Understanding Ransomware as a Service: How it Works and Why it's Dangerous
- by Dave Wreski

Ransomware has evolved significantly since the first recorded incident in 1989, when the AIDS Trojan was spread via floppy disks. It has since become a profitable business model for cybercriminals with the emergence of Ransomware as a Service (RaaS), in which ransomware authors create and distribute ransomware to other criminals in exchange for a percentage of the profits.
RaaS is a business model in which threat actors provide ransomware to other cybercriminals on a rental or revenue-sharing basis. This has lowered the barrier to entry for ransomware attacks, making it easier for less technically skilled cybercriminals to carry out attacks. RaaS has also enabled ransomware attacks to become more widespread and profitable, as multiple affiliates can use the same ransomware to target different organizations.
The average cost of a ransomware attack on a small business in 2021 was $178,254. This includes the ransom payment, as well as other costs associated with the attack, such as downtime costs, recovery costs, regulatory fines, legal fees and even reputational damage.
What is Ransomware as a Service (RaaS)?
Ransomware as a Service (RaaS) is a business model in which ransomware developers lease their malware to other criminals who use it to carry out attacks. RaaS allows individuals or groups with little to no technical expertise to easily launch ransomware attacks, increasing the scale and frequency of these attacks.
In a typical RaaS model, the ransomware developer creates and maintains the malware, while affiliates or customers use the malware to carry out attacks. Affiliates are typically responsible for distributing the malware, identifying targets, and negotiating ransom payments. In return, they receive a percentage of the ransom paid by victims.
RaaS has lowered the barrier to entry for cybercriminals to carry out ransomware attacks, making it easier for less technically skilled individuals to become involved in cybercrime. It has also made ransomware attacks more profitable for the developers, as they can sell their malware to multiple affiliates, who in turn can launch attacks on multiple victims.
RaaS has become a significant threat to organizations of all sizes, as it has enabled ransomware attacks to become more widespread and more targeted. Ransomware developers and affiliates can target specific industries or organizations, and tailor their attacks to maximize their chances of success.
It has become imperative that organizations implement a comprehensive cybersecurity strategy that includes employee training, regular backups, advanced threat detection and response tools, and an incident response plan. It is also important to stay up to date on the latest threat intelligence and to be vigilant for signs of a potential ransomware attack. Guardian Digital has a wealth of cybersecurity guides on how to protect against ransomware attacks, as well as email security experts who can help you defend against these attacks at your company.
The Evolution of Ransomware-as-a-Service
Recently, ransomware gangs have started using a technique known as "double extortion," in which they not only encrypt a victim's data but also steal it and threaten to release it if the ransom is not paid.
Data extortion attacks that do not involve encryption, also known as "leakware" or "doxware," have become increasingly common in recent years. These attacks involve stealing sensitive data from an organization and threatening to release it publicly unless a ransom is paid. Unlike traditional ransomware attacks, data extortion attacks do not encrypt the victim's data, but instead use the threat of data exposure as leverage to extort payment.
Another evolution in ransomware attacks is the use of advanced techniques such as fileless malware, which operates entirely in memory and can be difficult to detect. Threat actors also use social engineering tactics to trick victims into downloading malware, often using spear-phishing emails that are highly targeted and difficult to detect.
In addition, ransomware attacks have become more targeted and sophisticated, with threat actors using reconnaissance and intelligence gathering techniques to identify high-value targets and exploit vulnerabilities in their defenses. Some threat actors also engage in long-term campaigns, compromising an organization's network over an extended period of time and exfiltrating sensitive data before deploying ransomware or carrying out a data extortion attack.
Ransomware gangs are increasingly targeting specific industries and organizations, such as hospitals and schools, which are more likely to pay a ransom to regain access to their data.
Today, ransomware gangs are constantly evolving their tactics to evade detection and maximize profits. For example, they may use fileless malware, which is more difficult to detect, or target remote desktop protocol (RDP) to gain access to a victim's network.
Understanding the RaaS Business Model
Ransomware-as-a-service (RaaS) is a criminal business model that enables non-technical criminals to launch sophisticated ransomware attacks without having to develop or maintain the necessary tools and infrastructure themselves. Instead, RaaS providers offer ransomware tools and infrastructure for rent or purchase to other cybercriminals, who are known as "customers."
Here's how the RaaS business model works:
- RaaS providers develop and maintain ransomware software and infrastructure, such as command-and-control servers, payment gateways, and decryption keys. They then offer this ransomware and infrastructure to potential customers.
- Customers pay a fee or percentage of the ransom payments to the RaaS provider in exchange for access to the ransomware and infrastructure.
- Customers identify and target victims, infect their systems with the ransomware, and demand payment in exchange for the decryption key to unlock the victim's files.
RaaS providers may offer various pricing models to their customers, such as a percentage of the ransom payments from each successful attack, a monthly or yearly subscription fee for access to the ransomware and infrastructure, or a combination of both.
The RaaS business model has several benefits for threat actors, including:
- Easy access to sophisticated ransomware tools and infrastructure without having to develop them from scratch. This lowers the barriers to entry for cybercriminals and increases the number of potential attackers.
- Low startup costs, as the threat actors can rent or purchase the tools and infrastructure rather than investing in the development and maintenance themselves.
- Reduced risk of detection and prosecution, as the RaaS providers often operate from countries with lax cybersecurity laws and regulations.
