Ransomware as a Service (RaaS) is a business model between ransomware operators and affiliates in which the affiliates (often called “hackers”) compromise corporate networks and deploy ransomware to encrypt sensitive files. The operator of the RaaS earns a commission each time an affiliate infects or locks an unsuspecting organization’s files by using the operator’s distribution platform. The ransomware operators take about 20% of the affiliate earnings for themselves. The affiliates usually pay a fee (typically in Bitcoin) to their operators.
Launching a RaaS is free, which is why it represents such an important threat for organizations. Just like in the SaaS industry, affiliates can choose from hundreds of ransomware variants to use as their malicious distribution platform. Traditionally, ransomware attacks had to be coordinated between various threat actors, as they required developers who compiled the malware and wrote an application to generate keys, encrypt files and decrypt files with their own private decryption tool. The ease of access that RaaS provides has rapidly accelerated the number of ransomware attacks organizations face on a daily basis.
Who is behind the Ransomware as a Service model?
The ransomware operators, who earn commissions from their affiliates, are usually located in Eastern Europe, specifically Russia and Ukraine. The affiliates are located all over the world and often use compromised computers to spread malware or use their own systems to set up a RaaS distribution platform. They are quick to capitalize on any new vulnerabilities that emerge and can quickly gain access to victims that are infected by their affiliates.
Top Known Ransomware as a Service Variants
Many of the biggest names in ransomware are also the leading RaaS operators. Some of the most prolific and dangerous RaaS variants include:
- Ryuk: Ryuk ransomware is known for originally using the NSA EternalBlue exploit. It is being distributed using a combination of known vulnerabilities and adware.
- LockBit: LockBit has been around since early 2016 and is an open-source RaaS that does not require a download or installation. It spreads via spam e-mails.
- REvil/Sodinokibi: REvil competes with Ryuk as the greediest ransomware variant. This malware is spread in various ways, and REvil affiliates have been known to exploit unpatched Citrix and Pulse Secure VPNs to infect systems.
- Egregor/Maze: The Maze ransomware is being spread by malicious adverts on YouTube and Google search results via the Angler Exploit Kit.
- CryptXXX/CryptoShield: CryptXXX uses a number of different vulnerabilities to infect users’ systems.
Protecting Against RaaS Attacks
There is no one-size-fits-all solution for protecting against ransomware attacks. Because there are different ransomware variants, and because each variant is written differently, every victim is at risk of a different level of infection. Victims can help protect themselves by:
- Patching: Keeping your operating system and software up to date with the latest security patches is crucial in defending against new ransomware variants.
- Two-factor Authentication: Using two-factor authentication is also important for protecting accounts from being compromised by ransomware, as it is unlikely that a criminal will be able to hack an account protected by two-factor authentication.
- Backups: Regular backups of critical data, especially important documents and files, can be a great way to protect against ransomware.
- Antivirus and EDR Software: Antivirus software provides valuable protection against ransomware by blocking malicious script files that are often used as part of an infection.
- User Education: User education is important in any security strategy, but it is especially important when it comes to ransomware. Teaching users about the dangers of opening unknown email attachments or clicking on links from untrusted sources can go a long way in preventing infections.
Wrapping things up
We hope this article helped you better understand the RaaS business model and the various measures that protect your organization against it. Need to assess your company’s resilience to ransomware attacks? Perform a ransomware readiness audit, which lets you determine exactly how ransomware may spread across your technologies to encrypt your systems. Reach out to an expert to learn more at no cost.