
Ransomware as a service

Ransomware as a service (RaaS) is a cybercrime business model in which ransomware developers (the operators) write and lease or sell their malware to other criminals, known as affiliates, who use it to run their own ransomware attacks. Affiliates typically need little technical skill of their own and rely on the operator's tooling: the model lowers the barrier to entry for attackers who cannot develop their own tools but can deploy and manage ready-made ones. Most arrangements split the proceeds between affiliate and operator, which makes successful ransomware and extortion attacks profitable for both parties.

Revenue models
Affiliates can choose from several revenue models, including monthly subscriptions, affiliate programs, one-time license fees, and pure profit sharing. These arrangements give operators a more consistent income while reducing their own exposure, since the affiliate carries the risk of the intrusion itself. Offering multiple payment options makes a RaaS platform accessible to a wider range of cybercriminals, attracts more affiliates, and ultimately increases the scale and frequency of ransomware attacks. The RaaS market is considered highly competitive, with operators running marketing campaigns and building websites that closely mimic those of legitimate businesses. Global revenue from ransomware attacks was approximately $20 billion in 2020, which highlights how financially successful RaaS can be. In the first half of 2024, the average ransomware claim per attack exceeded $5.2 million, and March 2024 saw a record single victim payment of $75 million. The Microsoft Threat Intelligence Center (MSTIC) distinguishes RaaS from earlier forms of ransomware by the absence of a tight link between the tools used, the initial access vector, and the choice of payload. It also characterises RaaS operations as a double threat: they encrypt data and at the same time exfiltrate it, threatening to publish it.
History and emergence
"Ransomware as a service" traces its roots to the early 2010s, when software as a service (SaaS) was gaining popularity. Cybercriminals saw the SaaS structure as a template that could be adapted for illicit use, and that adaptation gave rise to RaaS. Early successes encouraged other ransomware developers to build similar systems, which quickly led to a growing underground market in which ransomware could be bought, sold, or customized, and RaaS expanded rapidly in the years that followed. Over time the model became more organized and efficient, giving rise to a growing number of ransomware groups such as Hive, DarkSide, REvil, Dharma, and LockBit. These groups have carried the model worldwide, performing thousands of attacks against organizations and businesses in sectors they judge to be profitable.
Extortion methods
Ransomware threat actors use different techniques to extort money from victims. Some of the main methods include:

Double extortion
In a double extortion ransomware attack, the threat actors first encrypt the victim's data and then threaten to publicly release data they exfiltrated beforehand if the ransom is not paid. This puts additional pressure on the victim to pay in order to avoid having sensitive data leaked, and it defeats the defence of simply restoring from backup. According to analysis from the cybersecurity firm Zscaler, 19 ransomware families adopted double or multi-extortion approaches in 2021; by 2022 the number had grown to 44 families. Groups such as Babuk and SnapMC were early adopters of the approach, and other actors such as RansomHouse, BianLian, and Karakurt later adopted it as well.

Multiple extortion
Multiple extortion is a variant of double extortion. In addition to encrypting data and threatening to leak it, the threat actors also launch DDoS attacks against the victim's website or infrastructure, adding a further source of pressure to pay.

Pure extortion
In a "pure extortion" or "encryption-less ransomware" attack, the threat actors exfiltrate sensitive data but do not encrypt any files; they threaten to publish the stolen data online if the ransom is not paid. This approach lets threat actors skip the complex technical work of developing and maintaining encryptors. Groups such as LAPSUS$ and Clop have used pure extortion in high-profile attacks. Because the victim's systems are not locked, this method tends to cause less operational disruption and draws less attention from authorities, although the financial impact on the targeted organization can still be severe.
Prevention
Organizations and individuals can take several precautions to reduce the probability of being affected by cyber attacks, and by RaaS attacks in particular. The common precautions rely on a "multi-layered" defense strategy, including:
• User awareness
• Signature mapping
• Behavioral and heuristic-based detection
• Patching and updates
• Compliance
• File integrity monitoring
• Offline backups
RaaS significantly lowers the barrier to entry into cybercrime, allowing attackers of all skill levels to launch their own attacks and devastating campaigns. With well-organized operations, affiliate networks, and profit-sharing models, the model is likely to keep evolving and growing.
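Two of the layers listed above, file integrity monitoring and behavioural/heuristic detection, can be combined in a small host-side check. The following Python script is an added example written for this page, not code from the article or from any product: it takes a SHA-256 baseline of a directory, then flags a change burst in which many files were rewritten with near-random (high-entropy) content or renamed to one shared new extension, the footprint an encryptor leaves behind. The thresholds `ENTROPY_THRESHOLD` and `MIN_BURST`, the `.locked` extension and the document tree are illustrative assumptions; the "encryptor" is a constructed stand-in that only overwrites files in a temporary directory.

```python
"""Heuristic ransomware detection over a file-integrity baseline (added example)."""
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

ENTROPY_THRESHOLD = 7.5  # bits per byte; ciphertext sits near 8.0 (assumed cut-off)
MIN_BURST = 5            # assumed: this many suspect files in one sweep raises an alert


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the empirical byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def snapshot(root: Path) -> dict:
    """File integrity baseline: relative path -> SHA-256 of the contents."""
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*") if p.is_file()
    }


def analyse(root: Path, baseline: dict) -> dict:
    """Diff the tree against the baseline and score the change burst."""
    current = snapshot(root)
    modified = [p for p in baseline if p in current and current[p] != baseline[p]]
    deleted = [p for p in baseline if p not in current]
    added = [p for p in current if p not in baseline]
    # Heuristic 1: new or rewritten files whose contents look encrypted.
    high_entropy = [p for p in modified + added
                    if shannon_entropy((root / p).read_bytes()) >= ENTROPY_THRESHOLD]
    # Heuristic 2: many added files sharing a single new extension (".locked" etc.).
    ext_counts = Counter(Path(p).suffix for p in added)
    top_ext, top_ext_count = ext_counts.most_common(1)[0] if ext_counts else ("", 0)
    suspicious = len(high_entropy) >= MIN_BURST or top_ext_count >= MIN_BURST
    return {
        "modified": len(modified), "deleted": len(deleted), "added": len(added),
        "high_entropy": len(high_entropy), "top_new_ext": top_ext,
        "top_new_ext_count": top_ext_count, "suspicious": suspicious,
    }


def _simulate_encryptor(root: Path, extension: str = ".locked") -> None:
    """Constructed stand-in for an encryptor: replace each file with random bytes and a new suffix."""
    for p in [q for q in root.rglob("*") if q.is_file()]:
        p.with_name(p.name + extension).write_bytes(os.urandom(4096))
        p.unlink()


def run_demo() -> tuple:
    """Build a constructed document tree, take a baseline, then compare one benign
    edit against a simulated encryption run. Returns (benign_report, attack_report)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for i in range(10):  # constructed sample documents
            (root / f"report_{i}.txt").write_text(f"Quarterly figures, document {i}.\n" * 40)
        baseline = snapshot(root)

        (root / "report_0.txt").write_text("Quarterly figures, document 0 (revised).\n" * 40)
        benign = analyse(root, baseline)      # one edited text file: not suspicious

        _simulate_encryptor(root)
        attack = analyse(root, baseline)      # ten random-content .locked files: suspicious
    return benign, attack


if __name__ == "__main__":
    for name, report in zip(("benign edit", "simulated encryptor"), run_demo()):
        print(f"{name}: {report}")
```

In production the baseline would be stored off-host and the sweep run on a schedule or from file-system events; the entropy check alone is a weak signal (compressed archives also score near 8.0), which is why it is combined with the volume and extension heuristics rather than used on its own.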
Notable groups
Several well-known groups that have shaped the cybercrime ecosystem include:
• Hive: known for double-extortion tactics before its takedown by international law enforcement.
• DarkSide: known for professional branding, PR statements, and even a code of conduct.
• REvil (also known as Sodinokibi): offered detailed dashboards for affiliates and negotiated ransoms on their behalf before disbanding.
• Dharma: long-running, known for its volume of attacks and widespread recruitment of lower-skilled affiliates.
• LockBit: still active, known for aggressive tactics and publicly displayed leak sites.
These operators continually evolve and release new iterations of their ransomware to maximize impact. Examples of RaaS kits include Locky, Goliath, Shark, Stampado, Jokeroo and Encryptor. Hive drew attention in April 2022 when it targeted Microsoft Exchange Server customers; the US Department of Justice later seized two servers belonging to Hive, disrupting its operations. DarkSide primarily targeted Windows machines but expanded to Linux systems. It gained notoriety in the Colonial Pipeline incident, in which the company paid nearly $5 million to a DarkSide affiliate. REvil is associated with PINCHY SPIDER and became known for demanding one of the largest ransoms on record: $10 million.