The dangers of ransomware as a service (RaaS)

What is ransomware as a service?

RaaS (or ransomware as a service) is a service that allows users to use already-developed ransomware tools and execute ransomware attacks. RaaS is like an evil version of the software as a service (SaaS) model. It enables lay users to lock their targets’ data and demand ransom without much technical knowledge.

How does ransomware as a service work?

RaaS mimics the model of other online services. Developers create ransomware tools with high chances of success. Then they modify them to serve a multi-user infrastructure. Various affiliates then sell the software to end users on the dark web. This enables users without much technical knowledge to initiate ransomware cyberattacks by simply signing up for the service and using the tools.

All cybercriminals need to do is find a service that suits their purposes and sign up on its website. Then they simply select the type of tool they wish to use and pay with cryptocurrencies. Users can then initiate attacks, receive all the guidelines and the necessary documentation to proceed, and even track the progress of their malicious activities.

Sometimes the user friendliness and availability of RaaS services are surprising. Some even have customer service, various discounts, bundle offers, and customer reviews. They are also relatively affordable.

Here are a few types of RaaS business models:

• Hostile entities use the software but then pay a percentage of their extorted money to the RaaS service operators.
• One pays a flat fee for a subscription.
• Cybercriminals pay a one-time fee and use the ransomware whenever they want.
• Customized or personalized profit-sharing schemes may be available depending on the scheme used by a service.

Ransomware as a service examples

• DarkSide. DarkSide is one of the most notorious RaaS operators and is responsible for the Colonial Pipeline hack, one of the worst ransomware attacks to date. It targets mostly Windows users, but recently, it has expanded to Linux. It was especially active in 2021.
• Dharma. While Dharma has been known since 2016, it started operating as a RaaS provider only in 2020. Dharma attacks have been linked to Iranian cybercriminal groups and are usually financially motivated. The service is not centrally controlled, and its variants come from many sources. There is also little known about who is behind Dharma due to the identical nature of its attacks.
• REvil. REvil is another infamous RaaS operator. It was very active throughout 2021. It initiated attacks on American meat producer JBS, Kaseya, and CNA, a cyber insurance company. REvil informs victims about their attacks via their own blog. They are also behind one of the largest known ransom demands in history — 10 million dollars.
• LockBit. LockBit first emerged as a virus that encrypted user files. However, it later became a RaaS operation. It has a distinct ability to automatically self-propagate to target networks, which makes it attractive to cybercriminals.
• Maze. Maze not only encrypts user data but also threatens to make it public. Maze was shut down in 2020 for reasons unknown. But the people behind the attack most likely created other RaaS initiatives.

How to prevent ransomware as a service

Here are a few tips on how to prevent or at least minimize RaaS damage:

• Don’t click on suspicious links, banners, or attachments.
• Avoid downloading content from dodgy websites because you can get some unwanted surprises if you do.
• Always be aware and informed to avoid phishing attacks and other social engineering attempts.
• Monitor and validate all your connection requests.
• Regularly update your software.
• Regularly back up your data so that you won’t lose it in a ransomware case. We recommend also using external hard drives rather than just cloud storage.
• Make sure you use premium security software. Also, check out the new NordVPN’s Threat Protection feature. It helps you identify malware-ridden files, stops you from landing on malicious websites, and blocks trackers and intrusive ads on the spot.

Should you pay the ransom?

There is no 100% correct answer to this question, but most law-enforcement agencies advise not paying a ransom. In some countries, it is even illegal to pay the ransom.