransomware variant, REvil, ran rampant from 2019 to 2021. The cybercriminals behind REvil were successful at infiltrating and extorting millions of dollars from businesses for almost three years. Then, they lost control of their servers and law enforcement agencies made arrests. This seems to have stamped out this variant, but a new one, called Yanluowang, is quickly gaining steam and available under the same RaaS model.

Other infamous RaaS operations include Ryuk, which has been around since 2018 and is responsible for some of the largest ransomware attacks in the past two years. DopplePaymer, another service, targets organizations in healthcare, emergency services, and education. Egregor is another ransomware service derived from Sekhmet and Maze, two earlier notorious programs. Egregor is probably best known for its use in the attacks on Barnes & Noble, Crytek, and Ubisoft.

All these factors make the prospect of defending against these attacks seem hopeless. Thankfully, it isn’t. Especially when considering how important preparation and training are to prevent a successful ransomware attack.

SaaS vs. RaaS: Defending Against the Attackers’ Toolkit

The most important factor in defending against cyber threats involves a proactive approach. Your defensive posture will not improve itself — taking steps to prepare for future attacks is the best way to reduce your risk. Run internal security audits (or hire an outside firm to run them), educate yourself and your staff (especially non-security professionals) on how to identify phishing scams and other red flags, and find ways to strengthen data security — for example, through more frequent backups. Keep backups offsite so they are not compromised along with your actively used data. This is known as an air-gapped solution.

Don’t forget that RaaS often exploits known vulnerabilities, which means that staying vigilant in patching your systems is important in strengthening your defenses. One place to start is referencing CISA’s known exploit catalog, and focusing on the most important vulnerabilities and to remain vigilant with patching your systems.

To thwart attacks like RaaS, security technology alone is not enough; it’s essential to cultivate a security-minded culture throughout your organization. Take a security operations approach that marries the technology with the human element of your organization, beginning with education on cyber hygiene and understanding that your security posture is an evolving process. As threats change, leverage threat intelligence to pivot defense strategies and the security information resources and training you provide for your employees. Rather than viewing employees as a ‘weak link’ in your organization, empower them to keep security top of mind, particularly as social engineering attacks become more personalized and target employees of every level and department.

Companies of all sizes should mind their security posture and take proactive steps to shore up defenses and create a culture of security that counters the attackers. By prioritizing security culture as part of security posture, leaders can foster a more resilient, secure future for their organizations.

This article originally appeared at

Picture of Mark Manglicmot

Mark Manglicmot

Mark Manglicmot leads the Security Services team at Arctic Wolf. A US Air Force Veteran and experienced consultant, his experience is concentrated in enterprise security strategy, APT incident response, adversary hunting tactics, security operation center (SOC) formation, Red Teaming and security analytics. Manglicmot’s USAF service of nine years included over five years in the Air Force Computer Emergency Response Team (AFCERT) where he was certified as a “Combat Mission Ready” Crew Commander and Assistant Director of Operations to direct real-time cyber-response actions across the DoD. He has taught USAF course lectures and college seminars on network warfare and is a published Author.
Share :
Table of Contents
Subscribe to our Monthly Newsletter