What Is Ransomware-as-a-Service (RaaS)?
In recent years, threat actors have begun collaborating with each other in a ransomware-as-a-service (RaaS) model to infiltrate organizations. The RaaS model allows the developers of a ransomware variant to recruit affiliates that exclusively use their ransomware in targeted attacks on organizations. Any ransom payments extorted out of the victims are then divided up between the ransomware developers and the affiliate who conducted the attack.
Why the RaaS Model Is Gaining in Popularity
Use of RaaS is skyrocketing, with industry estimates stating that 11% of all cyber attacks now use the RaaS model. Why? Because it allows cybercriminals who don’t have the skills or time to develop their own ransomware variant to simply plug a working, ready-made RaaS kit into their attack.
How RaaS Works
On the attack front, RaaS is simply ransomware: an attacker encrypts data on a device or network and demands payment to restore access.
Financially, however, RaaS is based on the software-as-a-service (SaaS) model, with a variety of payment options available to purchasers, known as “affiliates.” The purchase can include not just the actual RaaS kit, but also instructions on how to carry out attacks, best practices for success, strategies to extort the largest ransom, and even customer service for both attacker and victim.
Basically, RaaS operates like a legitimate business, which is a scary proposition.
Three Major RaaS Pricing Models
- One-time purchase: Pay once to license the ransomware kit for a single attack
- Subscription service: A monthly fee grants ongoing access to the ransomware for as long as the subscription is paid
- Profit Sharing: No up-front cost, but the purchaser shares any ransom with the RaaS creator
The RaaS industry can also be highly selective, with some providers choosing only to engage with cybercriminals who have a “good” reputation and proven track record of attack success.
As with traditional ransomware, payment is made through cryptocurrency, which is difficult to trace and easy to launder back into traditional currency.
Major RaaS Groups
Lorenz is a ransomware group that has been active since at least February 2021 and like many ransomware groups, performs double-extortion by exfiltrating data before encrypting systems. Over the last quarter, the group has primarily targeted small and medium businesses (SMBs) located in the United States, with outliers in China and Mexico.
Conti is one of the most prolific ransomware groups tracked by Arctic Wolf Labs over the past 21 months, often ranking in the top 5 of ‘most posted victims’ on their dark web site, where victims who don’t pay up are exposed and shamed. In a wonderful karmic twist, Conti had their own data stolen and leaked in 2022, which hastened their disbanding.
REvil, the ransomware gang behind the notorious Kaseya attack, ran rampant from 2019 to 2021. The cybercriminals behind the collective were successful at infiltrating and extorting millions of dollars from businesses for almost three years. Then, they lost control of their servers and law enforcement agencies made arrests.
The Hive should be a familiar name to anyone with an eye on the cybersecurity world, having had a hand in roughly 1,300 ransomware attacks over the past few years. The FBI report estimates that the group has taken in around $100 million in ransom payments in that time. The Hive is also known to saddle victims who don’t pay up with additional ransomware that reinfects their systems.
It should be noted that, while these groups often disguise themselves well enough to avoid individual identification, it’s quite common for cybersecurity researchers to be able to follow enough breadcrumbs back to the gang’s nation of origin. This has grave implications for nation-state attacks, as these experienced cybercriminals may not only be hacking for money. They might also be launching larger, more dangerous attacks at the orders of their governments.
How to Defend Your Organization from RaaS
The most important factor in defending against cyber threats involves a proactive approach. Your defensive posture will not improve itself and taking steps to prepare for future attacks is the best way to reduce your risk.
Run internal security audits (or hire an outside firm to run them), educate yourself and your staff (especially non-security professionals) on how to identify phishing scams and other red flags, and find ways to strengthen data security — for example, through more frequent backups. Keep backups offsite so they are not compromised along with your actively used data. This is known as an air-gapped solution.
Don’t forget that RaaS affiliates often exploit known vulnerabilities, which means that staying vigilant in patching your systems is important in strengthening your defenses. One place to start is CISA’s Known Exploited Vulnerabilities (KEV) catalog: use it to focus first on the vulnerabilities that are actually being exploited, while keeping up routine patching of everything else.
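As an added illustration of that prioritization step (example code, not from the article or from CISA), the script below matches a KEV-style feed against a software inventory and orders the hits so that entries flagged with known ransomware use and the nearest CISA due dates come first. It assumes the KEV JSON layout (a `vulnerabilities` list with `cveID`, `vendorProject`, `product`, `dueDate` and `knownRansomwareCampaignUse` fields); the feed entries, CVE ids and inventory below are constructed placeholders.

```python
"""Prioritise patching against a CISA KEV-style feed (added example).

Assumed KEV JSON layout: top-level "vulnerabilities" list whose entries carry
cveID, vendorProject, product, dueDate (YYYY-MM-DD) and
knownRansomwareCampaignUse ("Known" or "Unknown").
"""
import json
from datetime import date

# Constructed feed snippet: placeholder CVE ids and vendors, not real catalog records.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2099-0001", "vendorProject": "ExampleCorp", "product": "VPN Gateway",
     "dueDate": "2099-01-15", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2099-0002", "vendorProject": "ExampleCorp", "product": "VPN Gateway",
     "dueDate": "2099-01-05", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2099-0003", "vendorProject": "OtherVendor", "product": "Mail Server",
     "dueDate": "2099-02-01", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2099-0004", "vendorProject": "Unrelated", "product": "Widget",
     "dueDate": "2099-01-01", "knownRansomwareCampaignUse": "Known"},
]})

# Constructed asset inventory: normalised (vendor, product) pairs in use.
INVENTORY = {("examplecorp", "vpn gateway"), ("othervendor", "mail server")}


def _key(vendor, product):
    # Normalise so inventory spelling/case differences do not hide a match.
    return (vendor.strip().lower(), product.strip().lower())


def prioritise(kev_json, inventory):
    """KEV entries that match the inventory, most urgent first.

    Order: known ransomware use first, then earliest CISA due date, then CVE id.
    """
    entries = json.loads(kev_json)["vulnerabilities"]
    matched = [e for e in entries if _key(e["vendorProject"], e["product"]) in inventory]
    return sorted(matched, key=lambda e: (e.get("knownRansomwareCampaignUse") != "Known",
                                          date.fromisoformat(e["dueDate"]), e["cveID"]))


def overdue(kev_json, inventory, today_iso):
    """CVE ids in the matched set whose CISA due date is already past today_iso."""
    today = date.fromisoformat(today_iso)
    return [e["cveID"] for e in prioritise(kev_json, inventory)
            if date.fromisoformat(e["dueDate"]) < today]


if __name__ == "__main__":
    for e in prioritise(KEV_SAMPLE, INVENTORY):
        print(e["cveID"], e["product"], e["dueDate"], e["knownRansomwareCampaignUse"])
```

With a real inventory export and the live feed in place of the constructed data, the same two functions give a daily list of what to patch first and what has already slipped past CISA’s due date.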
To thwart attacks like RaaS, security technology alone is not enough; it’s essential to cultivate a security-minded culture throughout your organization. Take a security operations approach that marries the technology with the human element of your organization, beginning with education on cyber hygiene and understanding that your security posture is an evolving process.
As threats change, leverage threat intelligence to pivot defense strategies and the security information resources and training you provide for your employees. Rather than viewing employees as a ‘weak link’ in your organization, empower them to keep security top of mind, particularly as social engineering attacks become more personalized and target employees of every level and department.
Companies of all sizes should mind their security posture and take proactive steps to shore up defenses and create a culture of security that counters the attackers. By prioritizing security culture as part of security posture, leaders can foster a more resilient, secure future for their organizations and stay safe from the dangers of RaaS.