Skip to main content

What is ransomware as a service?

A laptop displays an attack enabled by ransomware as a service.

A specific distribution model for a particular type of malware, ransomware as a service (Raas) is a significant threat to cybersecurity. This affiliate-type scheme gives more would-be cybercriminals the opportunity to launch attacks without the necessary technical and programming expertise, thus making ransomware attacks more prevalent.

Given how damaging ransomware can be, it is especially important for companies to understand the RaaS implications for cybersecurity and how protecting systems from ransomware is so crucial.

Understanding ransomware as a service

Ransomware as a Service (RaaS) is a business model that specializes in a particular type of malware—ransomware—and operates on the dark web. In the simplest terms, it is a malicious evolution of the more traditional, and legal, Software as a Service (SaaS) model, which is used by many major corporations including Microsoft, Adobe, Shopify, Zoom, and Dropbox. The RaaS business model sees operators create the ransomware (and often, an entire ecosystem around it) and offer it to third parties. Cybercriminals can "subscribe" to Ransomware-as-a-service (RaaS) for free. Once they become partners in the program, they pay for the service after the attack happens in the form of a percentage from the ransom.

Cyber attackers who want to execute ransomware attacks but lack the time and ability to develop their own malware can simply pick a RaaS solutionon the dark web. they can access the ransomware and all the necessary components, such as command-and-control (C2) panels, builders (programs for quick creation of unique malware samples), malware and interface upgrades, support, instructions, and hosting. Then they can launch their attack, without having to do all the development work. As such, malicious actors can execute a sophisticated chain of ransomware attacks without having any kind of knowledge or experience in developing these types of malware.

Often, operators offering ransomware as a service develop an entire product offering around their malware. This can include a wide range of services such as community forums, playbooks for strategic attacks, and customer support. This is especially useful to would-be attackers with no experience in launching cyberattacks. The additional RaaS services may include:

  • Customization tools to create highly targeted attacks
  • Additional tools, such as programs for data exfiltration
  • Community forums for advice and discussion
  • Playbooks for strategic attacks
  • Instructions for setting up the panel and the product
  • Manuals on attacks which include a description of tools, tactics and techniques for attackers.

Whichever type of ransomware as a service the attacker chooses to use, the end goal is always the same: to compromise an individual’s—or organization’s—network and steal or  decrypt data, and then get the target to pay a ransom.

The difference between malware, ransomware, and ransomware as a service

Malware is a general term for any type of malicious software that is used to gain unauthorized access to an IT system or electronic device. This could be for a range of purposes, including data stealing and system disruption, for example. However, ransomware is a malware  that is used to infect a target’s system and encrypt or destroy its data; the target can be required to pay a ransom—hence the name—in order to stop the attacker from publicly releasing the information, or to receive a decryption key to restore the data if it was encrypted

What are the legal implications of ransomware as a service (Raas)?

Given that RaaS enables a particular type of cybercrime and that it operates on the dark web, it should be abundantly clear that the entire business model is illegal. Any type of involvement in the industry—whether as an operator or an affiliate (“subscriber”) —is unlawful. This includes making RaaS available for sale, purchasing a RaaS with the intent of executing ransomware attacks, breaching networks, encrypting data, or extorting ransoms.

How does ransomware as a service work?

RaaS operates on an organizational hierarchy. At the top of the ladder is the operator, usually a group that develops the ransomware and makes it available for sale. The operator essentially acts as an administrator, overseeing all aspects of the RaaS’s business operations, including managing its infrastructure and the user interface. Often, the operator also handles the ransom payments and provides the decryption key to those victims who pay. Within the operator group, there may be smaller designated roles, including administrators, developers, and testing teams.

RaaS affiliates—the “clients”—buy access to the RaaS in order to use the operator’s ransomware in attacks. They identify the opportunities for attack and deploy them. The role of the affiliate is to identify targets, execute the ransomware, set the ransom, manage post-attack communication, and send decryption keys when the ransom is paid.

In Kaspersky's recent findings for Anti-Ransomware Day 2023, the major initial vectors of ransomware attacks in 2022 were unveiled. The report revealed that over 40% of companies experienced at least one ransomware attack last year, with small and medium-sized businesses paying an average of $6,500 for recovery, and enterprises shelling out a substantial $98,000. The study pinpointed the primary attack entry points, including the exploitation of public-facing applications (43%), compromised user accounts (24%), and malicious emails (12%).

Once the ransomware is downloaded onto the system, it tries to disable  endpoint security software, Once the attacker has gained access, they can then reinstall tools and malware This will allow them to move around the network and then roll out the ransomware. They can then send out a ransom note, after encrypting files. In general, this is done through a TXT file that appears on the victim’s computer, which instructs them that their system has been breached and they must pay a ransom to receive a decryption key to regain control.

