What is ransomware as a service (RaaS)?

5 September 2024

Authors

Matthew Kosinski

Enterprise Technology Writer

Ransomware as a service (RaaS) is a cybercrime business model in which ransomware developers sell ransomware code or malware to other hackers, called “affiliates,” who then use the code to initiate their own ransomware attacks.

Ransomware-as-a-service arrangements are popular with cybercriminals. Ransomware remains a common cyberthreat, involved in 20% of all cybercrime incidents according to the IBM® X-Force® Threat Intelligence Index. Many of the most infamous and devastating ransomware strains—such as LockBit and BlackBasta—spread through RaaS sales.

It's easy to understand the proliferation of the RaaS model. By outsourcing some of their efforts to RaaS providers, would-be hackers have a faster and easier entry into cybercrime. Even threat actors with limited technical expertise can now initiate cyberattacks.

RaaS is mutually beneficial. Hackers can profit from extortion without developing their own malware. At the same time, ransomware developers can increase their profits without the effort of attacking networks and can profit from victims they might not otherwise have located.

How does ransomware as a service work?

RaaS works the same way legitimate software as a service (SaaS) business models do. Ransomware developers, also called RaaS operators or RaaS groups, take on the work of developing and maintaining ransomware tools and infrastructure. They package their tools and services into RaaS kits that they sell to other hackers, known as RaaS affiliates.

Most RaaS operators use one of these revenue models to sell their kits:

  • Monthly subscription
  • One-time fee
  • Affiliate programs
  • Profit sharing

Monthly subscription

RaaS affiliates pay a recurring fee—sometimes as little as USD 40 per month—for access to ransomware tools.

One-time fee

Affiliates pay a one-time fee to purchase the ransomware code outright.

Affiliate programs

Affiliates pay a monthly fee and share a small percentage of any ransom payments that they receive with the operators.

Profit sharing

The operators charge nothing up front, but take a significant cut of every ransom the affiliate receives, often 30–40%.

RaaS kits are advertised on dark web forums across the underground ecosystem, and some ransomware operators actively recruit new affiliates, pouring millions of US dollars into recruitment drives on the dark web.

Once they’ve purchased a RaaS kit, affiliates get more than just malware and decryption keys. They often receive a level of service and support on par with lawful SaaS vendors. Some of the most sophisticated RaaS operators offer such amenities as:

  • Ongoing technical support.
  • Access to private forums where hackers can exchange tips and information.
  • Payment processing portals—because most ransom payments are requested in untraceable cryptocurrencies such as Bitcoin.
  • Tools and support for writing custom ransom notes or negotiating ransom demands.

Cybersecurity challenges of RaaS attacks

All ransomware attacks can have serious consequences. According to the IBM® Cost of a Data Breach report, the average ransomware breach costs its victim USD 4.91 million. But attacks from RaaS affiliates pose additional challenges to cybersecurity professionals, including:

  • Fuzzy attribution of ransomware attacks
  • Specialization of cybercriminals
  • More resilient ransomware threats
  • New pressure tactics

Fuzzy attribution of ransomware attacks

Under the RaaS model, the people carrying out cyberattacks might not be the same people who developed the malware in use. Furthermore, different hacking groups might be using the same ransomware. Cybersecurity professionals might not be able to definitively attribute attacks to any specific group or groups, making it harder to profile and catch RaaS operators and affiliates.

Specialization of cybercriminals

Similar to the legitimate economy, the cybercrime economy has led to a division of labor. Threat actors can now specialize and refine their crafts. Developers can focus on writing increasingly powerful malware, and affiliates can focus on developing more effective attack methods.

A third class of cybercriminals called “access brokers” specializes in infiltrating networks and selling access points to attackers. Specialization enables hackers to move faster and make more attacks. According to the X-Force Threat Intelligence Index, the average time to prepare and start a ransomware attack has dropped from 60+ days in 2019 to 3.84 days today.

More resilient ransomware threats

RaaS enables operators and affiliates to share the risk, making each more resilient. Catching affiliates doesn’t shut down operators, and affiliates can switch to another ransomware kit if an operator is caught. Hackers have also been known to reorganize and rebrand their activities to evade the authorities.

For example, after the US Office of Foreign Assets Control (OFAC) sanctioned the Evil Corp ransomware gang, victims stopped paying ransoms to avoid penalties from OFAC. In response, Evil Corp changed the name of its ransomware to keep the payments coming.

New pressure tactics

The cybercriminals who use RaaS attacks have found that they can often demand higher and faster ransom payments if they do not encrypt the victim’s data. The extra step of restoring systems can slow payments. In addition, more organizations have improved their backup and recovery strategies, rendering encryption less harmful to them.

Instead, cybercriminals attack organizations with large stores of sensitive personally identifiable information (PII)—such as healthcare providers—and threaten to leak that sensitive information. The victims often pay a ransom rather than suffer the embarrassment—and possible legal repercussions—of a leak.

Notable ransomware as a service variants

It can be difficult to pin down which gangs are responsible for which ransomware or which operators started an attack. That said, cybersecurity professionals have identified a few major RaaS operators over the years, including:

  • Tox
  • LockBit
  • DarkSide
  • REvil/Sodinokibi
  • Ryuk
  • Hive
  • Black Basta
  • CL0P
  • Eldorado

Tox

First identified in 2015, Tox is considered by many to be the first RaaS.

LockBit

LockBit is one of the most pervasive RaaS variants, according to the X-Force Threat Intelligence Index. LockBit often spreads through phishing emails. Notably, the gang behind LockBit has tried to recruit affiliates employed by their target victims, making infiltration easier.

DarkSide

DarkSide’s ransomware variant was used in the 2021 attack on the US Colonial Pipeline, considered the worst cyberattack on critical US infrastructure to date. DarkSide shut down in 2021, but its developers released a successor RaaS kit named BlackMatter.

REvil/Sodinokibi

REvil, also known as Sodin or Sodinokibi, produced the ransomware behind the 2021 attacks against JBS USA and Kaseya Limited. At its height, REvil was one of the most widespread ransomware variants. The Russian Federal Security Service shut down REvil and charged several key members in early 2022.

Ryuk

Before shutting down in 2021, Ryuk was one of the largest RaaS operations. The developers behind Ryuk went on to release Conti, another major RaaS variant, which was used in an attack against the Costa Rican government in 2022.

Hive

Hive rose to prominence in 2022 after an attack on Microsoft Exchange Server. Hive affiliates were a significant threat to financial firms and healthcare organizations until the FBI took down the operator.

Black Basta

Arriving as a threat in 2022, Black Basta quickly claimed more than 100 victims across North America, Europe and Asia. Using targeted attacks, the hackers practiced double extortion: demanding payment to decrypt the victim’s data while also threatening to release sensitive information to the public.

CL0P

In 2023, the CL0P ransomware group exploited a vulnerability in the file transfer application MOVEit to expose information on millions of individuals.

Eldorado

The Eldorado RaaS was announced in early 2024 in an advertisement on a ransomware forum. Within three months, 16 victims had already been attacked in the US and Europe.1

Protecting against ransomware as a service

While RaaS has changed the threat landscape, many of the standard practices for ransomware protection can still be effective for combatting RaaS attacks.

Many RaaS affiliates are less technically adept than previous ransomware attackers. Placing enough obstacles between hackers and network assets might deter some RaaS attacks entirely. Some cybersecurity tactics that might be helpful:

  • Comprehensive incident response plans
  • Anomaly-based detection tools
  • Reducing the network attack surface
  • Cybersecurity training
  • Implementing access controls
  • Maintaining backups
  • Working with law enforcement

Comprehensive incident response plans

Incident response planning can be particularly helpful for RaaS attacks. Because attack attribution can be difficult to determine, incident response teams can’t count on ransomware attacks always using the same tactics, techniques and procedures (TTPs).

Furthermore, when incident responders kick out RaaS affiliates, access brokers might still be active on their networks. Proactive threat hunting and thorough incident investigations can help security teams eradicate these evasive threats.

Anomaly-based detection tools

To identify ransomware attacks in progress, organizations can use anomaly-based detection tools, such as some endpoint detection and response (EDR) and network detection and response (NDR) solutions. These tools use intelligent automation, artificial intelligence (AI) and machine learning (ML) functions to detect new and advanced threats in near real-time and provide greater endpoint protection.

A ransomware attack might be spotted at its earliest stages by an unusual backup deletion or by an encryption process that suddenly starts without warning. Even before an attack, anomalous events might be the “early warning signs” of an impending hack that the security team can prevent.
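As an added illustration of the two early warning signs named above (not code from the article or from any IBM product), the following Python sketch runs a simple rule set over a constructed endpoint event log: it flags command lines that delete local backups and flags a single process that renames many files to one new extension within a short window. The log format, process IDs, file paths and thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Command lines that destroy local backups before encryption (MITRE ATT&CK T1490).
BACKUP_TAMPER = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I),
]
RENAME_THRESHOLD = 5            # renames to one new extension by one process ...
WINDOW = timedelta(seconds=60)  # ... within this window is treated as mass encryption

# Constructed endpoint telemetry, one event per line: "<timestamp> <kind> <pid> <detail>".
SAMPLE_LOG = r"""2024-09-05T10:00:01 PROC 4120 C:\Windows\System32\svchost.exe -k netsvcs
2024-09-05T10:00:03 RENAME 4120 C:\Users\a\Documents\report.docx -> C:\Users\a\Documents\report_final.docx
2024-09-05T10:00:05 PROC 5312 vssadmin.exe delete shadows /all /quiet
2024-09-05T10:00:06 PROC 5312 wbadmin delete catalog -quiet
2024-09-05T10:00:10 RENAME 5312 C:\Users\a\Documents\q1.xlsx -> C:\Users\a\Documents\q1.xlsx.locked
2024-09-05T10:00:11 RENAME 5312 C:\Users\a\Documents\q2.xlsx -> C:\Users\a\Documents\q2.xlsx.locked
2024-09-05T10:00:11 RENAME 5312 C:\Users\a\Documents\notes.txt -> C:\Users\a\Documents\notes.txt.locked
2024-09-05T10:00:12 RENAME 5312 C:\Users\a\Pictures\cat.jpg -> C:\Users\a\Pictures\cat.jpg.locked
2024-09-05T10:00:12 RENAME 5312 C:\Users\a\Pictures\dog.jpg -> C:\Users\a\Pictures\dog.jpg.locked
2024-09-05T10:00:13 RENAME 5312 C:\Users\a\Desktop\todo.txt -> C:\Users\a\Desktop\todo.txt.locked"""

def parse_event(line):
    ts, kind, pid, detail = line.split(" ", 3)
    return datetime.fromisoformat(ts), kind, pid, detail

def detect(lines):
    """Return (alert_type, pid, evidence) tuples for the two early warning signs."""
    alerts, alerted = [], set()
    recent = defaultdict(deque)  # pid -> (timestamp, new extension) seen within WINDOW
    for line in lines:
        ts, kind, pid, detail = parse_event(line)
        if kind == "PROC" and any(p.search(detail) for p in BACKUP_TAMPER):
            alerts.append(("backup_tamper", pid, detail))
        elif kind == "RENAME":
            new_name = detail.split(" -> ", 1)[1]
            ext = new_name.rsplit(".", 1)[-1].lower() if "." in new_name else ""
            q = recent[pid]
            q.append((ts, ext))
            while q and ts - q[0][0] > WINDOW:   # drop renames older than the window
                q.popleft()
            same_ext = sum(1 for _, e in q if e == ext)
            if same_ext >= RENAME_THRESHOLD and pid not in alerted:  # alert once per process
                alerted.add(pid)
                alerts.append(("mass_rename", pid, f"{same_ext} files renamed to .{ext} in {WINDOW.seconds}s"))
    return alerts
```

Calling `detect(SAMPLE_LOG.splitlines())` yields two backup-tampering alerts followed by one mass-rename alert, all attributed to the same process, while the benign rename by the other process raises nothing.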

Reducing the network attack surface

Organizations can help reduce their network attack surfaces by conducting frequent vulnerability assessments and regularly applying patches to close commonly exploited vulnerabilities.

Security tools such as antivirus software, security orchestration, automation and response (SOAR), security information and event management (SIEM) and extended detection and response (XDR) might also help security teams intercept ransomware faster.

Cybersecurity training

Show employees how to recognize and avoid common ransomware vectors including phishing, social engineering and malicious links.

Implementing access controls

Multifactor authentication, zero-trust architecture and network segmentation can help prevent ransomware from reaching sensitive data.

Maintaining backups

Organizations can regularly back up sensitive data and system images, ideally on hard disk drives or other devices that can be disconnected from the network.

Working with law enforcement

Organizations can sometimes save on the cost and time of containment with the help of law enforcement.

Ransomware victims that involved law enforcement lowered the cost of their breaches by an average of nearly USD 1 million, excluding the cost of any ransom paid, according to the IBM Cost of a Data Breach Report. Involving law enforcement also helped shorten the time required to identify and contain breaches from 297 days to 281 days.
