Ransomware as a service (RaaS) is a cybercrime business model in which ransomware operators write the software and affiliates pay to launch attacks using it. Affiliates do not need technical skills of their own; they rely on those of the operators. The "ransomware as a service" model is a criminal variation of the "software as a service" (SaaS) business model.
This model gives less sophisticated threat actors access to advanced ransomware tooling at low cost, lowering the barrier to entry into cybercrime and complicating defense, since many unrelated affiliates may deploy the same ransomware family through different intrusion methods.
Revenue models
Affiliates can choose from different revenue models, including monthly subscriptions, affiliate programs, one-time license fees, and pure profit sharing. The most advanced RaaS operators provide portals that allow their subscribers to track the status of infections, payments, and encrypted files. This level of support and functionality is similar to that of legitimate SaaS products.
A common profit-sharing scheme gives the developer 20% and the affiliate the remaining 80%.
The RaaS market is highly competitive, with operators running marketing campaigns and building websites that mimic legitimate companies. Global revenue from ransomware attacks was approximately $20 billion in 2020, a measure of the financial success of the model.
In the first half of 2024, the average ransomware claim per attack exceeded $5.2 million, including a record victim payment of $75 million in March 2024.
The Microsoft Threat Intelligence Center (MSTIC) regards RaaS as different from earlier forms of ransomware because it no longer tightly links the tools, the initial entry vector and the payload choices; each may be supplied by a different party.
MSTIC also describes these operations as a double threat: they both encrypt data and exfiltrate it, threatening to publish it.
Extortion methods
Ransomware threat actors use different techniques to extort money from victims. Some of the main methods include:
Double extortion
In a double extortion ransomware attack, the threat actors first encrypt the victim's data. They then threaten to publicly release exfiltrated data if the ransom is not paid. This puts additional pressure on the victim to pay the ransom to avoid having sensitive data leaked.
According to analysis from cybersecurity firm Zscaler, 19 ransomware families adopted double or multi-extortion approaches in 2021. By 2022, this number grew to 44 families. Groups such as Babuk and SnapMC pioneered double extortion ransomware; other actors such as RansomHouse, BianLian, and Karakurt later adopted it as well.
Multiple extortion
Multiple extortion is a variant of double extortion. In addition to encrypting data and threatening to leak it, the threat actors launch DDoS attacks against the victim's website or infrastructure, adding a further source of pressure to pay.
Pure extortion
In a "pure extortion" or "encryption-less ransomware" attack, the threat actors exfiltrate sensitive data but do not encrypt any files. They threaten to publish the stolen data online if the ransom is not paid. This approach allows threat actors to skip the complex technical work of developing encryptors, and because nothing is encrypted, restoring from backups does not remove the attacker's leverage.
Groups like LAPSUS$ and Clop have used pure extortion techniques in high-profile attacks. Since victims' systems are not locked, this method tends to cause less disruption and draws less attention from authorities. However, the financial impact on targeted organizations can still be severe.
Main actors
Several well-known RaaS kits include Hive, DarkSide, REvil (also known as Sodinokibi), Dharma, and LockBit. These operators continually evolve and release new iterations of their ransomware to maximize its impact.
Other examples of RaaS kits include Locky, Goliath, Shark, Stampado, Jokeroo and Encryptor.
Hive garnered attention in April 2022 when it targeted Microsoft Exchange Server customers. The US Department of Justice seized two servers belonging to Hive, disrupting its operations.
DarkSide primarily targeted Windows machines but later expanded to Linux systems. It gained notoriety in the Colonial Pipeline incident, in which the company paid nearly $5 million to a DarkSide affiliate.
REvil is associated with PINCHY SPIDER (CrowdStrike's name for the group) and became known for demanding one of the largest ransoms on record: $10 million.
See also
* as a service
* Initial access broker