By Andrew Wig
“You don't have to be an expert anymore,” says Avani Desai, CEO of Schellman, a provider of attestation, compliance and cybersecurity services.
In selling access to ready-made cyber attack kits, RaaS provides the same ease of use as the software as a service (SaaS) model that inspired it. With SaaS, “I can basically pay someone to do most of the work on my behalf. I don't have to worry about installing the software, maintaining the software, updating the software,” Jason Kichen, chief information security officer at the software testing and quality engineering firm Tricentis, explains.
And RaaS is no different, except that the software is code that enables non-experts to gain control of the targeted organization’s data, hold it hostage and extract ransom, typically in the form of cryptocurrency. The cybersecurity world has taken notice, because ransomware as a general threat was already keeping them up at night.
“I think for most chief information security officers, [ransomware] is the closest thing you get to what we would consider an existential threat,” Kichen says. “This is the type of thing that when it goes bad, if it goes wrong, can literally be the difference between your company surviving and not surviving.”
And now, RaaS has brought in a whole new group of potential attackers. “I believe moving forward, we will see an expanded number of attacks, and they will be more damaging,” says Jessica Doherty, a senior manager and strategist at Broadcom Mainframe Software.
The victims may take no comfort in the notion that it’s just business, but that’s what it is. “Anytime you see money in a business, you want to make it a true business. And these are really true businesses. They actually have set up call centers and so forth,” Desai says.
It really is going to expand, I believe, how many attacks we will see moving forward.
—Jessica Doherty, Senior Manager and Strategist, Broadcom Mainframe Software
Instead of having one bad actor do everything, “ransomware as a service actually breaks down ransomware into specialized roles,” Desai explains. There’s the developer, who creates the ransomware kits, the affiliates who purchase the ransomware and carry out the attack, “and then there's going to be that broker; they're going to be the ones that get the data from the affiliate, and they're going to sell the stolen credentials,” she says.
And like legitimate businesses, there are people whose job it is to negotiate deals. “They're going to be the ones that handle the ransom demands with the victims. They're the ones who are going to send you the email or they're going to call you,” Desai says. It’s only that final link in the chain, the money launderer, that doesn’t have an analog to legitimate business. “They're going to take your crypto, and they're going to take the payments, and then they're going to make it into usable funds,” Desai explains.
The Developer: Creates the ransomware kits
The Affiliate: Purchases the ransomware kit and executes the attack
The Broker: Receives data from the affiliate and sells stolen credentials
The Negotiator: Makes the ransomware demands
The Launderer: Turns payments into usable funds
This collaboration happens more or less out in the open, Kichen says. When people think about RaaS, “they imagine criminals in a dark alley meeting under the cover of night, exchanging cash in a suitcase, like a very cloak-and-dagger type of deal,” he says. “The reality of it is, it's not quite completely out in the open, but it's pretty much out in the open.” While the RaaS providers are generally found on the dark web, that’s not exactly hidden away, since anyone can access it with a Tor browser, Kichen notes.
“It's really become a subscription-based business where anyone can launch an attack,” Desai observes. “I have a 14-year-old son who could probably go use, probably spend $20 on the dark web and buy a prebuilt ransomware kit and find instructions on how to actually launch it, and then can have a third party actually do the negotiation.”
“What's going to happen—and this is where my customers or my clients are really concerned—is more attacks, more ransomware demands,” Desai says.
Proliferation also means a higher rate of attack. “Before, these things were relatively slow-moving,” Kichen says. “...The efficiency for any given ransomware operator was pretty limited. But with ransomware as a service, the scale of that is well beyond what it used to be. So the speed is what presents the biggest challenge now.”
Cyber defenders might at least take heart in the supposition that attacks via RaaS are likely to be less sophisticated than custom-built assaults due to their off-the-shelf nature. “I think that's the right mental framework that we should assume,” Kichen says, “that the most sophisticated technical capabilities are going to be reserved for the hardest targets, and the hardest targets are not going to come through the ransomware as a service mechanism. They're going to come through some other mechanism.”
Ransomware victims don’t have an immediate way of knowing whether an attack came through RaaS, Kichen notes, so hard data on the prevalence of the crime model is hard to come by. However, if RaaS has proliferated as much as expert observers believe, that didn’t translate to a higher overall financial toll last year, according to an estimate from Chainalysis, a blockchain analytics company. Total ransomware payments dropped by 35% in 2024, although the $1.25 billion in payments made in 2023 was a record, according to Chainalysis.
While RaaS is a relatively new feature on the threat landscape, the way to defend against it doesn’t differ from regular ransomware precautions. In guarding against RaaS, “we do the same things that we've always been doing against digital threats that we've been doing for 10, 20 years or longer,” Kichen says. However, given the presumed increase of threats brought by RaaS, cybersecurity professionals might feel more urgency to shore up weak points.
That includes enforcing multi-factor authentication (MFA) across all access points, layered security, diligent software updating and vulnerability patching and continuous monitoring, Desai advises. Doherty adds, “Cybercriminals seek the easiest entry points, so the best defense is to close off the most common vulnerabilities.”
Keeping secure, offline backups is another precaution, “because now what our attackers are really doing is they're targeting cloud backups too,” Desai says. And remember that your employees are human. “Your employees are really the weakest links, because if your employees don't know what to look for, they're going to get exploited,” Desai says. “So employee training that's done more than once a year, that's more than just a checkbox, I think is really important.”
Despite all those precautions, it’s also important to have a plan for responding to a successful attack, she adds. That includes being ready to pay up, if necessary. “Should you buy Bitcoin? Yeah, probably,” Desai says.
To the uninitiated, the concept of RaaS may seem absurd, but cybersecurity experts see it as a natural evolution in cybercrime. “I think non-security professionals, they're generally a little bit incredulous at it,” Kichen says. “For security professionals, it's not much of a surprise. The bad guys, especially the financially motivated ones—they go where the money is. That's been the name of the game.”
For that reason, it’s safe to say that RaaS won’t go away anytime soon, especially as operators reinvest and stay on top of evolving technology. The cybercriminal underworld used to consist of the haves and the have-nots, but the democratization of cybercrime has put cyber weapons in the hands of lay people.