Ransomware as a service (RaaS) is a cybercrime business model in which a ransomware group or gang sells its ransomware code or malware to other hackers, who then use it to carry out their own ransomware attacks.
According to IBM’s X-Force Threat Intelligence Index, ransomware was the second most common type of cyber attack in 2022. Many experts believe the rise of RaaS has played a role in keeping ransomware so prevalent. A 2022 report from Zscaler found that 8 of the 11 most active ransomware variants were RaaS variants.
It's easy to understand why the RaaS model is so popular with cybercriminals. RaaS lowers the bar for entry into cybercrime, allowing even threat actors with limited technical skills to carry out cyberattacks. Furthermore, RaaS is mutually beneficial: hackers can profit from extortion without developing their own malware, and ransomware developers can increase their profits without manually attacking networks.
RaaS works the same way legitimate software-as-a-service (SaaS) business models do. Ransomware developers, also called RaaS operators, take on the work of developing and maintaining ransomware tools and infrastructure. They package their tools and services into RaaS kits that they sell to other hackers, called RaaS affiliates.
Most operators use one of the following revenue models to sell their kits:
RaaS kits are advertised on dark web forums, and some ransomware operators actively recruit new affiliates. The REvil group, for example, spent USD 1 million as part of a major recruitment drive in October 2020.
Once they’ve purchased a kit, affiliates get more than just malware and decryption keys — they often receive a level of service and support on par with lawful SaaS vendors. Some of the most sophisticated RaaS operators may offer such amenities as ongoing technical support, access to private forums where hackers can exchange tips and information, payment processing portals (since most ransom payments are requested in untraceable cryptocurrencies like Bitcoin), and even tools and support for writing custom ransom notes or negotiating ransom demands.
While the profit potential is a major factor in the proliferation of RaaS, affiliate programs also provide hackers and ransomware developers with additional benefits — and they present additional challenges to cybersecurity professionals.
Fuzzy attribution of ransomware incidents. Under the RaaS model, the people carrying out cyberattacks may not be the same people who developed the malware in use. Furthermore, different hacking groups may be using the same ransomware. Cybersecurity professionals may not be able to definitively attribute attacks to specific groups, making it harder to profile and catch RaaS operators and affiliates.
Specialization of cybercriminals. Much like the legitimate economy, the cybercrime economy has led to a division of labor. Threat actors can now specialize and refine their crafts. Developers can focus on making more and more powerful malware, and affiliates can focus on developing more effective attack methods. A third class of cybercriminals, called “access brokers,” specializes in infiltrating networks and selling access points to attackers. Specialization allows hackers to move faster and carry out more attacks. According to the X-Force Threat Intelligence Index, the average time to execute a ransomware attack dropped from 60+ days in 2019 to 3.85 days in 2022.
More resilient ransomware threats. RaaS allows operators and affiliates to share the risk, making each more resilient. Catching affiliates doesn’t shut down operators, and affiliates can switch to another ransomware kit if an operator is caught. Hackers have also been known to reorganize and rebrand their activities to evade the authorities. For example, after the U.S. Office of Foreign Assets Control (OFAC) sanctioned the Evil Corp ransomware gang, victims stopped paying ransoms to avoid penalties from OFAC. In response, Evil Corp changed the name of its ransomware multiple times to keep the payments coming.
It can be difficult to pin down which gangs are responsible for which ransomware or which operators are officially active at a given time. That said, cybersecurity professionals have identified a few major RaaS operators over the years, including:
While RaaS has changed the threat landscape, many of the standard practices for ransomware protection can still be effective for combating RaaS attacks. Many RaaS affiliates are less technically adept than the ransomware attackers of yesterday. Placing enough obstacles between hackers and network assets may deter some RaaS attacks entirely. Additional cybersecurity tactics might include: