What Is Ransomware-as-a-Service?
Ransomware-as-a-Service (RaaS) is a form of criminal enterprise in which established ransomware gangs (also known as ransomware operators) contract out their service, namely deploying ransomware against a target and then extorting payment, to affiliates. Most RaaS operations use a revenue-sharing model: the operators pay the affiliate a percentage of the ransom in exchange for initial access to a target network. This model splits the ransomware attack sequence into two distinct phases: gaining initial access, and a second stage in which the attackers locate, encrypt and often exfiltrate valuable data before demanding payment. By dividing the work this way, operator and affiliate each bring their specialized skills to bear, which raises the overall chance of success. A second RaaS model exists in which affiliates pay a subscription or flat fee to buy ransomware payloads from the operators.
The two most common RaaS business models:
1. Profit-Sharing Model
The ransomware operator collects the ransom and shares a percentage with the affiliate. This is the most common model for situations in which affiliates provide initial access.
2. Subscription or Flat-Fee Model
Affiliates pay either a periodic (monthly) subscription or a one-time fee for a DIY copy of the ransomware payload, known as a ransomware kit. The purchaser configures the ransomware kit and deploys it against the chosen target.
RaaS is one of the biggest drivers behind ransomware's aggressive growth because it lets would-be threat actors who lack advanced intrusion skills partner with highly skilled malware developers and experienced operators. This division of labor increases the potency of the attack by allowing each party to focus on the part of the attack chain it does best.
Collectively, ransomware gangs extorted more than $600 million from their victims in 2021. With the average ransomware payout per incident exceeding $800,000, it is clear why RaaS is such a lucrative opportunity for affiliates, even at a low commission rate.
How Ransomware-as-a-Service Works
In the RaaS model, the primary ransomware threat actors, known as operators, partner with affiliates to deliver ransomware against a target. The affiliate either pays the operator a flat fee or subscription to use the ransomware and its supporting infrastructure in a campaign against a chosen target, or provides initial access to an already compromised network in exchange for a percentage of any extorted funds. In this way, RaaS operates much like a legitimate B2B professional network.
Affiliates often use sophisticated social engineering, including phishing and spear-phishing, to gain initial access. They may also get in through unpatched vulnerabilities, configuration errors, or compromised accounts, using stolen credentials or data published after earlier breaches to test for reused passwords, or even through physical access to a target's premises.
Communication and deal-making happen on Dark Web forums and on affiliate portals run by the ransomware operators. At least 25 such portals are known to explicitly offer RaaS.
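The credential-based entry route described above (stolen or leaked passwords tried against many accounts) leaves a recognizable trace in authentication logs. The following Python script is an added example, not code from the original article or from any vendor: it parses constructed, SSH-style log lines and flags password spraying (one source IP failing against many distinct accounts) and a successful login that follows a burst of failures from the same IP. The log format, the IP addresses, the usernames and the thresholds are all assumptions made for illustration.

```python
"""
Added example (not from the original article): detect credential-based
initial-access attempts in authentication logs.

Assumed log format (constructed for this example, modelled on sshd):
  "<timestamp> sshd[<pid>]: <Failed|Accepted> password for <user> from <ip>"
"""
import re
from collections import defaultdict

# Constructed sample log lines (not real data). 203.0.113.7 sprays several
# accounts and eventually succeeds; 198.51.100.4 is a user who mistyped once.
SAMPLE_LOG = """\
2023-05-01T08:00:01 sshd[4121]: Failed password for admin from 203.0.113.7
2023-05-01T08:00:02 sshd[4121]: Failed password for root from 203.0.113.7
2023-05-01T08:00:03 sshd[4121]: Failed password for backup from 203.0.113.7
2023-05-01T08:00:04 sshd[4121]: Failed password for jsmith from 203.0.113.7
2023-05-01T08:00:05 sshd[4121]: Failed password for mjones from 203.0.113.7
2023-05-01T08:00:06 sshd[4121]: Failed password for svc_sql from 203.0.113.7
2023-05-01T08:00:07 sshd[4121]: Accepted password for mjones from 203.0.113.7
2023-05-01T08:05:00 sshd[4130]: Failed password for alice from 198.51.100.4
2023-05-01T08:05:10 sshd[4130]: Accepted password for alice from 198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_log(text):
    """Return a list of (ip, user, success) tuples in log order.

    Lines that do not match the assumed format are ignored rather than
    raising, because real logs mix many message types.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m["ip"], m["user"], m["result"] == "Accepted"))
    return events


def detect_credential_attacks(events, spray_users=5, prior_failures=3):
    """Return {ip: [alert strings]} for IPs showing attack-like behaviour.

    spray_users:    distinct accounts one IP must fail against before it is
                    flagged as password spraying (threshold is an assumption).
    prior_failures: failures from one IP that make a subsequent success
                    suspicious (threshold is an assumption).
    """
    failed_users = defaultdict(set)   # ip -> set of accounts that failed
    failures = defaultdict(int)       # ip -> total failed attempts
    alerts = defaultdict(list)

    for ip, user, success in events:
        if not success:
            failed_users[ip].add(user)
            failures[ip] += 1
            # Fire exactly once, when the distinct-account count hits the bar.
            if len(failed_users[ip]) == spray_users:
                alerts[ip].append(
                    f"password spraying: failures against {spray_users} "
                    f"distinct accounts"
                )
        elif failures[ip] >= prior_failures:
            # A success after a burst of failures is the moment initial
            # access is obtained; this is the alert worth paging on.
            alerts[ip].append(
                f"likely compromised account: login for {user} succeeded "
                f"after {failures[ip]} failures"
            )
    return dict(alerts)


if __name__ == "__main__":
    for ip, found in detect_credential_attacks(parse_log(SAMPLE_LOG)).items():
        for alert in found:
            print(f"{ip}: {alert}")
```

On the constructed sample, only 203.0.113.7 is reported, with one spraying alert and one compromised-account alert; the single failure from 198.51.100.4 stays below both thresholds. In production the same logic would be keyed on a sliding time window rather than the whole file, and the thresholds tuned to the environment's normal failure rate.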
Who Are Ransomware-as-a-Service Operators?
RaaS gangs are well-organized criminal enterprises with defined, corporate-style structures. They have operational hierarchies with several tiers of management and designated roles such as team leaders, developers, infrastructure and system administrators, and even support agents who help affiliates deploy the ransomware and help victims pay the ransom to regain access to their files.
Prolific RaaS Operators
- Ryuk
- LockBit
- REvil (AKA Sodinokibi)
- Maze (succeeded by Egregor)
- Netwalker
- Ragnar Locker
- DoppelPaymer