Ransomware-as-a-service (RaaS) is a software-as-a-service business model for cybercrime that allows malware developers and cyberattackers to easily lease variants of their malware and services to aspiring cybercriminals on a subscription basis.
The brilliance of RaaS is how it enables even those with limited technical skills to use highly sophisticated ransomware to orchestrate attacks. Now, almost anyone can hop on the dark web and access a catalogue of existing or built-to-order malware services, with the subscription model opening up an ever-growing menu of complex, sophisticated ransomware to a far wider audience.
As technology evolves, the cybercrime model changes too. Digital weapons of mass destruction being industrialised and commodified for the masses is a big threat and macro trend that affects the entire cybersecurity industry. Let's take a look at how the ransomware ecosystem is evolving to become the dark mirror of legitimate SaaS services.
What is ransomware and how does it work?
Ransomware is a type of malware that steals and encrypts digital information, such as passwords, banking records, or operational data that could stop an organisation in its tracks. The cybercriminals involved can then demand a ransom for the decryption key. But for it to work, the ransomware has to first be deployed into the target’s IT systems.
Typically, cybercriminals use email or more invasive methods to deploy malware on a company’s network, which then propagates across other interconnected systems and encrypts the data within. The scary bit is the huge number of ways threat actors can sneak ransomware into a system. We’ve seen ransomware hidden in email attachments, fake ads, games, apps, websites, or even sent through links in text messages. All it takes is one careless employee downloading something dodgy on their phone or work computer, and the whole corporate network can be at risk.
From the perspective of the threat actor, it’s a rich vein of business opportunity—a highly lucrative attack vector that almost guarantees financial reward once deployed, with little to no risk of actually getting caught. Ransomware and the methods used to deploy it have become increasingly sophisticated as its creators get better at both the technical side and exploiting human behaviour.
In the past, a ransomware developer would use their own creations directly against a target for blackmail, or sell their product directly (including its source code and decryption key) for a lump sum of cash. But why sell ransomware when you can simply rent it out?
The Ransomware as a Service model incentivises skilled hackers to invest time and effort upfront to optimise ransomware packages, which can then be reused and sold to multiple clients over time as a feature of the subscription service.
The Rise of Ransomware as a Service
Just as ransomware became one of the biggest cyber threats in the world over the last decade, it seems that ransomware as a service is primed to be the next big driver of cybercrime.
The RaaS model gives threat actors the means to carry out their attacks without the need for any actual coding skills, or even any deep understanding of the malware itself. By removing the need for technical skill, suddenly almost anyone can become a cybercriminal. This type of turnkey malware service is spreading like wildfire and can be easily bought on darknet markets, or even the regular web in some cases.
Like some software developers in the Wild West days of the internet, the most successful ransomware developers build a pseudonymous reputation with customers on the back of their technical prowess and reliability. Amidst a shifting landscape of fly-by-night operators and grifters, more stable cybercrime enterprises can bootstrap, scaling up to become big fish in a dirty pond. The most reputable RaaS providers even offer catalogues that consistently feature their most popular products, i.e., ransomware that has a high chance of success and a low risk of discovery.
Understanding the RaaS experience
A RaaS customer will generally log into a portal, create an account, pay in Bitcoin, then select the type of malware they want to deploy or have built. Some RaaS kits might include 24/7 chat support, bundled offers or discounts, user reviews, forums, and other features you might expect to see from a legitimate developer.
Customers are provided with onboarding material with guides and a user-friendly dashboard UI that makes it disturbingly simple to launch attacks against even hardened organisations. Subscribers can also access support documentation, community discussion, feature updates and other benefits, again like any legitimate SaaS product.
More sophisticated RaaS platforms provide portals that allow their subscribers to view infection status, total payouts, total encrypted files, and other metrics about the profits extracted from target organisations.
Some RaaS platforms also aggregate a collection of cybercrime services, like job boards or menus of criminal disciplines, so that customers can build an attack to order, or recruit special skillsets or services. The customer doesn’t need to do anything more than select their malicious code, method of delivery, and target while their hired team of cyber mercenaries do the rest. In some cases, these service providers might even offer assistance, tech support and training.
The RaaS market continues to grow exponentially as cybercriminals look for more ways to profit from malware and their skills. Because RaaS platform operators have the successful blueprint of SaaS platforms to learn from, lead times are shortening and RaaS is branching out into novel verticals, creating an even greater profit incentive for bad actors.
How to protect your organisation from ransomware attacks
With the industrialisation of ransomware and its easy availability to almost anyone, ransomware attacks are growing more frequent and more sophisticated every day. The most effective attack mitigation approach is a blend of cyber awareness training, technical defences, and continuous monitoring of your network and systems for vulnerabilities.
While the cybersecurity measures will vary depending on your organisation, there are some recommended baseline best practices:
Have a robust and well-understood firewall in place to monitor all network traffic, with alerts configured for events outside of business-as-usual activity
Regularly educate employees on how to recognise phishing attempts or other common red flags around social engineering and onsite security
Set up DMARC protection to prevent cybercriminals leveraging your domain in phishing attempts
Back up often, both onsite and offsite
Choose only reputable third-party cloud service providers to partner with
Monitor vendors and clients for vulnerabilities to prevent third-party breaches
Ensure all devices and software are patched and updated regularly
Restrict access to software and company data on the principle of least privilege (PoLP) and zero trust
To pay or not to pay the ransom
Sometimes, even despite the best measures, the best technology, and the best people, ransomware can and does sneak through. In a scenario where ransomware has been deployed on your network, only you can decide if it's worth the risk of paying the ransom to restore full service. To do so is trusting the word of a cybercriminal to deliver the promised decryption key.
Even if you decide to pay up, there is nothing stopping an attacker from demanding more, and many victims have paid only to be refused the decryption keys. Even in cases where data has been decrypted, the attacker’s malware may still be lurking somewhere in your systems. After all, the attacking party now knows that you are willing to pay ransoms, which makes you a tempting target for future attacks.
Ultimately, it comes down to the laws in your region and your company’s own policy for dealing with cyber incidents. Prevention is the only cure, and your best defence is to make sure you’re a difficult target. Cybercriminals are looking for easy (and lucrative) pickings, and will lose interest quickly if they deem you not worth the effort of hacking.
The future of RaaS
Unfortunately, all the signs point to RaaS accelerating across the world and becoming an increasingly dangerous menace to organisations of all sizes. This is the reality of the constantly evolving digital world we live in. All we can do is make sure we’ve done the groundwork to prepare for any possible cyber risks, and that includes the expected rise in RaaS attacks. But the good news is, combating ransomware doesn’t have to be overly technical or expensive. In fact, getting started with a sound awareness training program can do wonders for your defences, and help make your people and your organisations a much tougher, and much more resilient, target.