How is ransomware as a service monetized?

Cybercriminals can "subscribe" to Ransomware-as-a-service (RaaS) for free. Once they become partners in the program, they pay for the service after the attack happens. The payment amount is determined by a percentage of the ransom paid by the victim, typically ranging from 10 percent to 40 percent of each transaction. However, entering the program is no simple task, as it entails meeting rigorous requirements.

Learn more about Kaspersky Premium

Examples of ransomware as a service to know about

Cybercriminals have become adept at evolving their ransomware services so that they can always meet the demands of the “clients” who buy RaaS. There are a wide variety of ransomware as a service (Raas) programs available on the dark web and having an overview of these can be useful in understanding how and why they are a threat. Here are a few ransomware as a service examples that have become widespread in recent years.

  • LockBit: This particular ransomware has breached the networks of many organizations by exploiting Server Message Blocks (SMB) and Microsoft’s PowerShell automation and configuration management program.
  • BlackCat: By using Rust programming, this ransomware is easy to customize and can therefore be deployed against numerous system architectures.
  • Hive: An especially nefarious RaaS, Hive places its targets under significant pressure, forcing them to pay the ransom by publicly releasing details of the system breach and often counting down to when the stolen information will be leaked.
  • Dharma: Emails are the most common method for executing phishing attacks, and this RaaS, which has been responsible for hundreds of attacks, mimics these attacks by targeting victims through email attachments.
  • DarkSide: The malware from this ransomware Group is believed to have been responsible for the 2021 Colonial Pipeline breach.
  • REvil: Perhaps the most pervasive RaaS group, this ransomware has been responsible for the 2021 attacks on Kaseya, which affected some 1,500 organizations, and CAN Financial.

10 Tips for protecting devices from ransomware

Ransomware is just one of numerous threats that people must be cognizant of while online, and one that can be challenging—and expensive—to recover from. While it is impossible to neutralize these threats completely, there are a wealth of measures and best practices that can enhance cybersecurity against RaaS—and, indeed, mitigate against many digital attacks. Here are 10 tips for protecting electronic devices from ransomware:

Regularly back up data on a separate device—create multiple back-ups if necessary; organizations should also have a data recovery plan in place in case of an attack.

Use robust endpoint protection software that regularly scans and removes potential threats.

Ensure all software remains up to date and is running the latest security patches.

Enable multifactor or biometric authentication where possible.

Remember password hygiene—Use a reliable password manager to generate and store strong passwords, and create different logins for different accounts.

Implement strong email scanning software to catch malicious emails and potential phishing attacks.

Develop and Maintain a Robust Cybersecurity Policy: Pay attention to the outer perimeter and create a comprehensive cybersecurity policy that covers the entire organization. This policy should address security protocols for remote access, third-party vendors, and employees.

Since the stolen credentials may be put up for sale on the dark web, use Kaspersky Digital Footprint Intelligence to monitor shadow resources and promptly identify related threats

Use the principle of least privilege to minimize administrative or system access to as few people as possible.

Implement security awareness training that covers RaaS cybersecurity and other potential threats.

Avoid clicking email links unless the source is known and trusted—if in doubt, type the website into the browser’s search bar and navigate to the page manually.

Of course, even the most stringent protection measures will not always prevent a ransomware attack. When the worst happens, there are still a few options to mitigate the fallout of these attacks.

The enduring threat of ransomware as a service

Ransomware is a cybersecurity concern in and of itself. But the ransomware as a service business model has turned this particular malware into a much larger threat by giving more potential cybercriminals the ability to launch these attacks without any particular expertise or knowledge. Because these attacks can have such serious financial implications for the organizations—or individuals—who are targeted, it is important to understand the various methods of protecting systems from ransomware attacks. Many of these are basic cybersecurity best practices, but organizations may want to consider further efforts such as security training and regular backup on disparate systems.

Get Kaspersky Premium + 1 YEAR FREE Kaspersky Safe Kids. Kaspersky Premium received five AV-TEST awards for best protection, best performance, fastest VPN, approved parental control for Windows and best rating for parental control Android.

Related Articles and Links:

Top ransomware attacks

The biggest ransomware threats

Malware detection and prevention

Related Products and Services:

Kaspersky Standard

Kaspersky Premium

Kaspersky Endpoint Security Cloud

Kaspersky VPN Secure Connection

What is ransomware as a service?

Ransomware as a service has made this particular malware a bigger threat to cybersecurity. Here’s what you need to know.
Kaspersky logo

Related articles