Understanding Ransomware as a Service: How it Works and Why it's Dangerous

Ransomware has evolved significantly since its first discovery in the late 1980s. Since the first ransomware incident, when the AIDS Trojan was spread via floppy disks in 1989, ransomware has become a profitable business model for cybercriminals, particularly with the emergence of Ransomware as a Service (RaaS).

RaaS is a business model that allows cybercriminals to create and distribute ransomware on a rental or revenue-sharing basis, allowing both the developer and the renting criminal to profit from the same ransomware. This has made it easier for less technologically skilled criminals to carry out ransomware attacks. As a result, RaaS has become more widespread and profitable, since one ransomware family can reach multiple targeted organizations at once.

The average cost of a ransomware attack on a small business in 2021 was $178,254. This includes the ransom payment and other expenses associated with the attack, such as downtime costs, recovery costs, regulatory fines, legal fees, and even reputational damage. It is valuable to understand the mechanics of RaaS in order to determine the best course of action to combat or prevent such attacks in the future.

What is Ransomware as a Service (RaaS)?

Ransomware as a Service (RaaS) functions when ransomware developers lease their malware to other criminals who use it to carry out attacks. RaaS allows individuals or groups with little to no technical expertise to quickly launch ransomware attacks, increasing the scale and frequency of such threats.

In a typical RaaS model, the ransomware developer creates and maintains the malware while affiliates or customers use it to carry out attacks. Ransomware developers are typically responsible for distributing the malware, identifying targets, and negotiating ransom payments, and in return, they receive a percentage of the ransom paid by victims.

RaaS has lowered the barrier for entry-level cybercriminals to get involved in cybercrime and allowed new attackers to interact with skilled developers, allowing both parties to benefit and reach more victims.

RaaS has become a significant threat to organizations of all sizes, enabling ransomware-delivering phishing attacks to become more widespread and more targeted to maximize their chances of success.

It's become imperative that organizations implement comprehensive cyber security tools and strategies that include employee training, regular backups, phishing detection, advanced threat protection and response tools, and an incident response plan. Staying up-to-date on the latest threat intelligence is essential to be vigilant for signs of a potential ransomware attack. Guardian Digital has a wealth of cybersecurity guides on protecting against ransomware attacks and email security experts who can help you defend against these attacks at your company.

The Evolution of Ransomware-as-a-Service

Recently, ransomware gangs have started using a technique known as "double extortion," in which they steal and encrypt a victim's data and threaten to release it if the ransom is unpaid.

Data extortion attacks that do not involve encryption, also known as "leakware" or "doxware," have become increasingly common in recent years. These attacks include stealing sensitive data from an organization and using the threat of data exposure as leverage to extort payment.

Another evolution in the types of ransomware attacks is the use of advanced techniques such as fileless malware, which operates entirely in memory and can be challenging to detect. Threat actors also use social engineering tactics to trick victims into downloading ransomware, often using spear-phishing emails that are highly targeted and difficult to detect.

Ransomware attacks have become more targeted and sophisticated as threat actors use surveillance and intelligence-gathering techniques to identify high-value targets, exploiting vulnerabilities in their defenses. Some threat actors also engage in long-term phishing campaigns, compromising an organization's network over an extended period and exfiltrating sensitive data before deploying ransomware or carrying out a data extortion attack.

Ransomware gangs increasingly seek access to specific industries and organizations, such as hospitals and schools, which are more likely to pay a ransom to regain access to their data. Today, ransomware gangs constantly modify their tactics to evade detection and maximize profits. Using fileless malware or targeting remote desktop protocol (RDP) makes it more difficult to detect a gang gaining access to a victim's network.
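RDP access is hard to spot by eye but leaves a record in the Windows Security log. The following is an added example, not Guardian Digital's own code, that runs a small rule set over constructed log records modelled on event IDs 4624 (logon succeeded) and 4625 (logon failed), where logon type 10 denotes an RDP session. The simplified record format, the sample addresses (203.0.113.0/24 is the documentation range standing in for an internet address), the internal network list and the thresholds are all assumptions.

```python
"""Flag risky RDP logon activity in simplified Windows Security log records.

Added example (not from the article). Assumptions: each record carries the
event id, logon type, account and source IP that events 4624/4625 contain;
logon type 10 is RemoteInteractive (RDP); thresholds and internal ranges
below are placeholders an organization would set for itself.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, in the order they were written to the log.
SAMPLE_EVENTS = [
    {"time": "2021-06-01T02:14:05", "event_id": 4625, "logon_type": 10, "account": "admin",         "src_ip": "203.0.113.45"},
    {"time": "2021-06-01T02:14:09", "event_id": 4625, "logon_type": 10, "account": "administrator", "src_ip": "203.0.113.45"},
    {"time": "2021-06-01T02:14:13", "event_id": 4625, "logon_type": 10, "account": "backup",        "src_ip": "203.0.113.45"},
    {"time": "2021-06-01T02:14:18", "event_id": 4625, "logon_type": 10, "account": "admin",         "src_ip": "203.0.113.45"},
    {"time": "2021-06-01T02:14:22", "event_id": 4625, "logon_type": 10, "account": "sysadmin",      "src_ip": "203.0.113.45"},
    {"time": "2021-06-01T02:15:01", "event_id": 4624, "logon_type": 10, "account": "sysadmin",      "src_ip": "203.0.113.45"},
    {"time": "2021-06-01T09:03:40", "event_id": 4624, "logon_type": 10, "account": "jsmith",        "src_ip": "10.20.30.41"},
    {"time": "2021-06-01T09:10:00", "event_id": 4624, "logon_type": 3,  "account": "svc-backup",    "src_ip": "10.0.0.5"},
    {"time": "2021-06-01T11:00:00", "event_id": 4625, "logon_type": 10, "account": "jsmith",        "src_ip": "10.20.30.41"},
]

FAILED_THRESHOLD = 5             # assumption: 5 RDP failures from one IP in the window
WINDOW = timedelta(minutes=10)   # assumption: sliding window for counting failures
# assumption: the organization's internal ranges; anything else is "external"
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_external(ip: str) -> bool:
    """True when the source address is outside the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def analyze(events):
    """Return a list of findings (dicts with a 'rule' key) for RDP logon events."""
    findings = []
    failures = defaultdict(list)   # src_ip -> timestamps of recent RDP failures
    burst_alerted = set()          # IPs already reported for a failure burst
    for ev in events:
        if ev["logon_type"] != 10:   # only RDP (RemoteInteractive) logons matter here
            continue
        t = datetime.fromisoformat(ev["time"])
        ip = ev["src_ip"]
        if ev["event_id"] == 4625:
            # keep only failures inside the sliding window, then add this one
            recent = [x for x in failures[ip] if t - x <= WINDOW] + [t]
            failures[ip] = recent
            if len(recent) >= FAILED_THRESHOLD and ip not in burst_alerted:
                burst_alerted.add(ip)
                findings.append({"rule": "rdp_failure_burst", "src_ip": ip,
                                 "account": ev["account"], "time": ev["time"],
                                 "count": len(recent)})
        elif ev["event_id"] == 4624:
            base = {"src_ip": ip, "account": ev["account"], "time": ev["time"]}
            if is_external(ip):
                findings.append({"rule": "rdp_logon_from_external_ip", **base})
            if [x for x in failures[ip] if t - x <= WINDOW]:
                # a success shortly after failures from the same source
                findings.append({"rule": "rdp_success_after_failures", **base})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f)
```

On the constructed records this yields three findings from 203.0.113.45: a failure burst, an RDP logon from an external address, and a success immediately after that burst. The internal user's single failure and the non-RDP service logon produce nothing, which is the point of keying on logon type rather than on event ID alone.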

Understanding the RaaS Business Model

The Ransomware-as-a-service (RaaS) business model enables non-technical criminals to launch sophisticated ransomware attacks without developing or maintaining the necessary tools and infrastructure themselves. Instead, RaaS providers offer ransomware and its supporting infrastructure for rent or purchase to other cybercriminals, known as "customers."

Here's how the RaaS business model works:

  1. RaaS providers develop and maintain ransomware software and infrastructure, such as command-and-control servers, payment gateways, and decryption keys. They then offer this ransomware and infrastructure to potential customers.
  2. Customers pay a fee or percentage of the ransom payments to the RaaS provider in exchange for access to the ransomware and infrastructure.
  3. Customers identify and target victims, infect their systems with the ransomware, and demand payment in exchange for the decryption key that would unlock the victim's files.

RaaS providers may offer various pricing models to their customers, such as a percentage of the ransom payments from each successful attack, a monthly or yearly subscription fee for access to the ransomware and infrastructure, or a combination of both.

The RaaS business model has several benefits for threat actors, including:

  1. Easy access to sophisticated ransomware tools and infrastructure without developing them from scratch. This makes entry for cybercriminals more accessible and increases the number of potential attackers.
  2. Low startup costs, as the threat actors can rent or purchase the tools and infrastructure rather than invest in the development and maintenance themselves.
  3. Reduced risk of detection and prosecution, as RaaS providers often operate from countries with more relaxed cybersecurity laws and regulations.

The most well-known RaaS groups include DarkSide, REvil, and Avaddon. These groups are known for their involvement in high-profile ransomware breaches, such as the Colonial Pipeline attack in May 2021, the JBS attack in June 2021, and the attacks on healthcare and financial organizations attributed to Avaddon.

RaaS providers recruit customers through various means, such as online forums, social media, and dark web marketplaces. Providers offer customers training, support, and a percentage of the ransom payments, incentivizing them to carry out attacks successfully. These organizers may use sophisticated marketing tactics to maximize their profits and attract potential customers. For example, they may offer discounts for high-profile targets or promote their ransomware tools as "undetectable" by antivirus software.

Sometimes, RaaS providers extend customer support to their victims to facilitate the ransom payment. This may include providing a decryption key once the ransom is paid or offering advice on how to obtain cryptocurrency to pay the ransom.

Overall, the RaaS business model has proven to be a lucrative and effective way for cybercriminals to profit from ransomware and the phishing attacks that deliver it. However, law enforcement agencies and cybersecurity professionals are increasingly focusing on disrupting RaaS groups and prosecuting their members to mitigate the damage caused by these attacks.

Most Effective Variants Used in RaaS Attacks

Many types of ransomware are used in Ransomware-as-a-Service (RaaS) attacks, each with its own features and capabilities. Some of the most effective types of ransomware used in RaaS attacks include:

  • Ryuk: Ryuk first emerged in August 2018 and has since become one of the world's most widely used ransomware families. It is typically distributed through spear phishing emails or remote desktop protocol (RDP) attacks. It is known for its ability to encrypt large volumes of files in a short amount of time. Ryuk is also known for using a custom-built encryption algorithm that makes it difficult to decrypt files without paying the ransom.
  • Sodinokibi (REvil): Sodinokibi, also known as REvil, is a sophisticated ransomware that first appeared in April 2019. It is often distributed through exploit kits, malvertising, or spear phishing emails and is known for its ability to evade detection by antivirus and email security software. Sodinokibi is also known for using double extortion tactics: encrypting the victim's files, stealing sensitive data, and threatening to publish it online if the ransom is not paid.
  • Maze: Maze first appeared in May 2019 and is known for its complex and advanced features. It is typically distributed through phishing email attacks or exploiting vulnerabilities in remote access tools. It is known for using various obfuscation techniques that make detecting and analyzing the threat difficult. Maze also uses double extortion tactics and publicly shames victims who refuse to pay the ransom.
  • DoppelPaymer: DoppelPaymer is a ransomware that first appeared in early 2020 and is known for its speed and efficiency. It is typically distributed through phishing email attacks or exploiting vulnerabilities in remote access tools. It is known for using a fast and powerful encryption algorithm to encrypt large file volumes in seconds. DoppelPaymer also exploits double extortion tactics and has the ability to exfiltrate sensitive data from the victim's network before encrypting their files.
  • DarkSide: DarkSide is a RaaS group that gained notoriety for the attack on Colonial Pipeline in May 2021. The group operates as a business, offering ransomware tools and infrastructure to other cybercriminals, and reportedly takes a 10-25% cut of the ransom payments.
  • REvil: REvil is another RaaS group responsible for several high-profile attacks, including the one on meat-processing company JBS in June 2021. The group offers ransomware tools, infrastructure, and a "customer service" portal for victims to negotiate and pay the ransom.
  • Avaddon: Avaddon is a relatively new RaaS group that emerged in late 2020. The group offers ransomware tools and infrastructure and has been linked to attacks against organizations in the healthcare and financial sectors.

These are just a few examples of the most effective types of ransomware attacks utilized in RaaS operations. As the ransomware landscape evolves, new and more advanced types will likely emerge, making it increasingly difficult for organizations to defend against these attacks. 

Organizations should implement comprehensive cyber security tools and strategies that include regular backups, employee training, and advanced threat detection and response tools to mitigate the risks of a ransomware attack.

What Are the Shortcomings of Default Security Against RaaS?

Static, single-layered email security defenses such as endpoint threat protection or built-in Microsoft 365 email security are no longer effective in protecting organizations from the rapidly changing methods of attackers. This is especially true of ransomware attacks.

With a multi-layered, adaptive design, Guardian Digital EnGarde Cloud Email Security detects and blocks ransomware threats in real time, with its layers working together to offer greater protection. The critical component of our fully managed email security services is the level of support required to provide peace of mind for your business. Our unique combination of features and attributes offers the best protection by addressing common third-party and default email security issues and weaknesses to reduce risk and prevent malicious threats from taking action.

Keep Learning about Ransomware-as-a-Service

Ransomware attacks have evolved significantly over the past five years, becoming more sophisticated and profitable for threat actors. It is impossible to block ransomware completely at its two most common points of entry: email and websites. You can, however, take steps at the email security software level to reduce ransomware attacks and cyber threats.

The most effective method to prevent lasting damages caused by ransomware is to back up and verify your system regularly. Despite this, a ransomware attack may delete or encrypt your backed-up data, so businesses should consider all their options to bolster their security plan. 
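Regular backups only help if they are verified against a record kept out of the attacker's reach, since a backup that has itself been encrypted restores nothing. The following is an added example, not Guardian Digital's own code, that builds a SHA-256 manifest of a backup tree and later checks the tree against it, reporting missing, modified and unexpected files and flagging modified files whose content now looks encrypted. The directory layout, the sample files, the ransom-note name and the entropy threshold are all constructed assumptions; in practice the manifest would live on offline or write-once storage.

```python
"""Backup manifest and verification for catching tampered or encrypted backups.

Added example, not the article's code. Assumptions: backups are plain files
under one directory; the manifest is stored separately from the backup;
the entropy threshold is a heuristic, not a standard.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter

ENTROPY_THRESHOLD = 7.5   # assumption: bits per byte above this looks encrypted/compressed
HASH_CHUNK = 1 << 16      # read files in 64 KiB pieces when hashing


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(HASH_CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: close to 8.0 for random or encrypted data, much lower for text."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def build_manifest(root):
    """Map each file under root (relative path) to its SHA-256 hash and size."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            manifest[rel] = {"sha256": sha256_of(full), "size": os.path.getsize(full)}
    return manifest


def verify_backup(root, manifest):
    """Compare the backup tree against a trusted manifest.

    Returns a report listing missing, modified and unexpected files, plus the
    subset of modified files whose content now looks encrypted.
    """
    current = build_manifest(root)
    missing = sorted(set(manifest) - set(current))
    unexpected = sorted(set(current) - set(manifest))   # e.g. a dropped ransom note
    modified = sorted(rel for rel in manifest
                      if rel in current and current[rel]["sha256"] != manifest[rel]["sha256"])
    suspect = []
    for rel in modified:
        with open(os.path.join(root, rel), "rb") as f:
            sample = f.read(1 << 20)   # the first 1 MiB is enough for the heuristic
        if shannon_entropy(sample) > ENTROPY_THRESHOLD:
            suspect.append(rel)
    ok = not (missing or unexpected or modified)
    return {"ok": ok, "missing": missing, "modified": modified,
            "unexpected": unexpected, "suspect_encrypted": suspect}


def demo():
    """Constructed scenario: record a manifest, then simulate a ransomware hit on the backup."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "db"))
        with open(os.path.join(root, "db", "customers.sql"), "w") as f:
            f.write("INSERT INTO customers VALUES (1, 'alice');\n" * 200)
        with open(os.path.join(root, "config.ini"), "w") as f:
            f.write("[server]\nport = 8080\n")
        manifest = build_manifest(root)           # in practice: stored offline
        clean_report = verify_backup(root, manifest)
        # Simulate the attack: one file overwritten with random bytes, a note added.
        with open(os.path.join(root, "db", "customers.sql"), "wb") as f:
            f.write(os.urandom(8192))
        with open(os.path.join(root, "README_RESTORE.txt"), "w") as f:
            f.write("your files are encrypted\n")
        return clean_report, verify_backup(root, manifest)


if __name__ == "__main__":
    before, after = demo()
    print("clean backup ok:", before["ok"])
    print("after simulated attack:", after)
```

The first verification passes; the second reports the overwritten SQL dump as modified and as likely encrypted (its entropy is close to 8 bits per byte) and the note as an unexpected file. A hash mismatch alone already means the backup cannot be trusted; the entropy check just tells the responder which kind of damage to expect.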

Organizations must incorporate comprehensive cyber security tools and strategies such as regular backups, employee training, and advanced threat protection tools to mitigate the risk of any ransomware attack. It is also essential to have an incident response plan that can be quickly activated during a ransomware attack.
