Ransomware-as-a-service (RaaS) is a pay-for-use subscription mannequin on the darkish internet the place builders license out malware to different events to execute focused ransomware assaults. 

RaaS is marketed on the darkish internet with various value factors the place anyone can merely login and purchase ransomware kits off-the-shelf to launch an assault. That is what makes RaaS so harmful, as even a novice hacker with restricted coding expertise will pay and use already-developed malicious software program to launch focused assaults. As soon as the hacker will get entry into the goal group, they use malicious malware to exfiltrate and encrypt information after which use double extortion strategies to blackmail the group.

World ransomware harm prices are predicted to value round $265 billion (USD) by 2031. It’s this lure of large financial features that has led to the emergence of newer and extra refined strategies like RaaS.

How ransomware-as-a-service works

The RaaS mannequin includes two events: builders and associates. Builders are accountable for creating and leasing out ready-to-use code to different attackers known as associates. Associates are those who launch the ransomware assault. As soon as the associates efficiently ship the payload, they obtain a share of the ransom cash.

Associates are educated on technical particulars and supplied with detailed guides on launching ransom assaults. These associates are additionally supplied with 24/7 assist and entry to group boards.  

RaaS kits could be purchased:

  • For a set month-to-month charge
  • For a one-time license charge
  • On an affiliate foundation, with criminals paying a decrease month-to-month charge whereas the service supplier retains about 25% of the ransoms
  • On a revenue sharing or “no ransom no charge” foundation

Whereas focused ransomware gangs use plenty of techniques to achieve entry to unsuspecting customers’ networks, phishing emails are one of the crucial widespread strategies of focusing on a sufferer’s community. These emails include contaminated hooked up Phrase paperwork, and when an worker clicks on the malicious hyperlink, the malware will get downloaded routinely.

Phases of a RaaS assault

A RaaS assault takes place in a number of phases, starting with preliminary entry and continuing to unfold all through the community earlier than exfiltrating and encrypting information, and at last demanding a ransom.

  1. Preliminary entry stage: This is step one, the place customers are tricked into clicking on an contaminated file.
  2. Command and management: As soon as contained in the community, the malware connects to the hacker’s command-and-control heart and establishes communication.
  3. Staging: On this stage, the ransomware establishes a foothold, and privilege escalation happens. It steals credentials and features entry to a very powerful property of the community.
  4. Growth: In growth mode, the ransomware begins lateral motion and spreads all through the community. When the attackers have sufficiently contaminated the community, they will then proceed to extortion.
  5. Information exfiltration: Information exfiltration is a standard approach of contemporary ransomware assaults. Dangerous actors exfiltrate information and use double and even triple extortion strategies to blackmail corporations to offer in to their calls for.
  6. Information encryption: As soon as information exfiltration is completed, attackers use a mix of symmetric and uneven encryption to render the information ineffective.
  7. Ransom observe: The assault ends with the supply of the ransom observe requesting the cost phrases and a risk to share the exfiltrated information if situations should not complied with.

Examples of ransomware-as-a-service

Though many types of RaaS are by nature secretive and continuously evolving, some have gained sufficient notoriety to be extensively recognized on account of their success in executing large-scale assaults. Some examples embody DarkSide, LockBit, REvil, and Ryuk.


DarkSide is a cybercriminal group that sells RaaS to different hackers in alternate for earnings. DarkSide first emerged in August 2020 and rapidly unfold to over 15 nations, focusing on organizations throughout a swath of industries. 

This is identical group that was accountable for the Colonial Pipeline ransomware incident, which accurately introduced the East Coast to a grinding halt.


Launched in 2019, LockBit is among the most harmful malware round. Whereas initially this group remained within the shadow of different well-known gangs like REvil and Ryuk, it got here into the limelight within the second half of 2021. And by the primary quarter of 2022, it had already turn into probably the most extensively used ransomware variant. 

If we go by the gang’s claims, they’ve focused over 12,125 organizations. LockBit is infamous for utilizing double extortion strategies the place they steal the information after which threaten to publish confidential data if the group doesn’t pay up.  