Some of the most well-known RaaS groups include DarkSide, REvil, and Avaddon. These groups are known for their involvement in high-profile ransomware attacks, such as the Colonial Pipeline attack in May 2021, the JBS attack in June 2021, and the attacks on healthcare and financial organizations attributed to Avaddon.
RaaS providers recruit customers through various means, such as online forums, social media, and dark web marketplaces. The providers offer a percentage of the ransom payments as an incentive for customers to carry out attacks. Some RaaS providers also offer training and support to customers to help them carry out successful attacks.
To maximize their profits, RaaS providers may use sophisticated marketing tactics to attract potential customers. For example, they may offer discounts for high-profile targets or promote their ransomware tools as "undetectable" by antivirus software.
In addition to providing ransomware tools and infrastructure, some RaaS providers offer customer support to their victims to facilitate the payment of the ransom. This may include providing a decryption key once the ransom is paid, or offering advice on how to obtain cryptocurrency to pay the ransom.
Overall, the RaaS business model has proven to be a lucrative and effective way for cybercriminals to profit from ransomware attacks. However, law enforcement agencies and cybersecurity professionals are increasingly focusing on disrupting RaaS groups and prosecuting their members, in an effort to mitigate the damage caused by these attacks.
Most Effective Variants Used in RaaS Attacks
There are many different types of ransomware used in Ransomware-as-a-Service (RaaS) attacks, each with its own unique features and capabilities. Some of the most effective ransomware families, and the RaaS groups that operate them, include:
- Ryuk: Ryuk is a type of ransomware that first emerged in August 2018 and has since become one of the most widely used ransomware families in the world. It is typically distributed through spear-phishing emails or via remote desktop protocol (RDP) attacks, and is known for its ability to encrypt large volumes of files in a short amount of time. Ryuk is also known for its use of a custom-built encryption algorithm that makes it difficult to decrypt files without paying the ransom.
- Sodinokibi (REvil): Sodinokibi, also known as REvil, is a sophisticated ransomware that first appeared in April 2019. It is often distributed through exploit kits, malvertising, or phishing emails, and is known for its ability to evade detection by antivirus software. Sodinokibi is also known for its use of double extortion tactics, where it not only encrypts the victim's files but also steals sensitive data and threatens to publish it online if the ransom is not paid.
- Maze: Maze is a type of ransomware that first appeared in May 2019 and is known for its complex and advanced features. It is typically distributed through phishing emails or by exploiting vulnerabilities in remote access tools, and is known for its use of a variety of obfuscation techniques that make it difficult to detect and analyze. Maze is also known for its use of double extortion tactics and for its practice of publicly shaming victims who refuse to pay the ransom.
- DoppelPaymer: DoppelPaymer is a ransomware that first appeared in early 2020 and is known for its speed and efficiency. It is typically distributed through phishing emails or by exploiting vulnerabilities in remote access tools, and is known for its use of a fast and powerful encryption algorithm that can encrypt large volumes of files in a matter of seconds. DoppelPaymer is also known for its use of double extortion tactics and for its ability to exfiltrate sensitive data from the victim's network before encrypting their files.
- DarkSide: DarkSide is a RaaS group that gained notoriety for the attack on Colonial Pipeline in May 2021. The group operates as a business, offering ransomware tools and infrastructure to other cybercriminals, and reportedly takes a 10-25% cut of the ransom payments.
- REvil: REvil is another RaaS group that has been responsible for several high-profile attacks, including the one on meat-processing company JBS in June 2021. The group offers ransomware tools and infrastructure, as well as a "customer service" portal for victims to negotiate and pay the ransom.
- Avaddon: Avaddon is a relatively new RaaS group that emerged in late 2020. The group offers ransomware tools and infrastructure, and has been linked to attacks against organizations in the healthcare and financial sectors.
These are just a few examples of the most effective ransomware used in RaaS attacks. As the ransomware landscape continues to evolve, it is likely that new and more advanced types of ransomware will emerge, making it increasingly difficult for organizations to defend against these attacks. To mitigate the risks of a ransomware attack, organizations should implement a comprehensive cybersecurity strategy that includes regular backups, employee training, and the use of advanced threat detection and response tools.
What Are the Shortcomings of Built-In Security Against RaaS?
Static, single-layered email security defenses such as endpoint protection or built-in Microsoft 365 email security are no longer effective in protecting organizations from the rapidly changing methods of attackers. This is especially true of ransomware attacks.
With a multi-layered, adaptive design, Guardian Digital EnGarde Cloud Email Security detects and blocks ransomware threats in real time, with its layers working together to offer greater protection. A critical component of our fully managed service is the level of support required to provide peace of mind for your business. Our unique combination of features and attributes provides the best protection by addressing common weaknesses of third-party and default email security, reducing risk and protecting against today's malicious threats.
Keep Learning about Ransomware as a Service
Ransomware attacks have evolved significantly over the past five years, becoming more sophisticated and profitable for threat actors. It is impossible to block ransomware completely at its two most common points of entry: email and websites. You can, however, take steps at the system level to reduce ransomware attacks and cyber threats.
The most effective way to prevent lasting damage from ransomware is to back up your systems and verify those backups regularly. Even so, a ransomware attack may delete or encrypt backed-up data, so businesses should consider all of their options to bolster their security plan.
To mitigate the risk of a ransomware attack, organizations need to implement a comprehensive cybersecurity strategy that includes regular backups, employee training, and advanced threat detection and response tools. It is also important to have an incident response plan in place that can be quickly activated in the event of a ransomware attack.