Off-the-Shelf Havoc: Ransomware as a Service

With ready-made hacking kits for sale, almost anyone can be a cybercriminal

By Andrew Wig

Hacking into a company’s computer system used to require some level of computer science expertise. Now, you just have to know how to access the dark web, thanks to a model for cybercrime known as ransomware as a service (RaaS).

“You don't have to be an expert anymore,” says Avani Desai, CEO of Schellman, a provider of attestation, compliance and cybersecurity services. 

In selling access to ready-made cyber attack kits, RaaS provides the same ease of use as the software as a service (SaaS) model that inspired it. With SaaS, “I can basically pay someone to do most of the work on my behalf. I don't have to worry about installing the software, maintaining the software, updating the software,” Jason Kichen, chief information security officer at the software testing and quality engineering firm Tricentis, explains. 

And RaaS is no different, except that the software on offer is ransomware: code that lets non-experts seize a targeted organization’s data, hold it hostage and extract a ransom, typically paid in cryptocurrency. The cybersecurity world has taken notice, because ransomware as a general threat was already keeping defenders up at night. 

“I think for most chief information security officers, [ransomware] is the closest thing you get to what we would consider an existential threat,” Kichen says. “This is the type of thing that when it goes bad, if it goes wrong, can literally be the difference between your company surviving and not surviving.” 

And now, RaaS has brought in a whole new group of potential attackers. “I believe moving forward, we will see an expanded number of attacks, and they will be more damaging," says Jessica Doherty, a senior manager and strategist at Broadcom Mainframe Software.

The victims may take no comfort in the notion that it’s just business, but that’s what it is. “Anytime you see money in a business, you want to make it a true business. And these are really true businesses. They actually have set up call centers and so forth,” Desai says. 

It really is going to expand, I believe, how many attacks we will see moving forward.

—Jessica Doherty, Senior Manager and Strategist, Broadcom Mainframe Software


Organized Cybercrime

Instead of having one bad actor do everything, “ransomware as a service actually breaks down ransomware into specialized roles,” Desai explains. There’s the developer, who creates the ransomware kits, the affiliates who purchase the ransomware and carry out the attack, “and then there's going to be that broker; they're going to be the ones that get the data from the affiliate, and they're going to sell the stolen credentials,” she says.

And like legitimate businesses, there are people whose job it is to negotiate deals. “They're going to be the ones that handle the ransom demands with the victims. They're the ones who are going to send you the email or they're going to call you,” Desai says. It’s only that final link in the chain, the money launderer, that doesn’t have an analog to legitimate business. “They're going to take your crypto, and they're going to take the payments, and then they're going to make it into usable funds,” Desai explains. 

The Division of Labor in RaaS

The Developer: creates the ransomware kits
The Affiliate: purchases the ransomware kit and executes the attack
The Broker: receives data from the affiliate and sells the stolen credentials
The Negotiator: handles the ransom demands with the victims
The Launderer: turns ransom payments into usable funds

These conspirators work together under varying arrangements. Affiliates can sign up for a monthly subscription that can cost as little as $40 a month. They can purchase the ransomware code outright for a one-time fee. They can join a program in which they pay a fee for the privilege of receiving a small percentage of the ransom payments. And there are profit-sharing programs in which affiliates pay nothing up front but hand the developer a percentage of each ransom collected. 

Hatched in Broad Daylight

This collaboration happens more or less out in the open, Kichen says. When people think about RaaS, “they imagine criminals in a dark alley meeting under the cover of night, exchanging cash in a suitcase, like a very cloak-and-dagger type of deal,” he says. “The reality of it is, it's not quite completely out in the open, but it's pretty much out in the open.” While the RaaS providers are generally found on the dark web, that’s not exactly hidden away, since anyone can access it with a Tor browser, Kichen notes. 

“It's really become a subscription-based business where anyone can launch an attack,” Desai observes. “I have a 14-year-old son who could probably go use, probably spend $20 on the dark web and buy a prebuilt ransomware kit and find instructions on how to actually launch it, and then can have a third party actually do the negotiation.”

Quantity, if Not Quality

“What's going to happen—and this is where my customers or my clients are really concerned—is more attacks, more ransomware demands,” Desai says. 

Proliferation also means a higher rate of attack. “Before, these things were relatively slow-moving,” Kichen says. “...The efficiency for any given ransomware operator was pretty limited. But with ransomware as a service, the scale of that is well beyond what it used to be. So the speed is what presents the biggest challenge now.”

Cyber defenders might at least take heart in the supposition that attacks via RaaS are likely to be less sophisticated than custom-built assaults due to their off-the-shelf nature. “I think that's the right mental framework that we should assume,” Kichen says, “that the most sophisticated technical capabilities are going to be reserved for the hardest targets, and the hardest targets are not going to come through the ransomware as a service mechanism. They're going to come through some other mechanism.”

Ransomware victims have no immediate way of knowing whether an attack came through RaaS, Kichen notes, so reliable data on the prevalence of the crime model is scarce. And if RaaS has proliferated as much as expert observers believe, that did not translate into a higher overall financial toll last year, according to Chainalysis, a blockchain analytics company. By its estimate, total ransomware payments dropped by 35% in 2024, from a record $1.25 billion in 2023.


Ransomware Payments by Year

Year   Total payments
2020   $999.05 million
2021   $1.07 billion
2022   $655.4 million
2023   $1.25 billion
2024   $813.55 million

Source: Chainalysis

Defending Against RaaS

While RaaS is a relatively new feature on the threat landscape, the way to defend against it doesn’t differ from regular ransomware precautions. In guarding against RaaS, “we do the same things that we've always been doing against digital threats that we've been doing for 10, 20 years or longer,” Kichen says. However, given the presumed increase in threats brought by RaaS, cybersecurity professionals might feel more urgency to shore up weak points. 

That includes enforcing multi-factor authentication (MFA) across all access points, layered security, diligent software updating and vulnerability patching, and continuous monitoring, Desai advises. Doherty adds, “Cybercriminals seek the easiest entry points, so the best defense is to close off the most common vulnerabilities.”

Keeping secure, offline backups is another precaution, “because now what our attackers are really doing is they're targeting cloud backups too,” Desai says. And remember that your employees are human. “Your employees are really the weakest links, because if your employees don't know what to look for, they're going to get exploited,” Desai says. “So employee training that's done more than once a year, that's more than just a checkbox, I think is really important.” 
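As an added illustration of the continuous monitoring Desai recommends, the following is example code written for this edit, not code from the article or from any of the firms quoted in it. It runs two common ransomware heuristics over file-activity events: a burst of renames that append a new extension to existing files, and a note-like file being written into many directories. The log line format, the user and action fields, the thresholds, and the ransom-note filename pattern are all assumptions chosen for the illustration; the sample log is constructed, not real telemetry.

```python
"""Heuristic ransomware-activity detector over file-event log lines.

Example code added for this edit; not from the article or any firm quoted in it.
The line format, thresholds and note-filename pattern are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PurePosixPath

# Assumed line format: "<ISO-8601 time> <user> <ACTION> <path>[ -> <new path>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<action>WRITE|RENAME|DELETE) "
    r"(?P<path>\S+)(?: -> (?P<new>\S+))?$"
)
# Assumed generic ransom-note naming pattern; not tied to any real family.
NOTE_RE = re.compile(r"(?i)^(readme|how_to|recover|decrypt)[^/]*\.(txt|html|hta)$")


def parse(line):
    """Parse one event line into a dict, or return None for lines that don't fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def is_suspicious_rename(old, new):
    """True when the rename keeps the original name and appends a new extension."""
    o, n = PurePosixPath(old), PurePosixPath(new)
    return n.name.startswith(o.name) and n.suffix != "" and n.suffix != o.suffix


def analyze(log_text, window=timedelta(seconds=60),
            rename_threshold=20, note_dir_threshold=3):
    """Return alerts as (rule, user, detail) tuples, at most one per rule per user."""
    alerts = []
    recent = defaultdict(deque)      # user -> timestamps of suspicious renames
    burst_reported = set()
    note_dirs = defaultdict(set)     # user -> directories that received a note-like file
    note_reported = set()

    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        user, ts = ev["user"], ev["ts"]

        if ev["action"] == "RENAME" and ev["new"] and is_suspicious_rename(ev["path"], ev["new"]):
            q = recent[user]
            q.append(ts)
            while q and ts - q[0] > window:      # slide the time window
                q.popleft()
            if len(q) >= rename_threshold and user not in burst_reported:
                burst_reported.add(user)
                alerts.append(("rename_burst", user,
                               f"{len(q)} extension-changing renames within {window.seconds}s"))

        if ev["action"] == "WRITE" and NOTE_RE.match(PurePosixPath(ev["path"]).name):
            dirs = note_dirs[user]
            dirs.add(str(PurePosixPath(ev["path"]).parent))
            if len(dirs) >= note_dir_threshold and user not in note_reported:
                note_reported.add(user)
                alerts.append(("ransom_note_spray", user,
                               f"note-like file written in {len(dirs)} directories"))
    return alerts


def sample_log():
    """Constructed sample: routine edits by alice, an encryption-like burst by bob."""
    base = datetime(2025, 3, 1, 9, 0, 0)
    lines = [f"{(base + timedelta(seconds=i * 30)).isoformat()} alice WRITE /srv/share/finance/q1_v{i}.xlsx"
             for i in range(5)]
    # An ordinary rename (extension unchanged) must not count toward the burst.
    lines.append(f"{(base + timedelta(minutes=3)).isoformat()} alice RENAME "
                 "/srv/share/finance/draft.docx -> /srv/share/finance/final.docx")
    burst = base + timedelta(minutes=14)
    for i in range(25):
        t = (burst + timedelta(seconds=i)).isoformat()
        lines.append(f"{t} bob RENAME /srv/share/hr/doc{i}.docx -> /srv/share/hr/doc{i}.docx.lockd")
    for i, d in enumerate(["hr", "finance", "legal"]):
        t = (burst + timedelta(seconds=30 + i)).isoformat()
        lines.append(f"{t} bob WRITE /srv/share/{d}/README_TO_RECOVER.txt")
    return "\n".join(lines)


if __name__ == "__main__":
    for alert in analyze(sample_log()):
        print(alert)
```

Run as a script, it prints one rename-burst alert and one note-spray alert for bob and nothing for alice. In practice the events would come from a file-server audit log or an EDR stream, and the thresholds would be tuned against normal activity on the share in question; the point of the sliding window is that speed of change, which Kichen singles out as the defining challenge, is itself the signal.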

Despite all those precautions, it’s also important to have a plan for responding to a successful attack, she adds. That includes being ready to pay up, if necessary. “Should you buy Bitcoin? Yeah, probably,” Desai says. 


The Evolution of Cybercrime 

To the uninitiated, the concept of RaaS may seem absurd, but cybersecurity experts see it as a natural evolution in cybercrime. “I think non-security professionals, they're generally a little bit incredulous at it,” Kichen says. “For security professionals, it's not much of a surprise. The bad guys, especially the financially motivated ones—they go where the money is. That's been the name of the game.” 

For that reason, it’s safe to say that RaaS won’t go away anytime soon, especially as operators reinvest and stay on top of evolving technology. The cybercriminal underworld used to consist of the haves and the have-nots, but the democratization of cybercrime has put cyber weapons in the hands of lay people.

“There was a time where you basically had the best of the best in the cyber world, where the state actors could do all the things, and then you had criminals that were able to do just little things, and the gap between them was massive,” Kichen says. “But the last 10, 15 years or so, that gap has closed considerably such that now, criminal actors, financially motivated, have some of the best technical capabilities on the planet.”