REvil, or Sodinokibi, is a RaaS variant shaped in 2019 that’s accountable for quite a few high-profile ransomware circumstances. Examples embody the JBS USA case, the place the meals processing firm needed to pay $11 million ransom cash in bitcoins, and the Kaseya assault that compromised over 1,000 corporations. 

Aside from the same old methodology of encrypting information and demanding cash, REvil additionally makes use of double extortion strategies of threatening its victims to leak the stolen data in public if the ransom quantity shouldn’t be paid.


Ryuk is a human-operated focused ransomware that assaults high-value establishments like media retailers and authorities businesses which have the potential to pay giant sums of ransom cash. 

Originating in 2018, Ryuk makes use of open-source instruments and handbook hacking strategies to achieve entry into techniques. As soon as the information is encrypted, the Ryuk group calls for a ransom in bitcoins. 

Thus far, the gang has earned over $150 million in ransom, making it one of the crucial infamous within the commerce. Whereas it’s not clear who owns Ryuk, it’s generally attributed to Wizard Spider, a cybercrime group based mostly in Russia.  

shield your self from RaaS assaults

Fortunately, there are methods to shield your group from ransomware assaults. Listed below are some greatest practices you may implement to stave off prison assaults.

Safety consciousness coaching

It is advisable to prepare your employees to spot ransomware assaults. For that, you will need to conduct complete safety consciousness coaching that features figuring out social engineering strategies and phishing emails, in addition to collaborating in penetration checks and safety ability checks to be recurrently up to date based mostly on the most recent RaaS threats.

Community segmentation

As soon as malware enters your laptop, it might probably rapidly infect the whole community by way of lateral motion. Thus, it’s smart to phase your community into smaller sub-networks in order that even when it will get contaminated, you may isolate infections to as few machines as potential.

Observe a zero-trust strategy to safety

Zero belief safety is an strategy that works on the precept of not trusting any machine or particular person except authenticated. Steps embody verifying customers, implementing multifactor authentication (MFA), and permitting least privilege entry to restrict the blast radius of criminals attempting to achieve unauthorized entry.

Replace recurrently

Hackers are all the time trying to exploit vulnerabilities in techniques and networks. Make sure that your working techniques and software program are up to date and patched recurrently to forestall hackers from exploiting vulnerabilities. Additionally, encourage your staff to make use of sturdy passwords and make it a behavior to vary them recurrently.

Carry out common backups

It may be tough to decrypt information that has been encrypted by ransomware; due to this fact, you will need to again up your information at common intervals to a number of places. Thus, even when your techniques get hacked, a minimum of you may have a clear copy of your information residing elsewhere.

Endpoint safety

Endpoints function a straightforward level for hackers to interrupt into your company community. Thus, securing endpoint units is crucial to take away any weak hyperlinks. Put measures in place to trace all endpoint units and run endpoint safety software program in order that your safety operations groups can spot a ransomware assault.

Ceaselessly Requested Questions (FAQ)

By the use of summarizing a number of the factors of this text, listed here are a number of fast questions you or your staff might need about how RaaS compares to different ransomware or malware fashions.

What’s a ransomware-as-a-service mannequin?

The ransomware-as-a-service (RaaS) mannequin is a subscription-based system designed to supply beginner hackers entry to ready-made ransomware code to simply launch ransomware assaults with minimal programming. They will accomplish that by shopping for RaaS kits from the darkish internet.

How fashionable Is ransomware-as-a-service?

Cybercriminals are more and more utilizing RaaS to extort ransom cash from hundreds of organizations of each dimension. In truth, the variety of RaaS and different extortion teams grew by 63.2% in the course of the first quarter of 2022 when in comparison with the earlier 12 months.

Backside line: Defending towards RaaS assaults

Ransomware operators are adept at bypassing the safety defenses of even the biggest organizations. In such a situation, it pays to be additional cautious. Whereas there isn’t a approach to fully stop ransomware, organizations can undertake a hypervigilant strategy and shore up their safety defenses in order to reply effectively to cybersecurity incidents. 

Be taught extra in our ransomware collection:

Already been focused? Listed below are the greatest restoration options to get your information again as rapidly as potential.

Supply hyperlink

By Samy