Home / Definitions / Ransomware-as-a-Service


Jenna Phipps
Last Updated March 18, 2022 1:52 am

Ransomware as a service (RaaS) is a business model similar to SaaS, in which individuals or organizations pay ransomware developers to deploy their software to infiltrate a company’s IT infrastructure. The ransomware encrypts the company’s data, and those who deployed it require that a ransom be paid through cryptocurrency

RaaS enables both ransomware code providers and the people who attack computer systems and networks to profit from a ransom, which requires victims to pay in exchange for stolen data. Attackers using ransomware as a service demand thousands to millions of dollars in ransom money for returning the data they have encrypted on their victims’ servers and systems.

RaaS is a particularly lucrative operation because so many major enterprises, which make millions of dollars in revenue each year, transitioned rapidly to remote work environments during the COVID-19 pandemic. The IT requirements they suddenly had to meet often lacked the security needed for an interconnected network of devices and storage systems, and experienced hackers were able to take advantage of that weakness. 

Jump to:

What is ransomware as a service?

Ransomware as a service is a business model in which people or organizations pay ransomware gangs to manage all aspects of ransomware creation and benefit from the proceeds of the ransoms.

One of the first business ransomware attacks was recorded in 1989; the virus came through floppy disks and encrypted computer users’ files. Victims were required to mail $189 to an address in Panama have their files decrypted

Also read: How Does Cryptocurrency Work?

Ransomware gained traction in the 2010s with variants such as Reveton and CryptoLocker. Groups began implementing a managed service method, RaaS, similar to any other software-as-a-service (SaaS) method, allowing individuals or organizations who aren’t experienced programmers to benefit from the criminal activity.

Ransomware as a service gained widespread attention from the world, not just the cybersecurity industry or large enterprises, in 2021 with the Colonial Pipeline attack, which affected gasoline in the United States. Other major attacks followed in 2021, including the Kaseya breach and the JBS Foods attack. In the Colonial Pipeline attack, hackers gained access to the company’s infrastructure and encrypted its data, demanding millions of dollars. Colonial Pipeline’s ransom was $4.4 million; JBS paid $11 million. Kaseya stated that it did not pay the ransom demanded by REvil. 

Ransomware attacks cost global businesses $20 billion in 2021. Security provider Sophos found that 37% of businesses surveyed were hit by a ransomware attack in 2021. Today, demanding ransom payments in cryptocurrency enables the ransomers to remain anonymous: no longer can their payments be easily traced by authorities.

Also read: Ransomware as a Service is the Latest Evolution in Ransomware Threats

How does RaaS work?

RaaS providers develop code that organizations or individuals, called affiliates, can purchase from them and install within their own websites or malicious software downloads. There are multiple types of RaaS revenue models, but providers often use a subscription-based model—affiliates pay monthly fees as a company would for any IT service. RaaS vendors may also expect a one-time payment, rather than a monthly subscription.

Both the vendor and the affiliate then receive money from a paid ransom. Affiliates benefit from RaaS because it doesn’t require them to build their own code or develop their own strain of malware. Affiliates that plan to ransom someone’s data don’t have to know very much code to successfully initiate a ransomware attack.

RaaS marketing strategies

RaaS providers attract affiliates through their websites and marketing campaigns that showcase their skilled developers.

Ransomware as a service providers may hire new developers, but they often expect their developers to be reputable. RaaS developers or software engineers must write solid, reliable code to keep the ransomware business running.

RaaS companies also advertise on the dark web for hackers who have access to organizations’ IT infrastructures. They’ll pay thousands of dollars to someone who can provide access to these enterprises.

RaaS code of conduct

RaaS groups choose the organizations they attack strategically. They want enterprises that can logistically afford to pay the ransom; even if handing over the money is a financial stretch for the business, a RaaS group will want to target an organization whose value or assets are sufficient to support the desired ransom. Some groups even study enterprises’ revenue to ensure the company can comfortably pay the ransom.

Some RaaS groups, like DarkSide, have claimed in the past that their code of ethics dictates that they will not attack companies like hospitals. It’s unclear whether all RaaS groups stick to their publicly proclaimed codes of conduct. 

Some groups behave sporadically, too. For example, after launching an attack on Ireland’s national health system, ransomware group Conti provided the decryption keys to the encrypted computer systems without disclosing their motives after the government refused to pay the ransom.

