Ransomware attacks have been increasing at an alarming rate over the last couple of years (between +50% and +100% according to various sources), with ransomware becoming the preferred method for many cybercriminals to monetize their fraudulent activity. With the emergence of the Ransomware-as-a-Service (RaaS) “business model” in the hacker community, this type of attack is likely to keep proliferating, suggesting that the cyber threats to most organizations’ IT systems will remain elevated in the near future.
In RaaS, ransomware criminals, called operators, lease out their software infrastructure to other cybercriminals, called affiliates, allowing them to be up and running quickly and at affordable cost. In this model, which mimics Software-as-a-Service, operators develop a range of malware that affiliates select for their attack(s) and offer portals/dashboards that let affiliates monitor the status of infections, the number of files encrypted, the payment(s) received, as well as the communications with their victims. They can also offer hosting services to store exfiltrated data (and/or leak it online) in addition to cryptocurrency transaction services.
Quite surprisingly, this full range of services is advertised online just like any cloud software subscription offering, the only difference being that it can only be found on the dark web.
Meanwhile, the affiliate will first focus on getting access to a target network, something they can also purchase on the dark web from other cybercriminals or obtain on their own, most of the time through phishing emails, a widely used method for stealing sensitive data such as login credentials. Then, the affiliate will handle the infection, the data exfiltration, the ransom negotiation, and the decryption keys.
In all, this model, which most of the time works with a flat fee and a revenue-sharing agreement, is attractive for both the operator and the affiliate. For the former, it’s the opportunity to leverage all the time and resources spent developing malware across a much larger target base. For the latter, it’s the opportunity to gain access to state-of-the-art malware and software infrastructure and to materially improve the chances of success of the envisioned attack.
The main implication of the rise of the RaaS business model is that it significantly lowers the barriers to entry for wannabe cybercriminals. While coding expertise has traditionally been a prerequisite for hackers, RaaS makes it easy for inexperienced hackers, and even for those with limited technical knowledge, to deploy sophisticated cyberattacks.
As such, RaaS should contribute to the democratization of cyberattacks and, accordingly, to victim proliferation. Along with the digitization of the economy and the rapid rise of connected devices, it should then emerge as a secular driver of cybersecurity spending and sustain strong demand for sophisticated threat detection and automated response solutions (also called XDR) from the likes of CrowdStrike, Palo Alto Networks and SentinelOne.
Getting some sort of protection is indeed a no-brainer for most organizations, as the average ransomware payment (slightly below $1 million according to Palo Alto) and the total cost of the ransomware attack (around $5 million according to IBM for downtime, IT system remediation, legal expenses, higher insurance premiums, reputation/brand damage…) keep growing at a fast pace.