Ransomware as a service (RaaS) is a malicious adaptation of the software as a service (SaaS) business model. It is a subscription-based model that sells or rents predeveloped ransomware tools to buyers, called ransomware affiliates, to execute ransomware attacks.
Before introducing the RaaS model, threat actors needed some proficiency in writing or accessing code before attempting a ransomware attack. Ransomware as a service opens these attacks to criminals who lack coding knowledge; however, many RaaS organizations are specific about who is given access. Some high-profile groups even interview potential affiliates or check their background and digital footprint.
The RaaS operations model makes it easy for anyone to execute a ransom campaign, providing threat actors with expert-level software to encrypt and decrypt files as well as 24/7 software support. Once they have access to the ransomware, it is the affiliates’ job to launch a successful attack through phishing or software exploits, for example.
Through its recent success, RaaS has identified itself as a significant cybersecurity threat. Understanding what it is, how it works, and how to safeguard your organization against it is crucial for protecting your valuable data.
According to the 2022 Unit 42 Ransomware Threat Report, ransomware is seeing significant growth as a cyberthreat:
Figure 1: Average ransom demand per industry as seen by Unit 42 over the course of 2022
In addition, the FBI's Internet Crime Complaint Center (ICCC) reported 2,084 ransomware complaints from January to July 31, 2021. This represents a 62% year-over-year increase. More recently, the Cybersecurity and Infrastructure Security Agency (CISA) reported in February 2022 that it is aware of ransomware incidents against 14 of the 16 U.S. critical infrastructure sectors. Ransomware and the groups that design it are expected to continue growing, especially since their business model is both easy and profitable.
A vital component of RaaS-style attacks is that the affiliates have predesigned playbooks and tip sheets for executing a successful attack. As a part of this, they can quickly and effectively scope out victim environments, deploy malware, use tools to harvest credentials, steal sensitive data, and subsequently encrypt files en masse.
Figure 2: Types of attacks that occurred once ransomware entered an environment
In addition to the ransomware, RaaS organizations provide quality-of-life features to their affiliates. These include infrastructure and services for negotiation communications as well as platforms for publishing stolen data, like leak sites or Telegram channels, if victims don’t pay the ransom demand. Profits from a successful ransom are divided between the RaaS and the affiliate based on a specific revenue model.
Business occurs on the dark web, and payments are made through different cryptocurrencies. While the exact payment details vary depending on the RaaS revenue model, affiliates tend to take the significant cut of a ransom — about 70-80%. There are four ways profits can be split:
The more advanced RaaS operators will build a portal for subscribers to see the status of all infections, ransom payments and other sensitive information about their targets. Quality-of-life efforts are worth it, as ransomware remains one of the most financially devastating attacks in the current threat landscape.
Developers focus on creating and supplying the necessary RaaS tools to interested affiliates. Affiliates identify network intrusion opportunities and deploy the actual ransomware.
Click here for more information on specific ransomware attacks.
If an attack is successful, the ransomware sends an extortion message to the victim demanding a ransom. This can include threats like posting the organization’s data on the dark web or deleting it entirely if the victim does not pay by a specified deadline. Some groups prefer to threaten in specific ways, while others let affiliates do as they would prefer.
There is an abundance of ransomware as a service in circulation, and while cyber professionals are aware of and tracking many different groups, it’s important to be on guard and prepared for anything. Unit 42 has done a lot of research on different RaaS groups to prepare SOCs for potential attacks. Here are some groups that Unit 42 has observed who are active as of November 2022.
This ransomware emerged in June 2021 and exploits SMB and PowerShell to spread malware through a compromised network. It claims to have the fastest market encryption and has compromised over 50 organizations across different industries.
Also known as ALPHV, BlackCat is coded in the Rust programming language and is easy to compile against different operating architectures. This ransomware is dangerous as it’s highly customizable and easy to individualize.
First observed in June 2021, the Hive RaaS group pressures victims to pay by releasing details of the attack on different leak sites and even social media, including the date and time of attacks and a countdown to information leaks.
First identified in 2016, Dharma targets victims through malware attachments in phishing emails. Several other ransomware groups have used Dharma as source code.
While these are some of the most infamous groups, unfortunately, there are many more RaaS groups. You can learn about other groups and affiliate programs that Unit 42 has investigated here. Unit 42 continues to observe and reveal the illegal tactics of these groups to prepare organizations and keep them safe.
RaaS is an illegal industry developed by organized crime syndicates, and involvement in any ransomware campaign is unlawful. This includes buying RaaS kits on the dark web with the intent of causing damage or transmitting unwanted code to victims as well as breaching networks, stealing, encrypting and downloading system data and files, and extorting ransom from victims.
Ransomware cases are investigated by the FBI and prosecuted under the Computer Fraud and Abuse Act, and more information is discovered and made public by threat intelligence groups like Unit 42. An organization can prepare for RaaS attacks by being familiar with how the programs operate and taking preventive measures in their environment.
There are several effective ways to safeguard against a RaaS attack. Methods to minimize damage and prevent these attacks from happening include:
Click here to dive deeper into deploying security architecture capabilities and structuring for ransomware attacks.
Implementing these best practices will reinforce both your SOC and your organization against RaaS. For a deeper dive into understanding and testing your environment, many SOCs choose to undergo a ransomware readiness assessment.
Knowing exactly how an environment will react to an attack is the best way to prepare for one. Unit 42 offers a Ransomware Readiness Assessment to help develop a comprehensive understanding of your ability to prevent and respond to these types of threats. Let a threat researcher test your system in a non-disruptive way with tabletop exercises, purple teaming and more.
Figure 3: Graphic outlining the Unit 42 Ransomware Readiness Assessment
Our team is here to help you prepare for and respond to the most challenging cyberthreats. If you are experiencing an active breach or think you may have been impacted by a cyber incident, contact Unit 42.