The rise of Ransomware-as-a-Service: How cybercrime has become a business


Author

Syed Jawwad

Security Consultant

Ransomware-as-a-Service (RaaS) has emerged as a game-changing business model in which criminal developers package the capabilities of traditional ransomware with the accessibility of a cloud-based service. This move has turned sophisticated digital extortion into a subscription-based economy available to nearly anyone with malicious intent.

Historically, ransomware attacks were carried out by technically skilled threat actors who wrote their own malware, distributed it through phishing or exploit kits, and negotiated with the victim directly. This traditional model had limitations: it did not scale, it concentrated risk on a single actor, and it demanded a wide skill set from one group.

Then the RaaS model came into the picture. In this model, ransomware developers create robust malware tools and lease them out to their customers or affiliates who carry out the actual attacks. The developers receive 20% to 40% of the profits, while the affiliates take the remaining share.

This has made cybercrime more accessible, enabling people with limited skillsets to carry out powerful attacks using advanced tools. 


How Ransomware-as-a-Service Works

RaaS is a cybercrime business model where professional hackers called developers create and sell or lease ready-made ransomware tools to affiliates (other criminals) who use them to carry out attacks. There are multiple stages as explained below.

1. Development of the Malware 

The developer or operator designs the ransomware payload. Features usually include:

  • Encryption algorithms to lock victim data
  • Self-deletion techniques
  • Evasion methods to bypass antivirus and EDR
  • Built-in communication channels (such as Tor-based command-and-control)

Some sophisticated families also include modular features, such as worm-like spreading, sandbox evasion, and multithreaded encryption to lock a large file set before defenders can react. 

2. RaaS Platform Hosting 

Once the malware is created, it is packaged and made available via darknet marketplaces or private forums. These platforms resemble legitimate SaaS sites, and their features include:

  • User dashboards to track infections
  • Payment portal and decryption key management 
  • Support forums
  • Updates and feature rollouts 
  • Marketing materials for their affiliates

Some RaaS groups even have customer service portals to help affiliates troubleshoot deployment.

According to CrowdStrike, RaaS kits are advertised on dark web marketplaces and include 24/7 support, bundled offers, user reviews, forums and other features identical to those offered by legitimate SaaS providers.

3. Affiliate Recruitment 

Affiliates are typically other cybercriminals who are less technically skilled than the ransomware developers, but who can spread the ransomware because they already have, or can buy, access to real networks.  

In large RaaS operations, recruitment is usually handled by affiliate managers or recruiters: a dedicated person or a small team finds, vets and onboards affiliates. In small or newly launched RaaS operations, the developer or operator usually handles recruitment directly.

Recruitment often takes place through multiple sources, including private messaging platforms like Telegram or Jabber, dark web forums, or invitations to join private groups.

Developers may carefully evaluate affiliates before allowing them to join the group, for example by requiring a track record or a deposit. In return, affiliates get access to the ransomware, documentation, and tools. Some groups recruit primarily on reputation within criminal forums. On rare occasions, attackers may use fake IT job ads or freelance platforms to recruit people unknowingly or to test their skills.

4. Payload Delivery 

Affiliates handle the distribution of ransomware using multiple vectors, including:

  • Phishing emails with malicious attachments 
  • Malicious advertising 
  • Compromised websites  
  • Exploiting unpatched software or exposed services (for example, VPN appliances and remote desktop) 
  • Initial access brokers (IABs), criminals who sell already-compromised entry points into networks

In some cases, affiliates also deploy double extortion techniques where they first steal data before encrypting it, then they threaten to publish it if the victim doesn’t pay the ransom.  

5. Dealing with the victim for payment 

Once systems are encrypted, the ransomware displays a message with payment instructions. These criminals usually demand cryptocurrency such as Bitcoin, and the ransom note itself often contains detailed steps on how to install Tor and set up a crypto wallet.

The victim is provided with links to negotiation portals. These portals are typically hosted on Tor. Some RaaS groups automate these conversations using chatbots, while other groups offer human operators to handle price negotiation. 

These groups divide their responsibilities clearly. Affiliates are responsible for deploying ransomware, delivering the ransom note, establishing initial communication, and handling negotiation. The core developer or developer team provides the backend by hosting portals, verifying payments, and distributing decryption keys.

6. Profit Sharing 

When a group succeeds in extorting money from a victim, it divides the funds according to the affiliate agreement: the agreed share goes to the developer and the affiliate keeps the rest. 


RaaS Business Models

There are several models under which RaaS operates. They include the following:

  • Affiliate/Profit Share: Affiliates do not pay any upfront cost, but developers take a share from each ransom. This is the most common model.
  • Subscription-based: Affiliates pay a monthly fee for access to the ransomware kit and support. 
  • One-time license: A flat fee buys unlimited access to the malware, but no ongoing support.
  • Custom-build: Tailored ransomware sold to a single buyer, often for high-profile or targeted attacks.

Real-World RaaS Groups 

A few of the best-known ransomware gangs that have operated under the RaaS model include:

  • REvil: This group offered detailed dashboards for affiliates and often negotiated ransoms on their behalf before disbanding.
  • DarkSide: This group was known for professional branding, PR statements, and even a code of conduct.
  • Conti: This group worked like a corporate entity, with payroll, managers, and performance reviews before disbanding.
  • LockBit: This group is still active, known for aggressive tactics and public leak sites.

Precautions: How to defend ourselves against RaaS

To stay protected from RaaS, businesses should choose a multi-layered defense strategy, including:

  1. User awareness: Phishing is the most common entry point. Regular training helps users recognize and report suspicious emails and attachments. 
  2. Behavioral and heuristic-based detection: RaaS operators ship new builds frequently, so defenses that rely only on known signatures lag behind. Indicators of Compromise (IOCs) such as file hashes, domains and IP addresses confirm known malicious activity on a network, system or endpoint, while behavioral detection catches activity that no IOC covers yet. When every second counts during a ransomware attack, EDR/XDR tools can detect, contain and respond in real time.
  3. Signature mapping and threat intelligence: Each ransomware family has distinct behavioural signatures and payload characteristics. Mapping those signatures helps create more targeted defenses. Businesses should regularly update threat intelligence feeds and integrate them with SIEM or SOAR platforms. The MITRE ATT&CK framework and abuse.ch's ThreatFox are good sources for TTPs and IOCs, and commercial services such as ANY.RUN's malware trends reports provide regular detail on top malware families, their IOCs and TTPs.
  4. File integrity monitoring (FIM): FIM detects unauthorized changes to files and directories by comparing current file hashes against a trusted baseline. It alerts when critical files (such as system configs or executables) are modified, deleted, or added, which helps identify malware, backdoors, or insider activity early. A sudden burst of changed files is itself a strong ransomware signal.
  5. Patching and updates: Regular patching plays a key role in defending against RaaS because many RaaS affiliates look for unpatched, internet-facing software to gain access.
  6. Endpoint Detection and Response (EDR): EDR performs behavioural analysis to catch ransomware in its early execution phases, before encryption completes.
  7. Zero trust architecture: Zero trust limits lateral movement even if a single system is compromised, because every access request is authenticated and authorized rather than trusted by network location.
  8. Segmentation: Segmenting the network helps prevent full-network encryption by isolating critical systems into separate segments.
  9. Offline and immutable backups: Backups that are offline or immutable cannot be encrypted or deleted by an attacker who controls the network, so if online backups are compromised, users can safely restore from those copies. Restores should be tested regularly.
  10. Compliance: Maintaining endpoint compliance significantly reduces the risk posed by Ransomware-as-a-Service. Businesses must make sure systems are hardened, known vulnerabilities are remediated, and antimalware definitions are current.
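The file-integrity-monitoring and behavioral-detection items above can be combined in one small tool. The following is an added example, not code from the original article or from any product it mentions: it baselines SHA-256 hashes of a directory tree, reports added, modified and deleted files on a later scan, and raises a ransomware alert when a large fraction of baselined files change at once and the new contents look encrypted (high Shannon entropy) or have been renamed with an appended extension. The directory layout, the `.locked` extension, the thresholds and the sample files are all assumptions constructed for the demonstration.

```python
"""Minimal file-integrity monitor with a ransomware heuristic (added example,
not the article's own code). Thresholds and sample data are assumptions."""
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

ENTROPY_THRESHOLD = 7.5       # bits/byte; encrypted or compressed data approaches 8.0
MASS_CHANGE_THRESHOLD = 0.5   # alert if >= 50% of baselined files changed in one scan
MIN_FILES_FOR_ALERT = 5       # and at least this many look encrypted/renamed


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; plain text is usually 4-5, ciphertext close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def build_baseline(root: Path) -> dict:
    """Map relative path -> SHA-256 for every regular file under root."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}


def ransomware_scan(root: Path, baseline: dict) -> dict:
    """Classic FIM diff plus a heuristic for encrypt-in-place or encrypt-and-rename."""
    current = build_baseline(root)
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline if k in current and current[k] != baseline[k])

    suspicious = []
    for rel in modified + added:
        high_entropy = shannon_entropy((root / rel).read_bytes()) >= ENTROPY_THRESHOLD
        # An added file whose name extends a deleted one (report.txt -> report.txt.locked)
        # is a rename with a new extension; a fresh high-entropy file on its own
        # (for example a legitimate zip) is deliberately not counted.
        renamed = rel in added and any(rel.startswith(d + ".") for d in deleted)
        if high_entropy and (rel in modified or renamed):
            suspicious.append(rel)

    fraction = (len(modified) + len(deleted)) / len(baseline) if baseline else 0.0
    alert = len(suspicious) >= MIN_FILES_FOR_ALERT and fraction >= MASS_CHANGE_THRESHOLD
    return {"added": added, "deleted": deleted, "modified": modified,
            "suspicious": suspicious, "changed_fraction": fraction, "alert": alert}


def demo() -> tuple:
    """Constructed scenario: baseline eight text files, then run one scan after a
    benign edit and another after six files are overwritten with random bytes and
    renamed with a .locked extension. Returns (benign_report, attack_report)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for i in range(8):
            (root / f"report{i}.txt").write_text(f"Quarterly report {i}\n" * 50)
        baseline = build_baseline(root)

        (root / "report0.txt").write_text("Quarterly report 0 (revised)\n" * 50)
        benign = ransomware_scan(root, baseline)

        for i in range(1, 7):                       # simulated encrypt-and-rename
            (root / f"report{i}.txt.locked").write_bytes(os.urandom(4096))
            (root / f"report{i}.txt").unlink()
        attack = ransomware_scan(root, baseline)
    return benign, attack


if __name__ == "__main__":
    benign_report, attack_report = demo()
    print("benign edit -> alert:", benign_report["alert"], benign_report["modified"])
    print("simulated ransomware -> alert:", attack_report["alert"],
          f"{len(attack_report['suspicious'])} suspicious, "
          f"{attack_report['changed_fraction']:.0%} of baseline changed")
```

In a real deployment the baseline would be stored off-host (an attacker with local admin can rewrite it), the scan would run on a schedule or be fed by inotify/ETW events, and the alert would go to the SIEM alongside EDR telemetry so that the host can be isolated before the encryptor finishes.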

Ransomware-as-a-Service has lowered the barriers for entry into cybercrime, enabling even low-skilled attackers to launch devastating campaigns. With well-organized operations, affiliate networks and profit-sharing models, RaaS continues to evolve rapidly. 

To counter this threat, organizations must adopt a layered defense strategy that includes user education, regular tested backups, EDR/XDR, threat intelligence and rapid incident response.
