Ransomware as a Service (RaaS)
What Does Ransomware as a Service (RaaS) Mean?
Ransomware as a Service (RaaS) is a low code, software-as-a-service attack vector that allows criminals to purchase ransomware software on the dark web and conduct ransomware exploits without needing to know how to code.
Phishing email scams are a popular attack vector for RaaS exploits. Once a victim clicks on a malicious link in the attacker’s email, the ransomware will download and move laterally through the infected system to disable firewalls and antivirus software.
After the victim’s perimeter defenses have been compromised, the RaaS software can look for ways to escalate privileges -- and eventually hold the entire organization hostage by encrypting files to the point where they are inaccessible. The software will then notify the victim they have been attacked and provide instructions for how to pay the ransom and (hopefully) receive the correct cryptographic key for decryption.
Although RaaS and ransomware exploits are illegal, criminals who conduct this type of attack can be very difficult to catch because they use Tor browsers (Onion Routers) to reach their victims and require ransom payments to be made in cryptocurrency.
According to the FBI, an increasing number of malware developers have begun giving away their malicious LCNC (low code/no code) applications in exchange for a percentage of the extortion profits.
Techopedia Explains Ransomware as a Service (RaaS)
RaaS attacks are only going to increase moving forward. The ease of use and the fact that no technical skills are required mean they have broad appeal.
How does RaaS work?
A skilled ransomware developer will first create malware that has a low chance of being discovered and a high chance of being successful -- and purposely build their malware with a cloud-native architecture in mind that can support a multi-end user structure and licensing scheme.
The revenue model for the cloud delivery model essentially mirrors legitimate SaaS products, and purchases typically include step-by-step instructions for how to launch a successful ransomware attack. Users can either make a one-time purchase, or buy a monthly subscription that puts the burden of updating and maintaining the malware back on the developer.
Why is RaaS dangerous?
RaaS has essentially lowered the bar for cybercriminals by making it as easy as possible for ordinary criminals to successfully carry out this type of cyberattack. This has led to the rise of ‘ransomware gangs’ who spend a lot of time recruiting users to distribute malware en masse.
Since the ransomware is already coded, threat actors no longer need any type of technical background to execute a ransomware attack, and this makes it easy for gangs to find willing participants by promising lucrative rewards for little effort. The sheer number of ransomware attacks has increased exponentially due to this non-technical approach, which has significantly changed the threat landscape.
Examples of RaaS Exploits
Ransomware has been used to encrypt data and interrupt business continuity in nearly every industry. Examples of ransomware attacks supported by a RaaS delivery model include:
- DarkSide is reported to be responsible for the Colonial Pipeline attack in May 2021.
- Dharma first emerged in 2016 and moved to an RaaS delivery model in 2020.
- LockBit is infamous for its ability to escalate privileges once inside the target network.
- Maze is known for threatening to shame victims by sharing data publicly.
- REvil was in the news during the pandemic after it was used to launch a successful $11 million attack on the world's biggest meat processor in June 2021.
Because ransom demands are illegal, RaaS operators have to conduct their business in stealth and distribution kit names are changed often. Well-known RaaS kits that law enforcement has seen shut down, only to find them pop up under a different name include:
How to Prevent RaaS Exploits
RaaS cybercriminals most often deliver malware in sophisticated spear phishing emails that are cleverly designed to look legitimate. Safeguarding against RaaS exploits requires a strong risk management strategy that supports security awareness training for end-users on a regular basis.
Building a company culture that educates end users about the latest phishing tactics -- as well as the financial and reputational risks posed by ransomware attacks -- is the first and best defense. This includes initiatives to:
Teach employees about the latest phishing tactics
Every employee should know how to spot a phishing email and how to report a malicious message. Remind employees that if an email communication is from an unknown sender, they should not click on embedded links.
Consistently back up data.
RaaS attackers often use spear phishing tactics to gain access to targets that will garner the biggest ransom possible. When systems and data are backed up, a ransomware attack won’t have the same impact.
Maintain a rigorous patch program and automate updates as much as possible.
Keeping software up to date, including anti-virus programs, is essential to preventing an RaaS attack.
Follow best practices for network segmentation to limit the size of attack surfaces.
Network segmentation plays an important role in zero trust architectures.
Consider using a risk management platform.
Risk management platforms allow IT administrators to analyze behavioral data to identify which employees, applications or data are most likely to be considered easy targets for an RaaS exploit.
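An added example, not part of the original article: one way to use the backup advice above to also notice the file-encryption stage described earlier, by comparing current files against a hash manifest recorded at backup time and flagging files that changed and now look like random data. The 7.5 bits/byte cut-off, the 50% alert fraction, all function names and the sample file contents are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter

ENTROPY_THRESHOLD = 7.5  # bits/byte; assumed cut-off, encrypted data sits close to 8.0
ALERT_FRACTION = 0.5     # assumed: alert when half of the backed-up files look encrypted

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def build_manifest(files: dict) -> dict:
    """At backup time, record the SHA-256 of every file: {path: hex digest}."""
    return {p: hashlib.sha256(b).hexdigest() for p, b in files.items()}

def likely_encrypted(manifest: dict, current: dict) -> list:
    """Paths whose content differs from the backup AND is now high-entropy."""
    flagged = []
    for path, digest in manifest.items():
        body = current.get(path)
        if body is None or hashlib.sha256(body).hexdigest() == digest:
            continue  # missing or unchanged; untouched archives/images stay quiet
        if shannon_entropy(body) >= ENTROPY_THRESHOLD:
            flagged.append(path)
    return sorted(flagged)

def should_alert(manifest: dict, current: dict) -> bool:
    """True when the flagged share of backed-up files reaches ALERT_FRACTION."""
    flagged = likely_encrypted(manifest, current)
    return bool(manifest) and len(flagged) >= ALERT_FRACTION * len(manifest)

def pseudo_random(seed: str, blocks: int = 128) -> bytes:
    """Constructed stand-in for encrypted or compressed content (4096 bytes)."""
    return b"".join(hashlib.sha256(f"{seed}{i}".encode()).digest() for i in range(blocks))

# Constructed sample data: file contents at backup time and at check time.
BACKUP = {
    "docs/report.txt": b"quarterly report\n" * 200,
    "docs/notes.txt": b"meeting notes, nothing secret\n" * 100,
    "db/customers.csv": b"id,name,city\n1,Ann,Oslo\n" * 150,
    "img/logo.zip": pseudo_random("zip"),  # legitimately high-entropy, unchanged
}
AFTER_EDIT = dict(BACKUP, **{"docs/notes.txt": b"meeting notes, revised\n" * 100})
AFTER_ATTACK = {p: pseudo_random(p) for p in BACKUP}  # every file overwritten

if __name__ == "__main__":
    m = build_manifest(BACKUP)
    print("after edit:  ", likely_encrypted(m, AFTER_EDIT), should_alert(m, AFTER_EDIT))
    print("after attack:", likely_encrypted(m, AFTER_ATTACK), should_alert(m, AFTER_ATTACK))
```

Comparing against the manifest first is what keeps already-compressed files such as archives and images from raising false alarms, since entropy alone cannot tell them apart from encrypted data.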