Ransomware as Service (RaaS) describes a business model developed by malware authors that provides cybercriminal affiliates the ability to purchase access to ransomware tools and infrastructure to execute ransomware attacks. The inspiration for this business model clearly stems from legitimate software developers, and direct comparisons can be drawn with SaaS (software as a service) products such as Microsoft Office 365, DocuSign, Canva, Slack, Dropbox, and Mailchimp. It is a variant of the Malware as a Service (Maas) business model, specialized for distributing ransomware.
While in the past, a degree of technical knowledge was a prerequisite for launching cyberattacks, the rise of the MaaS model has made ransomware available to organizations or individuals without any specialized knowledge to launch sophisticated cyberattacks. Recent data suggests that upwards of 4,000 ransomware attacks occur daily, and the average organization will pay a ransom of $230,000 after falling victim to a successful ransomware attack.
Once ransomware has been developed for a RaaS, it is modified to ensure that the ransomware is usable for a multi-end user infrastructure, and ready to be widely disseminated or “licensed” to a network of cybercriminal affiliates.
While the recruitment process for affiliates varies between RaaS operators, most RaaS providers post offerings on dark web forums. Some, however, seek to recruit affiliates that fit certain profiles, such as having specific technical skill sets that increase affiliates’ chances of launching successful attacks.
Similarly, many RaaS distributors offer multiple subscription tiers for their affiliates, including price points for one-time uses, as well as recurring monthly and yearly subscriptions. That said, other RaaS operators may not have any requirements of their affiliates, including not requiring upfront payment, and instead relying on a commission-based payment structure.
Drawing further inspiration from the legitimate SaaS economy, some RaaS providers offer newly-accepted affiliates additional onboarding materials, including detailed instructions for launching ransomware attacks. Depending on the RaaS in question, moreover, some criminal networks even have dashboard interfaces where subscribers can get reports and updates on their various ongoing ransomware attempts. These interfaces may even offer “customer support” agents to provide tech support and — not just for affiliate payouts, but even for facilitating the victim’s ransom payments.