The Rise of Ransomware-as-a-Service: What It Means, and What We Can Do
Shadowy rooms and blinking server racks. Rows of laptops and hyper-focused coders in hoodies. Devious actors with an encyclopedic knowledge of data networks and system vulnerabilities.
When we think about cybercrime, we tend to imagine highly skilled programmers behind the attacks that paralyze our schools, healthcare systems, and gas pipelines. But a growing trend, Ransomware-as-a-Service (RaaS), is allowing even those with limited technical expertise to carry out cyberattacks.
Today, you no longer need an advanced degree or years of expertise to execute devastating attacks on businesses and organizations. You just need a subscription.
Below, we’ll explore what RaaS is, why it’s on the rise, and, most crucially, what you can do about it.
What is Ransomware-as-a-Service (RaaS)?
Ransomware-as-a-Service (RaaS) is a business model where tech-savvy malware developers create the software to carry out ransomware attacks and criminals pay them to use that software. Essentially, it’s an illegal version of the Software as a Service (SaaS) business model. RaaS usually involves either a subscription, which can range in price from just $39 to over $2,000 a month, or a profit-sharing model.
Much like legitimate SaaS products, RaaS kit subscriptions may include technical support, bundled offers, dashboards, user reviews, onboarding guides, and more. They may be just bare-bones source code, or they may come with add-ons like tools for writing customized ransom notes. The RaaS providers may also create victim payment portals, negotiate ransoms, and even maintain dedicated leak sites to publish sensitive data for double extortion attacks.
Some well-known examples of RaaS kits in the last few years include DarkSide, REvil (a.k.a. Sodinokibi), Dharma, Shark, Stampado, Encryptor, LockBit 2.0 and Jokeroo. But the RaaS industry is constantly in flux, with old operators regularly disappearing and reappearing as new ones with updated or improved variants.
Why is Ransomware-as-a-Service on the rise?
At its most basic level, Ransomware-as-a-Service lowers the barrier to entry for cybercrime. As the UK’s National Cyber Security Centre Annual Review 2022 notes, the existence of RaaS means that “less-skilled affiliates… can launch cyber attacks without building the ransomware themselves. This opens the ransomware attack vector to a wider range of criminal actors where previously it was restricted to those with the requisite technical expertise.”
In the same report, the NCSC projects a major rise in both off-the-shelf and bespoke cyberattack services that allow less sophisticated actors to successfully extort organizations. And a report by Carnegie Mellon University noted that four of the top 10 ransomware variants were already RaaS products in 2020.
A thriving RaaS ecosystem
Another reason for the surge in Ransomware-as-a-Service offerings is the broader cybercriminal economy it belongs to. Today, RaaS kits are advertised with professional marketing campaigns on websites that resemble legitimate business sites. Operators produce content like white papers, videos, and social media posts to further the resemblance to regular SaaS products.
For customers (also known as RaaS affiliates), RaaS looks familiar and is easy to purchase. There’s no meeting in dark alleys or shady back rooms, just a few clicks on the dark web.
For RaaS operators, there are plenty of supporting players to keep producing new variants of ransomware. As Trend Micro notes, “this fully functional and independent ecosystem thrives in the underground with its key players… Operators are usually organized in a group and have designated roles such as leader, developers, and infrastructure and system administrators.”
Other analysts take it further, pointing out that the global cloud has allowed cybercriminal enterprises to proliferate in the last few years. As a 2021 Forbes article states, “the availability of international cloud infrastructure has grown exponentially, providing crime gangs from across the globe with scalable and standardized environments that can be accessed from anywhere.”
Much like other malware operations, RaaS is not a here-today-gone-tomorrow kind of threat. With a strong resemblance to the world of legitimate SaaS products and a massive, decentralized infrastructure to support it, RaaS is here to stay.
Crime pays — and RaaS products are no exception. According to a new report by UpGuard, RaaS purchasers in a commission model can earn up to 80% of each ransom payment they collect. Although not every victim pays, the average ransom payment is up to $812,000 this year. That’s no small sum.
And those four RaaS products on the top ten ransomware list in 2020? They raked in over $39 million in ransom payments — that the FBI knows of. The real profits from their attacks are likely underreported.
Neutralizing RaaS attacks with ShardSecure
Whether they’re a programming genius or a bargain-basement criminal with a subscription, ransomware attackers do have one weakness: they can be thwarted with the right security solution.
The ShardSecure platform uses self-healing to protect data against the impact of ransomware attacks, including RaaS. Our technology automatically reconstructs affected data whenever it's tampered with, deleted, or lost in an attack. It also makes confidential information unintelligible to third parties, stopping RaaS attackers from accessing sensitive data in double extortion attacks. With no way to reconstruct your data, criminals have nothing of value to threaten to publish.