RaaS works the same way legitimate software-as-a-service (SaaS) business models do. Ransomware developers, also called RaaS operators, take on the work of developing and maintaining ransomware tools and infrastructure. They package their tools and services into RaaS kits that they sell to other hackers, called RaaS affiliates. 

Most operators use one of the following revenue models to sell their kits:

• Monthly subscription: RaaS affiliates pay a recurring fee—sometimes as little as USD 40 per month—for access to ransomware tools.
  
  
• One-time fee: Affiliates pay a one-time fee to purchase ransomware code outright.
  
  
• Affiliate models: Affiliates pay a monthly fee and share a small percentage of any ransom payments they receive with the operators.
  
  
• Profit sharing: The operators charge nothing up front but take a significant cut of every ransom the affiliate receives, often 30-40%. 

RaaS kits are advertised on dark web forums‌, and some ransomware operators actively recruit new affiliates. The REvil group, for example, spent USD 1 million as part of a major recruitment drive in October 2020 (link resides outside ibm.com).

Once they’ve purchased a kit, affiliates get more than just malware and decryption keys — they often receive a level of service and support on par with lawful SaaS vendors. Some of the most sophisticated RaaS operators may offer such amenities as ongoing technical support, access to private forums where hackers can exchange tips and information, payment processing portals (since most ransom payments are requested in untraceable cryptocurrencies like Bitcoin), and even tools and support for writing custom ransom notes or negotiating ransom demands.

While the profit potential is a major factor in the proliferation of RaaS, affiliate programs also provide hackers and ransomware developers with additional benefits — and they present additional challenges to cybersecurity professionals. 

Fuzzy attribution of ransomware incidents. Under the RaaS model, the people carrying out cyberattacks may not be the same people who developed the malware in use. Furthermore, different hacking groups may be using the same ransomware. Cybersecurity professionals may not be able to definitively attribute attacks to specific groups, making it harder to profile and catch RaaS operators and affiliates. 

Specialization of cybercriminals. Much like the legitimate economy, the cybercrime economy has led to a division of labor. Threat actors can now specialize and refine their crafts. Developers can focus on making more and more powerful malware, and affiliates can focus on developing more effective attack methods. A third class of cybercriminals, called “access brokers,” specializes in infiltrating networks and selling access points to attackers. Specialization allows hackers to move faster and carry out more attacks. According to the X-Force Threat Intelligence Index, the average time to execute a ransomware attack dropped from 60+ days in 2019 to 3.85 days in 2022. 

More resilient ransomware threats. RaaS allows operators and affiliates to share the risk, making each more resilient. Catching affiliates doesn’t shut down operators, and affiliates can switch to another ransomware kit if an operator is caught. Hackers have also been known to reorganize and rebrand their activities to evade the authorities. For example, after the U.S. Office of Foreign Assets Control (OFAC) sanctioned the Evil Corp ransomware gang, victims stopped paying ransoms to avoid penalties from OFAC. In response, Evil Corp changed the name of its ransomware multiple times (link resides outside ibm.com) to keep the payments coming. 

It can be difficult to pin down which gangs are responsible for which ransomware or which operators are officially active at a given time. That said, cybersecurity professionals have identified a few major RaaS operators over the years, including:

• Tox: First identified in 2015, Tox is considered by many to be the first RaaS.

• LockBit: LockBit is one of the most pervasive RaaS variants today, accounting for 17% of ransomware incidents observed in 2022, more than any other strain. LockBit often spreads through phishing emails. Notably, the gang behind LockBit has tried to recruit affiliates who work for their target victims, making infiltration easier. 

• DarkSide: DarkSide’s ransomware variant was used in the 2021 attack on the U.S. Colonial Pipeline, considered the worst cyberattack on critical U.S. infrastructure to date. DarkSide shut down in 2021, but its developers released a successor RaaS kit called BlackMatter.

• REvil/Sodinokibi: REvil, also known as Sodin or Sodinokibi, produced the ransomware behind the 2021 attacks against JBS USA and Kaseya Limited. At its height, REvil was one of the most widespread ransomware variants, accounting for 37% of ransomware attacks in 2021. The Russian Federal Security Service shut down REvil and charged several key members in early 2022, but the gang’s RaaS infrastructure resurfaced again in April 2022 (link resides outside ibm.com)

• Ryuk: Before shutting down in 2021, Ryuk was one of the largest RaaS operations. The developers behind Ryuk went on to release Conti, another major RaaS variant, which was used in an attack against the Costa Rican government in 2022 (link resides outside ibm.com).

• Hive: Hive rose to prominence in 2022 after an attack on Microsoft Exchange Server. Hive affiliates were a significant threat to financial firms and healthcare organizations until the FBI took down the operator in 2023 (link resides outside ibm.com). 

While RaaS has changed the threat landscape, many of the standard practices for ransomware protection can still be effective for combatting RaaS attacks. Many RaaS affiliates are less technically adept than the ransomware attackers of yesterday. Placing enough obstacles between hackers and network assets may deter some RaaS attacks entirely. Additional cybersecurity tactics might include: 

• Maintaining backups of sensitive data and system images, ideally on hard drives or other devices that can be disconnected from the network.
  
  
• Reducing the network attack surface by regularly applying patches to close commonly exploited vulnerabilities. Security tools like antivirus software, security orchestration, automation and response (SOAR), endpoint detection and response (EDR), security information and event management (SIEM), and extended detection and response (XDR) can also help security teams intercept ransomware faster.
  
  
• Cybersecurity training can help employees recognize and avoid common ransomware vectors like phishing, social engineering, and malicious links.
  
  
• Implementing access controls such as multi-factor authentication, zero-trust architecture, and network segmentation can prevent ransomware from reaching particularly sensitive data.
  
  
• Comprehensive incident response plans can help security teams address most cyber threats, but they can be particularly helpful for RaaS attacks. Because attack attribution can be fuzzy, incident response teams can’t count on ransomware attacks always using the same tactics, techniques, and procedures (TTPs). Furthermore, when incident responders kick out RaaS affiliates, access brokers may still be active on their networks. Proactive threat hunting and thorough incident investigations can help security teams eradicate these evasive threats.