A Beginner's Guide to Ransomware-as-a-Service (RaaS)

Over the last few years, news reports on ransomware attacks have noted that the attacks are increasingly sophisticated. At the same time, they observe that the attackers themselves are less sophisticated than in the past. While these two statements appear to conflict, both are true when viewed through the lens of current cybercriminal business models.

Ransomware-as-a-Service (RaaS) applies a subscription payment model to cybercriminal ransomware activity. The ransomware developers focus on building increasingly sophisticated attack tooling and then sell these capabilities to less sophisticated cybercriminals. This ecosystem makes it easier for less technical criminals to deploy attacks while letting the developers concentrate on making the ransomware harder to defend against.

With insight into how Ransomware-as-a-Service works, security teams can implement additional controls to mitigate risk.

 

What is Ransomware-as-a-Service (RaaS)?

Ransomware-as-a-Service (RaaS) is a cybercrime business model for selling ransomware tooling, modeled on the legitimate Software-as-a-Service (SaaS) subscription model. Under RaaS, developers build the malware and then sell or lease it to affiliates who carry out the attacks. This arrangement enables less-skilled cybercriminals to deploy sophisticated ransomware attacks.

With the RaaS model, cybercriminals can expand their reach while making prevention and detection more difficult for security teams.

 

How does the RaaS model work?

With the RaaS model, threat actors operationalize ransomware attacks and provide cybercriminals with the same services that a legitimate SaaS product company would offer, including customer support services and a payment portal.

 

At a high level, the RaaS model consists of three types of adversaries:

  • Operators: create and sell the malware, campaign infrastructure, and supporting services
  • Initial access brokers (IABs): compromise networks and then sell the unauthorized access to other cybercriminals
  • Affiliates: purchase and deploy the ransomware

While the specifics are unique to each operation, the overall structures tend to fall into a few models.

Monthly subscription

In this model, affiliates pay a recurring fee for continued access to the latest ransomware tools and services. The affiliates avoid the upfront cost and technical knowledge required to create ransomware from scratch. The operators gain recurring revenue from the affiliates while remaining distanced from the actual attacks, which helps them evade law enforcement.

One-time fee

Under this model, the affiliates pay the cybercriminal version of a lifetime license for full access to the ransomware code. The affiliate retains access to the tools, enabling them to run ransomware operations without further financial obligations. For affiliates who want to manage multiple attacks over a long period of time, this might be a cost-effective option.

Affiliate programs

An affiliate program uses a profit-sharing model in which the affiliates and operators split the ransom payment. While payment structures differ across ransomware groups, they commonly fall into three splits:

  • 70% to affiliate, 30% to operators
  • 80% to affiliate, 20% to operators, seen recently with LockBit
  • 90% to affiliate, 10% to operators, seen recently with RansomHub or APT 73

 

These arrangements are often flexible, with an affiliate's skill set affecting the commission. Affiliates who bring their own teams, infrastructure, and tools often receive a higher percentage of the ransom than less sophisticated cybercriminals.

 

What are the different extortion categories?

In the early days of ransomware, attackers would encrypt an organization’s data, providing the decryption key only once the victim paid the ransom. In response, organizations implemented more sophisticated backup and restoration capabilities for improved business resilience.

More recently, cybercriminals have changed their methods. Today, ransomware operations also include data theft, holding the stolen sensitive information hostage until the victim pays. These extortion methods include:

  • Single extortion: stealing data and then demanding payment
  • Double extortion: publishing some of the sensitive data and threatening to release the rest on the dark web
  • Triple extortion: pressuring companies into paying through additional means, such as exposing file listings or emailing the victim's customers or employees

 

What are real-life examples of RaaS groups?

Although the RaaS ecosystem has seen some changes recently due to law enforcement actions, some groups are well-known across the landscape.

DarkSide

Linked to the 2021 Colonial Pipeline attack, DarkSide is known for targeting large corporations and using double extortion tactics. In June 2021, law enforcement seized cryptocurrency valued at $2.3 million, representing the proceeds of this attack.

LockBit

First appearing in 2019, this group is commonly considered the most prolific ransomware group, linked to 2,000 victims and more than $100 million in stolen funds. Its malware, LockBit 3.0 (LockBit Black), added double extortion tactics. In 2024, law enforcement seized control of the group's infrastructure, moved against its alleged administrators, and secured convictions of several affiliates.

REvil

Also called Sodinokibi, this group was involved in several high-profile attacks, including those against JBS Foods and Kaseya. In May 2024, one group member was sentenced to over thirteen years in prison for his role in attacks tied to over $700 million in ransom payments.

Conti

Linked to attacks against over 900 global victims, this group notably attacked Ireland’s Health Service Executive (HSE), severely disrupting healthcare services. In 2023, law enforcement charged four Russian cybercriminals over their involvement with the group.

 

Best Practices for Mitigating Ransomware Risks

The RaaS model increases the volume of sophisticated ransomware attacks by lowering the barrier to entry. The following best practices improve your security posture and reduce risk.

Improve credential hygiene

With IABs selling initial access, improving credential hygiene is a fundamental security control. Implementing multi-factor authentication (MFA) mitigates the risk of a stolen password by requiring an additional proof of identity based on something people have (like a smartphone) or something people are (like a face scan).

Monitor for credential exposure

Monitoring data breach information can help you identify leaked credentials belonging to your employees. People often reuse the same password across personal and professional logins, so identifying employee credentials exposed in previous data breaches, and forcing those passwords to be changed, improves your security.
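The check described above, as an added example that is not part of the original post or any Graylog product: it matches a constructed breach corpus against an employee domain and screens a candidate password at change time using a simulated k-anonymity range lookup, so the full hash of the password never leaves the organisation. All breach records, emails and passwords below are constructed sample data.

```python
import hashlib

# Constructed sample data (hypothetical; not from the original page or any real breach).
EMPLOYEE_DOMAIN = "example.com"
BREACH_RECORDS = [
    # (breach name, leaked email, SHA-1 of the leaked password, upper-case hex)
    ("retailer-2023", "alice@example.com", hashlib.sha1(b"Summer2024!").hexdigest().upper()),
    ("forum-2022", "bob@example.com", hashlib.sha1(b"letmein").hexdigest().upper()),
    ("forum-2022", "someone@other.org", hashlib.sha1(b"password123").hexdigest().upper()),
]


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def exposed_employees(records, domain):
    """Return {email: [breach names]} for every record whose address is in our domain."""
    hits = {}
    for breach, email, _ in records:
        if email.lower().endswith("@" + domain):
            hits.setdefault(email.lower(), []).append(breach)
    return hits


def range_lookup(records, prefix: str):
    """Simulates a k-anonymity range endpoint: the caller sends only the first five hex
    characters of its hash and receives every corpus suffix sharing that prefix, so the
    full hash of the password under review is never disclosed to the lookup service."""
    return {h[5:] for _, _, h in records if h.startswith(prefix)}


def password_in_breach_data(records, password: str) -> bool:
    digest = sha1_hex(password)
    return digest[5:] in range_lookup(records, digest[:5])


def credential_review(records, domain, candidate_passwords):
    """candidate_passwords: {email: password} captured at password-change time, the only
    moment the plaintext is legitimately available. Returns (employees seen in breach
    dumps, employees whose candidate password already appears in breach data and must
    therefore pick another one)."""
    seen_in_dumps = exposed_employees(records, domain)
    must_rotate = sorted(e for e, pw in candidate_passwords.items()
                         if password_in_breach_data(records, pw))
    return seen_in_dumps, must_rotate
```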

Reduce the attack surface

Every network access point is a place where attackers can gain initial access. Typical ways to reduce the attack surface include:

  • Limiting access according to the principle of least privilege
  • Reviewing firewall rulesets for outdated rules with excess permissions
  • Disabling unnecessary device and software functionalities
  • Blocking known malicious IP addresses

 

Regularly scan for vulnerabilities and apply security updates

IABs often exploit vulnerabilities to gain initial system and network access. Scanning for vulnerabilities across the software, hardware, and firmware of network-connected devices, combined with installing security patches as quickly as possible, closes this gap.

Incorporate threat intelligence

Threat intelligence provides real-time insight into operator, IAB, and affiliate attack methodologies. For example, threat intelligence can provide insight into the known vulnerabilities that these groups target, helping to prioritize vulnerability remediation actions.

 

Graylog Security: Contextual Risk Insights for Improved Security Operations

Graylog Security’s contextual risk scoring, powered by Adversary Campaign Intelligence, incorporates threat intelligence into our risk scoring to amplify real threats and reduce noise. With Graylog, security teams can prioritize activities based on asset criticality and connect the dots between alerts to reduce alert fatigue.

 

Graylog Security’s Illuminate bundles map Sigma rule detections to the MITRE ATT&CK framework so you can gain immediate value from your logs and improve your security alert capabilities.

 

To see how Graylog Security gives you the SIEM that never asks you to compromise, contact us today.
