What is the Ransomware as a Service Model? And Why is it so dangerous?

As economies have evolved, so have the business models within them. From barter trade to digital currencies, we can now simply purchase whatever, whenever we need. But we haven’t stopped there.

Over the centuries, companies have realized that instead of making all money at once, it is better to rent out services on a subscription based model, thus giving rise to a subscription based economy. This is a win-win situation for enterprises and their customers. And that’s where companies like Amazon Prime, Netflix, and Dropbox, etc. are successfully growing by assuring that they have stable income in the long run and an efficient use of resources in a fractional reserve deployment of services.

How does Ransomware As A Service Model work?

In the digital world, we call it Software-as-a-Service or simply as a SaaS business model, where software is rented out and used by clients as a service against a flat monthly fee. This is light on the pocket for clients, but at the same time provides ample amount of monthly guaranteed income for businesses to keep up in a world concerned mostly with efficiency and continue growing in the future.

On the flip side, the dark web also operates similarly, where Ransomware as a Service, or commonly known as RaaS is thriving. There are numerous Ransomware as a Service 2020 examples that we will be discussing here.

And just when the FBI and cybersecurity experts were scrambling to contain losses, cybercriminals went one step ahead in creating this dangerous business model.

What is the Ransomware as a service model?

Ransomware-as-a-service lends its nature from Software-as-a-Service (SaaS) business model whereby it allows anyone with minimal cybsersecurity experience to hack systems for a ransom.

RaaS businesses thrive on selling and/or renting out easy-to-deploy, small, and scalable malware exploit kits including guides, user manuals, video tutorials, and strategies for staging cyber attacks for a ransom.

There are different packages offered on the dark web, and the sales, marketing and promotion is done similarly to legitimate businesses. It’s like building a team of hackers without needing them to know how to hack.

Think of it like an affiliate business model, where you are promoting another businesses’ products/services. The more sales they make out of your referrals, the more you rewards the are there for the reaping.

Simply put, the more systems affiliates penetrate using a single developer’s virus, the more money both make. Again, a win-win situation for cybercriminals.

Just like any SaaS model, Raas kits start from typically $40-$50, all the way up in the thousands of dollars. It all depends upon the working capacity of each kit. The more potential to make top dollar, the costly the RaaS kit!

What are some examples of RaaS kits?

There are various type of RaaS kits available on the dark web, such as

• Philadelphia
• Cerber
• Atom
• Satan
• Phobos
• Dharma
• Sodinokibi

Despite their names, the intent is same; to demand ransom payment against decryption of files. The Philadelphia RaaS kit costs anywhere from $400 to $799 with a complete Graphical User Interface and ongoing support and updates. It works almost as if you have bought a software from an authorized developer.

Cerber, an infamous RaaS kit, turned disastrous for Microsoft Office 365 users back in 2016. Most of these kits stage attacks through phishing attempts such as emails.

What are the revenue models of Ransomware as a Service?

There are 4 revenue models that RaaS operators use:

• Charging a one-time flat fee
• Monthly Subscription plans
• Profit-sharing plan based on a defined percentage
• Affiliate Marketing

This business model is so enticing to novice hackers that instead of writing new code, they simply rent it out, and split the ransom revenue received.

Unfortunately, to conduct a ransomware attack, technical experience is no longer a requirement because the RaaS model has made it equally possible for amateurs to launch malicious attacks at an unprecedented scale.

Despite a low success rate of ransomware attacks, those that do manage to infiltrate networks, demand big bucks through extortion. This makes a profit-sharing revenue model particularly irresistible for RaaS operators to thrive in such an environment.

Why is the RaaS Business Model so popular?

Several factors account for the popularity of Ransomware as a service business model, and here are a few:

1. Ease of Use

The fact that anyone accessing the dark web, although having almost zero knowledge of cyber security and hacking, can purchase a RaaS kit and stage cyberattacks, is a most attractive characteristic for hackers. Just like someone would sign up for a Netflix account, criminals can do the same on the dark web.

2. Ability to extort high ransom payments from victims

We have seen and heard success stories of how companies like Apple and Google were built from a garage and went on to become corporate giants with billions of dollars in market worth.

We hate to break it to you, but there’s nothing different when it comes to the dark web. It all starts with one hacker, who then joins others in an attempt to grow his army of hackers. It is impossible for just one hacker to bring down a network of hundreds of computers all at once. It requires intensive planning, and teamwork, just like any legitimate business does.

There is no better way for these cyber criminals to stage attacks without a large centralized team which would require significant resources. Due to a low success rate, the ransom payment demanded is often in hundreds of thousands of dollars to millions.

This is where the RaaS business model comes in, giving these hackers the ability to build their team.

The infamous NetWalker gang has banked over $25 million since March 2020 until now. It isn’t possible for one person to extort this magnitude ransom payments within a short period of time.

3. Ability to defraud their own clients

If criminals would stop committing crimes, the police wouldn’t exist anymore, but we aren’t living in an ideal world.

The Ransomware as a service model is so appealing, that many RaaS operators keep selling their services despite being under tremendous scrutiny. In spite of having little to no success rate, many newbie wannabe hackers are lured in purchasing RaaS kits. Unfortunately most of them turn out to be scams that antivirus programs can easily detect.

As opposed to what you see on the media, conducting a successful ransomware attack is insanely difficult! It takes days and weeks of planning in understanding the victims’ network and laying out a framework of traps. Some attackers make a fortune out of it, but the rest of it just waste their resources.

The underground market of forums and websites in the dark web is filled with scam artists sucking money out of the so-called “hackers.”

It is important to note that RaaS is more or less like a multi-level marketing scheme.

Ransomware as a Service and COVID19

It’d be pointless to talk about RaaS without mentioning COVID19. The current pandemic has paved the way for far more opportunities for cyber criminals to thrive than ever before. From hospitals to financial institutions, ransomware hit hard, mostly in developing nations lacking a sound healthcare and banking infrastructure.

How to Prevent RaaS attacks?

Prevention is better than cure, and it can’t be any better than in this situation. It is better to be safe than sorry. We have a detailed blog post on how to prevent ransomware attacks, however in a nutshell, these are the tips you need to implement:

• Employee education – Employees need to be educated via security awareness training on how to remain safe and vigilant while working on a cloud based environment. The most common vector that RaaS operators use is phishing, mostly through emails. Organizations need to train their employees on how to browse the web and communicate through emails safely.
• Keep Backup data – You should keep at least 3 copies of backup data (see also the 3-2-1 Backup Rule and Strategy), 1 in external drives, 1 in cloud, and the other on the network. You can and should not rely on only one source of backup data. Always keep your external drives updated regularly and always isolated/air-gapped from the network.
• Keep your antivirus software up-to-date – A reliable antivirus software updated regularly goes a long way to ensure protection.
• Turn off remote sessions – You should keep your RDP (Remote Desktop Protocol) turned off when not in need as hackers continuously scan the most common ransomware ports to attack.
• Don’t open any suspicious looking emails – Using emails remains the most popular method to deliver Sodinokibi, Phobos and RYUK ransomware. Never open any email or click any links to exe files.

Final Thoughts

Ransomware isn’t going anywhere. In fact, with the passage of time, cybercriminals have ushered in a new era of using highly sophisticated attacks to continue bypass antivirus programs and attack networks. You need to remain proactive and vigilant now more than ever.

As RaaS becomes more accessible, more organizations and individuals may get hit in coming days and weeks. Last but not least, follow the tips outlined herein to decrease your chances of getting compromised.