Ransomware-as-a-Service (RaaS) is a growing phenomenon in the world of cybercrime, one that has fundamentally shifted the way cyberattacks are carried out. It operates in the same way as legitimate software-as-a-service businesses.

RaaS providers create and maintain ransomware tools, then offer them to criminal affiliates for a cut of the profits. This model has lowered the barrier to entry for cybercriminals, meaning that individuals with little technical knowledge can still execute sophisticated attacks. In short, RaaS has turned ransomware from something only the most skilled hackers could deploy into something accessible to nearly anyone with an internet connection and a willingness to cause harm.

How RaaS works

The RaaS model operates as a kind of subscription service, where affiliates purchase access to ransomware tools, use them to infect victims, and then split the ransom payments with the provider.

One notorious case is the REvil ransomware group, which has been linked to multiple high-profile attacks, including the 2021 Kaseya attacks. REvil’s success is partially due to its RaaS model. The group was able to recruit affiliates who would use the ransomware to infect clients, with the group taking a cut of the ransom payments. The Kaseya attack affected more than 1,500 businesses, illustrating just how widespread the impact of these attacks can be.

The rise of these platforms means that even low-level criminals are now able to target organisations with limited cybersecurity defenses. Small and medium-sized businesses (SMBs) have become prime targets because they often lack the resources and robust defenses that large corporations have. But it is not just SMBs that are at risk. RaaS attacks have extended to critical sectors like healthcare, government, and infrastructure.

Double extortion

One of the most disturbing trends seen with modern ransomware is the use of double extortion tactics. In the past, the victim of a ransomware attack would pay the ransom in exchange for decryption keys. Today, many ransomware operators also steal sensitive data before encrypting it, then threaten to release or sell the data if the ransom is not paid. This makes the decision whether to pay the ransom even more complicated for organisations, as the consequences of not paying could include a massive data breach.

A clear example of double extortion occurred with the Conti ransomware group, which has been behind multiple attacks on critical infrastructure, including health organisations. In one case, Conti attacked a healthcare provider, stealing sensitive patient data before encrypting systems. When the company refused to pay, Conti began releasing data online.

RaaS and cryptocurrency

Another significant aspect of RaaS is its reliance on cryptocurrency for ransom payments. Cryptocurrencies like Bitcoin and Monero provide a layer of anonymity for both cybercriminals and the victims. This makes it far harder for law enforcement agencies to track down the criminals behind these attacks.

The use of cryptocurrency has also raised concerns about its role in facilitating illegal activities, as cybercriminals can use it to launder ransom payments. The rise of cryptocurrency has essentially given ransomware groups the financial tools to operate globally without the same level of oversight or accountability.

Defending against RaaS attacks

Businesses can no longer afford to be complacent. The threats are only growing, and the criminals behind these attacks are getting more organised and sophisticated. Organisations must carry out regular backups to protect against ransomware. Since many ransomware attacks start with phishing emails, regular employee training is also crucial.

Having a clear, actionable incident response plan can help reduce the impact of an attack. Cybercriminals also often exploit unpatched vulnerabilities to deploy ransomware, so ensuring that software is up to date and that vulnerabilities are patched as soon as they’re discovered is essential in reducing risk.