What is Ransomware as a Service (RaaS)?


Ransomware as a Service (RaaS)

Ransomware as a service (RaaS) is a cybercrime business model in which ransomware is sold or rented to buyers, called affiliates. RaaS can be credited as one of the primary reasons for the rapid proliferation of ransomware attacks, as it has given a variety of threat actors, even those with little technical skill or knowledge, the means to deploy ransomware against their targets.

How does RaaS work?

Ransomware as a Service (RaaS) operates like the Software as a Service (SaaS) model, in which software is accessed online on a subscription basis. However, the RaaS model continues to evolve in its own ways, and this fully functional and independent ecosystem thrives in the underground. The key players in this business model are called operators: they develop and distribute ransomware, often working in structured groups with designated roles such as leaders, developers, and system administrators. More advanced groups may also have other roles, such as penetration testers, victim analysts, and negotiators, to refine their attacks.

Some tasks are outsourced or obtained via affiliate programs, such as Access-as-a-Service (AaaS), which provides entry points into target organizations. Skilled penetration testers may lack ransomware tools and instead operate as affiliates, using RaaS infrastructure to execute attacks.

A RaaS criminal group first develops or acquires ransomware software, then recruits affiliates via forums, Telegram, or personal networks, sometimes investing up to $1 million in recruitment. Once onboard, affiliates conduct attacks independently.

RaaS benefits both parties—operators profit from affiliate payments, while affiliates gain access to ransomware without development costs. Revenue models vary, including subscriptions, one-time fees, profit-sharing, or affiliate marketing. This allows operators to focus on improving ransomware while affiliates handle execution, making RaaS a highly specialized and profitable cybercrime model.

The SaaS model has also been adopted by the cybercrime community, and its most prominent example is RaaS. In the past, ransomware attacks were carried out mainly by the ransomware developers themselves. With RaaS, by contrast, the developers do not carry out the attacks themselves; instead, they gather so-called "affiliates" to carry out the attacks and provide them with the ransomware. If an affiliate's attack succeeds and the ransom is paid, the proceeds are split between the ransomware developer and the affiliate as a success fee.

Examples of RaaS

LockBit

LockBit is the most active ransomware group worldwide. From 2022 to 2023 it was responsible for around 20-30% of all ransomware detections. In one recent prominent attack, the ransom demand reached as high as US$50 million.

LockBit 2.0 claims to have one of the fastest encryption routines of any ransomware. It also shows similarities with the prominent ransomware families Ryuk and Egregor.

Akira

Akira is an emerging ransomware group that appeared in March 2023. It is believed to be related to Conti (which is now inactive), which was once one of the two major ransomware groups along with LockBit.

According to a Trend Micro survey, Akira has caused 107 incidents in the five months since April 1, 2023, with 85.9% of these incidents occurring in North America.

BlackCat

By March 2022, BlackCat had successfully compromised at least 60 organizations. In 2023, BlackCat's high-profile victims included Reddit and NextGen Healthcare. It gained initial notoriety as the first professional ransomware family written in the Rust programming language, which is known for its memory safety and its support for concurrent processing.

Now the group is known for its triple-extortion technique. In addition to exposing exfiltrated data, ransomware actors that use triple extortion threaten to launch distributed denial-of-service (DDoS) attacks on their victims' infrastructure to coerce them into paying the ransom.

[Image: Infection chain of BlackCat ransomware observed in 2022]

Black Basta

Black Basta is a ransomware group that was first identified in April 2022, and like Akira, it is suspected to be related to Conti. Beyond RaaS, Black Basta is actively developing the division of labor in attacks, for example by soliciting authentication information for corporate network access on underground forums in exchange for a share of the profits from ransomware attacks. Black Basta has also been developing builds for Linux, which indicates an effort to expand the range of systems it can encrypt.

[Image: Black Basta's infection chain]

How does RaaS attract affiliates? - A case study of LockBit

Why has LockBit, the largest ransomware group, been able to attract so many affiliates and build such a large-scale RaaS operation? The main reasons are its high profit-sharing ratio and its usability.

High profit-sharing ratio

LockBit offered affiliates a very attractive revenue share, returning 80% of the ransom money they acquired. According to a statement from Europol, the total damage caused by LockBit amounts to several billion euros, so the earnings of the affiliates involved in LockBit can be assumed to have been enormous. In the past, LockBit has demanded ransoms of up to $70 million, and even a single successful attack of that scale puts an affiliate in possession of a sum far beyond what ordinary people can earn.

Usability

LockBit was popular with affiliates because it was designed with RaaS in mind. For example, it developed and maintained a "user-friendly interface" that made it easy to choose from a variety of options when assembling the final attack program, lowering the technical hurdles for RaaS users to commit crimes.

Armed with these elements, LockBit actively recruited affiliates and expanded its influence, but it now faces a challenge specific to RaaS. For example, we have confirmed that LockBit's infrastructure is unstable and that the data on its leak site cannot be used; in such cases it becomes difficult for affiliates to carry out the extortion necessary for a successful attack. In addition, in February 2024 some members of LockBit were arrested and their servers and other infrastructure were taken down; incidents like this can also drive affiliates to leave. In other words, the key to the success of RaaS is gaining the trust and confidence of affiliates, and if something happens to damage that trust, the RaaS operation is no longer viable.

[Image: LockBit's timeline of notable activities]

How to defend systems against ransomware

For enterprises to protect themselves from ransomware attacks, it helps to establish ransomware defense plans. These can be based on security frameworks such as those from the Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST). These guidelines help with prioritization and resource management for prevention, defense, and recovery from ransomware.

Some of the best practices from these frameworks are as follows:

Audit events and take inventory

  • Available assets and data

  • Authorized and unauthorized devices and software

  • Security events and incidents

Manage and keep track of the following

  • Hardware and software configurations

  • Admin privileges and access

  • Activity in network ports, protocols, and services

  • Network infrastructure devices, such as firewalls and routers, and their security configurations

Patch and update by regularly performing the following for software and applications

  • Vulnerability assessments

  • Patching or virtual patching

  • Version update

Protect systems and recover data by implementing the following

  • Data protection, backup, and recovery measures

  • Multifactor authentication (MFA)

Secure and defend layers

  • The defense in depth (DiD) principle. This is done by creating multiple layers of defense against potential threats. One example of this is by blocking unused services not just on a firewall but also on actual servers.

  • Network segmentation and the least-privilege principle. It is paramount to follow these when granting permissions to system users, services, and roles.

  • Email static and dynamic analysis. Both of these work to examine and block malicious emails.

  • The latest version of security solutions to all layers of the system. These layers include email, endpoint, web, and network.

  • Monitoring for early signs of an attack. Identifying the questionable presence of various tools in the system can save organizations much time and effort in staving off possible attacks.

  • Advanced detection technologies. Technologies powered by AI and machine learning offer fortified protection.

Train and test

  • Security skills assessment and training

  • Red team exercises and penetration tests
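As an added example of the "monitoring for early signs of an attack" practice listed above (this script is not from the Trend Micro article and is not any product's detection logic), the following Python code runs two simple heuristics over endpoint file-system events: a single process renaming many files to one new extension within a short window, and the same file name being created in several directories, which is how ransom notes are typically dropped. The log format, the process names, the file paths and the thresholds are all constructed for this example.

```python
"""Toy ransomware early-warning detector over file-system event logs.

Added example; the event format below ("timestamp|process|action|path",
with "old -> new" for renames) is constructed for illustration and does not
correspond to any particular EDR product's telemetry.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional
import posixpath

# Constructed sample telemetry: a benign document edit, a benign bulk
# rename by a photo tool, a benign README, and then a process that
# renames files across directories to one new extension and drops the
# same note file in each directory it touches.
SAMPLE_EVENTS = """\
2024-05-01T09:00:01|libreoffice|modify|/home/alice/docs/q1-report.odt
2024-05-01T09:00:04|photo-tool|rename|/home/alice/pics/a.jpeg -> /home/alice/pics/a.jpg
2024-05-01T09:00:05|photo-tool|rename|/home/alice/pics/b.jpeg -> /home/alice/pics/b.jpg
2024-05-01T09:00:06|photo-tool|rename|/home/alice/pics/c.jpeg -> /home/alice/pics/c.jpg
2024-05-01T09:00:09|git|create|/home/alice/src/README.md
2024-05-01T09:12:10|svc_update|rename|/home/alice/docs/q1-report.odt -> /home/alice/docs/q1-report.odt.lockd
2024-05-01T09:12:11|svc_update|rename|/home/alice/docs/budget.xlsx -> /home/alice/docs/budget.xlsx.lockd
2024-05-01T09:12:11|svc_update|create|/home/alice/docs/RESTORE_FILES.txt
2024-05-01T09:12:13|svc_update|rename|/home/alice/pics/a.jpg -> /home/alice/pics/a.jpg.lockd
2024-05-01T09:12:14|svc_update|rename|/home/alice/pics/b.jpg -> /home/alice/pics/b.jpg.lockd
2024-05-01T09:12:14|svc_update|create|/home/alice/pics/RESTORE_FILES.txt
2024-05-01T09:12:16|svc_update|rename|/home/alice/src/main.c -> /home/alice/src/main.c.lockd
2024-05-01T09:12:17|svc_update|rename|/home/alice/src/util.c -> /home/alice/src/util.c.lockd
2024-05-01T09:12:18|svc_update|create|/home/alice/src/RESTORE_FILES.txt
"""

# Words commonly seen in ransom-note file names; a constructed, deliberately
# small list that a real deployment would tune against its own baseline.
NOTE_KEYWORDS = ("readme", "restore", "recover", "decrypt", "how_to")


@dataclass
class Event:
    ts: datetime
    process: str
    action: str            # create | modify | rename
    path: str              # for renames, the new path
    old_path: Optional[str] = None


def parse_events(text: str) -> List[Event]:
    """Parse the constructed pipe-delimited log into Event records."""
    events = []
    for line in text.strip().splitlines():
        ts, proc, action, path = line.split("|", 3)
        old = None
        if action == "rename":
            old, path = [p.strip() for p in path.split("->", 1)]
        events.append(Event(datetime.fromisoformat(ts), proc, action, path, old))
    return events


def detect_mass_rename(events: List[Event], threshold: int = 5,
                       window: timedelta = timedelta(seconds=60)) -> List[Dict]:
    """Flag a process that changes >= threshold files to one new extension
    within `window`. A sliding window over sorted timestamps finds the
    densest burst per (process, extension) pair."""
    groups: Dict[tuple, List[datetime]] = defaultdict(list)
    for e in events:
        if e.action != "rename":
            continue
        new_ext = posixpath.splitext(e.path)[1]
        if new_ext and new_ext != posixpath.splitext(e.old_path)[1]:
            groups[(e.process, new_ext)].append(e.ts)
    alerts = []
    for (proc, ext), times in groups.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append({"type": "mass_rename", "process": proc,
                           "new_ext": ext, "count": best})
    return alerts


def detect_note_drops(events: List[Event], min_dirs: int = 3) -> List[Dict]:
    """Flag a process creating a note-like file name in >= min_dirs directories."""
    seen: Dict[tuple, set] = defaultdict(set)
    for e in events:
        if e.action != "create":
            continue
        name = posixpath.basename(e.path).lower()
        if any(k in name for k in NOTE_KEYWORDS):
            seen[(e.process, name)].add(posixpath.dirname(e.path))
    return [{"type": "note_drop", "process": p, "filename": n, "directories": len(d)}
            for (p, n), d in seen.items() if len(d) >= min_dirs]


def analyze(text: str) -> List[Dict]:
    """Run both heuristics over a log and return the combined alert list."""
    events = parse_events(text)
    return detect_mass_rename(events) + detect_note_drops(events)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

On the sample log the photo tool's three-file rename stays below the burst threshold and the single README is ignored, while `svc_update` triggers both a mass-rename alert (six files to `.lockd` within a few seconds) and a note-drop alert (the same file name in three directories). The thresholds and keyword list are the tuning knobs: too low and routine bulk operations such as build systems or photo tools page an analyst, too high and a slow, directory-by-directory encryptor slips under the window. In practice these heuristics complement, rather than replace, the layered controls listed above.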

Trend Micro Ransomware Protection

Last year, 83% of organizations faced multiple breaches costing $4.4 million each, while reducing risk exposure led to average savings of $1.3 million.

Trend Vision One™ – Attack Surface Risk Management (ASRM) dramatically reduces cyber risk with continuous discovery, real-time assessments, and automated mitigation across cloud, hybrid or on-premises environments.