RaaS: What Is It and Why Is It Making Ransomware More Prevalent?


Ransomware-as-a-Service (RaaS) is a scheme in which malware authors franchise their ransomware out to affiliates. In a RaaS arrangement, the franchisers provide franchisees with everything they need to encrypt a victim’s data. In exchange, affiliates agree to hand over a percentage of whatever profits they make to the developers.

Let’s look at REvil’s RaaS operation as an example. Its developers make their crypto-malware available to affiliates and take upwards of 30% of the ransoms those affiliates collect. This arrangement rewards affiliates for selecting a target and developing an attack chain, leaving the developers to designate a ransom amount, communicate with the victims, and split the money.

How RaaS Operations Benefit Digital Criminals

RaaS schemes help individuals without much technical expertise gain access to proven ransomware strains. Those “script kiddies” can then launch their own ransomware campaigns, which add to whatever campaigns the ransomware authors are conducting on their own. RaaS operations thereby increase the volume of ransomware attacks and raise the profitability of individual ransomware strains. As a result of their RaaS operation, for instance, the REvil attackers made $100 million in profit over the span of a year.

It’s experiences such as these that explain why RaaS arrangements are on the rise. Indeed, researchers found that small ransomware campaigns decreased in the first quarter of the year while RaaS operations ramped up to focus on fewer, more lucrative targets. Another security firm observed something similar in 2020, a year when 64% of the ransomware attacks it analyzed traced back to operators of a RaaS model. The firm went on to note that it witnessed the emergence of no fewer than 15 new public ransomware affiliate programs over the course of that year.

All Kinds of Unwanted Attention

Though they might be helping to drive up ransomware profits, RaaS operations are attracting some unwanted attention from government entities and law enforcement. They don’t always survive that attention, either.

Take what happened to DarkSide. As you will recall, DarkSide was the ransomware strain responsible for infecting the Colonial Pipeline Company in May. The infection caused panic buying up and down the East Coast, elevating DarkSide’s profile with the FBI and CISA. DarkSide tried to walk back the attack by claiming that an affiliate had perpetrated it and vowing to review its affiliates’ targets going forward. But that didn’t prevent DarkSide from closing its doors after someone seized the operation’s data leak site, payment server, and DOS servers before withdrawing all available funds.

There’s also the example of REvil. In the beginning of July, security researchers analyzed the forensic patterns, ransom notes, and Tor URL associated with the Kaseya supply chain attack. They determined that a REvil affiliate was responsible. The threat actor began by individually extorting victims of the supply chain attack but eventually moved on to demanding $50 million for a universal decryptor. It was then that the REvil operation’s websites shut down and an admin for a Russian digital crime forum banned a REvil representative, Bleeping Computer wrote.

Defending Against RaaS Operations

Group-IB had some troubling words to share on the future of RaaS operations:

From what used to be a rare practice and an end-user concern, ransomware has evolved last year into an organized multi-billion industry with competition within, market leaders, strategic alliances, and various business models. This successful venture is only going to get bigger from here. Due to their profitability, the number of RaaS programs will keep growing, more cybercriminals will focus on gaining access to networks for resale purposes.

It’s therefore imperative that organizations defend themselves against REvil, DarkSide, and other RaaS programs. One way they can do that is by augmenting the security of their email, one of the most common delivery vectors for ransomware. They can do this by investing in an email security solution that’s capable of scanning incoming messages for campaign patterns, IP addresses, and other threat indicators while allowing legitimate correspondence to reach its intended business destination.
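As an added illustration of the kind of inbound-mail screening just described (this is example code written for this page, not AppRiver’s product code), the following toy filter applies the three indicator classes the paragraph names, sender IP addresses, campaign patterns, and other threat indicators (here, risky attachment types), to two constructed messages and quarantines anything that scores above a threshold. Every IP address, pattern, hostname and message below is a constructed placeholder, not a real indicator of compromise.

```python
"""Toy inbound-mail screening filter (added example, not AppRiver's code).

Scores a message on: the last-hop relay IP (against a constructed blocklist),
campaign phrasing in subject/body, and risky attachment types. Scores at or
above QUARANTINE_THRESHOLD are quarantined; everything else is delivered.
"""
import email
import ipaddress
import re
from email import policy
from email.message import EmailMessage
from typing import Dict, List, Optional, Tuple

# Constructed indicator data: documentation address ranges, not real IoCs.
BLOCKED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]   # TEST-NET-3
BLOCKED_IPS = {"198.51.100.77"}                                # TEST-NET-2 host
CAMPAIGN_PATTERNS = {
    "fake-invoice lure": re.compile(r"\binvoice\s*#?\d{4,}\b", re.I),
    "ransom note wording": re.compile(r"\b(all )?your files (have been|are) encrypted\b", re.I),
    "credential-reset pressure": re.compile(r"\bverify your (account|password) within \d+ hours\b", re.I),
}
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".docm", ".xlsm", ".iso", ".lnk"}
QUARANTINE_THRESHOLD = 50          # policy knob, tune per environment
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def last_hop_ip(msg: EmailMessage) -> Optional[str]:
    """IP of the relay that handed the message to our edge MTA.

    Received headers are prepended as mail travels, so the first one was written
    by our own server and names the external peer. Only that hop is trustworthy;
    earlier Received lines come from the sender and can be forged.
    """
    received = msg.get_all("Received", [])
    if not received:
        return None
    match = RECEIVED_IP.search(str(received[0]))
    return match.group(1) if match else None


def ip_is_blocked(ip: Optional[str]) -> bool:
    if ip is None:
        return False
    if ip in BLOCKED_IPS:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED_NETWORKS)


def risky_attachments(msg: EmailMessage) -> List[str]:
    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    return [n for n in names if any(n.lower().endswith(ext) for ext in RISKY_EXTENSIONS)]


def screen(raw: str) -> Dict[str, object]:
    """Score one RFC 5322 message and return verdict, score and reasons."""
    msg = email.message_from_string(raw, policy=policy.default)
    score, reasons = 0, []

    ip = last_hop_ip(msg)
    if ip_is_blocked(ip):
        score += 60
        reasons.append(f"sending relay {ip} is on the blocklist")

    body_part = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + "\n" + (body_part.get_content() if body_part else "")
    for label, pattern in CAMPAIGN_PATTERNS.items():
        if pattern.search(text):
            score += 25
            reasons.append(f"campaign pattern: {label}")

    for name in risky_attachments(msg):
        score += 40
        reasons.append(f"risky attachment type: {name}")

    verdict = "quarantine" if score >= QUARANTINE_THRESHOLD else "deliver"
    return {"verdict": verdict, "score": score, "reasons": reasons}


def make_sample(relay_ip: str, subject: str, body: str,
                attachment: Optional[Tuple[str, bytes]] = None) -> str:
    """Build a constructed test message as raw text, as an MTA would hand it over."""
    m = EmailMessage(policy=policy.default)
    m["Received"] = (f"from mx.sender.example ([{relay_ip}]) by edge.example.test "
                     f"with ESMTP; Mon, 5 Jul 2021 09:00:00 +0000")
    m["From"] = "accounts@sender.example"
    m["To"] = "finance@example.test"
    m["Subject"] = subject
    m.set_content(body)
    if attachment:
        name, data = attachment
        m.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return m.as_string()


# Two constructed inputs: a ransomware-style lure and an ordinary business message.
LURE = make_sample("203.0.113.45", "Invoice #48213 overdue",
                   "Please open the attached invoice and settle it today.",
                   ("invoice_48213.js", b"// constructed placeholder, not a real dropper"))
LEGIT = make_sample("192.0.2.10", "Q3 planning meeting notes",
                    "Attached are the notes from Tuesday's meeting.",
                    ("notes.pdf", b"%PDF-1.4 constructed placeholder"))

if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("legit", LEGIT)):
        print(name, screen(raw))
```

The design point worth noting is in `last_hop_ip`: only the Received header written by your own edge server is trusted for the sender’s IP, because every earlier Received line arrives inside the message and is under the sender’s control. Additive scoring with a threshold, rather than a single hard block, is what lets the legitimate message through while still quarantining a message that trips several weak indicators at once.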

Learn how Zix | AppRiver can help to defend your organization against RaaS schemes.