RaaS rebranding strategies

Ransomware companies often rebrand, seeming to disappear but then emerging with a different name a couple of months later. It can be difficult for RaaS groups to continue operating once they have a very high profile, especially if a national government has put a bounty on its members and if security researchers are trying to track the group through cryptocurrency. Although security researchers can rarely be sure that an old ransomware group is responsible for new attacks, there are ways to detect similarities. For example, the strain of ransomware that paralyzes a system might have the same code used by a former notorious group.

Patterns and habits from ransomware groups indicate to security experts that a provider has not disappeared but has just renamed themselves. It can be difficult for RaaS groups to continue operating once they have a very high profile, especially if a national government has put a bounty on its members.

Also read: Ransomware as a Service: How It Works & How to Prevent It 

How is the ransom collected and spent?

To pay a ransom, businesses must obtain the dollar amount in bitcoin, which often requires an approval process — it takes processing time and work to trade thousands or millions of dollars for bitcoin. A business must send bitcoin to the address provided by the ransomware group, who will then hopefully send files, a decryption key, and usage instructions to them.

Ransomware money is typically distributed among the people involved in the business: the affiliate who pays for RaaS, the members of the RaaS group, and the head of the group. RaaS groups sometimes pay freelancers to hack systems, too.

Not all ransomware providers distribute their funds immediately. Though their reasons are unknown, one possibility is that these groups are trying to stay under the radar while government agencies and companies fighting cyber crime attempt to trace the cryptocurrency with which the ransom was paid.

Pam Clegg, the VP of financial investigations at cybersecurity research company CipherTrace, said money is not traceable if it doesn’t create a trail through cryptocurrency, according to Forbes. It’s possible that ransomware groups are waiting to transfer their money until they have a lower profile.

In one case, the ransomware group DarkSide donated $10,000 dollars to two charities, Children International and the Water Project. To provide these donations and remain anonymous, they used a middle-man organization that allows people to make donations through cryptocurrency.

However, it was soon discovered that a ransomware group was responsible, and no United States charity is permitted to accept donations received through crime. One security analyst noted that this was more likely a publicity stunt than an attempt to truly help. 

Past and present RaaS providers

Netwalker leaked over a hundred organizations’ data in 2020 and 2021 and helped popularize the ransomware tactic of double extortion. If a group uses double extortion, they not only encrypt the data but also take it and threaten to publish it online if the victim doesn’t pay the ransom.

DarkSide, the group responsible for the Colonial Pipeline attack, was an RaaS business that allegedly operated out of Russia or eastern Europe. Although the U.S. government laid down a hefty $10 million bounty for members of the group in November 2021, DarkSide dropped off the radar before then, claiming to have disbanded.

REvil, a Russian-based ransomware group, was responsible for the JBS and Kaseya attacks in 2021. Though it fell quiet for a couple months in summer 2021, REvil became active again later in the year.

Also read: US amps up war on ransomware with charges against REvil attackers

LockBit is a ransomware group that attacked managed services provider Accenture in 2021, a failed attempt that Accenture was able to shut down. LockBit also uses double extortion against victims. LockBit is not just a group but also a specific strain of ransomware, a program that runs on victims’ systems and encrypts files on their network. LockBit is known for encrypting files particularly quickly

Conti is a ransomware organization that, unlike some ransomware groups, doesn’t appear to care about its reputation for returning data to paying customers, according to security provider Palo Alto Networks. Conti doesn’t always return the data in full once the ransom is paid. Conti also uses double extortion, publishing victims’ data on the dark web if they don’t pay the ransom.

How does a company protect itself from ransomware as a service?

To prevent RaaS attacks, organizations must do more than install firewalls and set password protections. Ransomware groups are able to slip into a company network through unpatched vulnerabilities, misconfigurations, or remote setups.

The Remote Desktop Protocol (RDP) is a particularly exploited pathway. Used by geographically separated teams that access each other’s systems or devices remotely, those systems or endpoints, if left open, can be accessed by ransomware operatives.

Methods of protecting systems include:

  • Installing software that identifies where the Remote Desktop Protocol is active and shutting it down where needed
  • Enabling multi-factor authentication (MFA) for all user accounts on all platforms
  • Setting Windows to always show executable files (.exe) as the full file name, rather than leaving off .exe, so employees are less likely to click malicious programs
  • Using patch management tools that automatically alert your IT team when a new vulnerability is revealed or discovered and promptly making the update so that ransomware doesn’t get there first 
  • Setting policies for every application to decrease lateral movement, which ransomware groups use to move throughout a business’s infrastructure
  • Managing all personal devices used as endpoints, particularly through mobile device management (MDM) software that separates all personal data from corporate data on the device

To learn more about protecting your enterprise from ransomware, read How to Prevent Ransomware Attacks: 20 Best Practices.