What is Ransomware as a Service (RaaS)?
Ransomware as a Service (RaaS) is a business model between ransomware operators and affiliates in which affiliates pay to launch ransomware attacks developed by operators. Think of ransomware as a service as a variation of the software as a service (SaaS) business model.
RaaS kits allow affiliates lacking the skill or time to develop their own ransomware variant to be up and running quickly and affordably. They are easy to find on the dark web, where they are advertised in the same way that goods are advertised on the legitimate web.
A RaaS kit may include 24/7 support, bundled offers, user reviews, forums and other features identical to those offered by legitimate SaaS providers. The price of RaaS kits ranges from $40 per month to several thousand dollars – trivial amounts, considering that the average ransom demand in 2021 was $6 million. A threat actor doesn’t need every attack to be successful in order to become rich.
How the RaaS Model Works
The table below outlines the roles operators and affiliates play in the RaaS model:
| RaaS Operators | RaaS Affiliates |
|---|---|
| Recruits affiliates on forums | Pays to use the ransomware; agrees on a service fee per collected ransom |
| Gives affiliates access to a “build your own ransomware package” panel; creates a dedicated “Command and Control” dashboard for the affiliate to track the package | Targets victims; sets ransom demands; configures post-compromise user messages |
| | Compromises the victim’s assets; maximizes the infection using “living off the land” techniques; executes the ransomware |
| Sets up a victim payment portal; “assists” affiliates with victim negotiations | Communicates with the victim via chat portals or other communication channels |
| Manages a dedicated leak site | Manages decryption keys |
There are four common RaaS revenue models:
1. Monthly subscription for a flat fee
2. Affiliate programs, which work like the monthly fee model but with a percentage of the profits (typically 20-30%) going to the ransomware developer
3. One-time license fee with no profit sharing
4. Pure profit sharing
The most sophisticated RaaS operators offer portals that let their subscribers see the status of infections, total payments, total files encrypted and other information about their targets. An affiliate can simply log into the RaaS portal, create an account, pay with Bitcoin, enter details on the type of malware they wish to create and click the submit button. Subscribers may have access to support, communities, documentation, feature updates and other benefits identical to those received by subscribers to legitimate SaaS products.
The RaaS market is competitive. In addition to RaaS portals, RaaS operators run marketing campaigns and have websites that look exactly like your own company’s campaigns and websites. They produce videos and white papers, and are active on Twitter. RaaS is business, and it’s big business: total ransomware revenues in 2020 were around $20 billion, up from $11.5 billion the previous year.
Some well-known examples of RaaS kits include Locky, Goliath, Shark, Stampado, Encryptor and Jokeroo, but there are many others, and RaaS operators regularly disappear, reorganize and re-emerge with newer and better ransomware variants.