Over the last couple of years, ransomware attacks have grown substantially, crippling businesses, governments, and healthcare institutions worldwide. Protecting against these ransomware attacks has therefore been a key pillar of all security strategies across organizations. As we get better at defending, criminals also get better at attacking. They do so by professionalizing their services, almost working similarly to legitimate software businesses, and creating a business model out of these attacks: selling Ransomware-as-a-Service (RaaS).
Ransomware-as-a-Service
The RaaS business model makes it easier for non-expert cybercriminals to engage in high-impact ransomware campaigns, as it allows attackers that lack the skills or time to develop their own ransomware variant to purchase on in an affordable manner.
The kits are easy to find on the dark web, and much like subscription-based Software-as-a-Service (SaaS) businesses, RaaS platforms often provide user-friendly interfaces, customer support, and even updates to ensure affiliates can launch successful attacks. Some RaaS providers even go a step further, offering guides on how to distribute the malware via phishing emails, exploiting system vulnerabilities, or using other attack vectors.
This model lowers the barrier to entry for cybercrime, turning ransomware into a scalable and profitable service that anyone with malicious intent can exploit.
RansomHub & other RaaS platforms
One of the groups that has established itself as an efficient and successful service model is RansomHub. The attackers, formerly known by names such as Cyclops and Knight, leverage a double-extortion model by encrypting systems and exfiltrating data to extort victims.
Since its inception in February 2024, RansomHub has encrypted and exfiltrated data from at least 210 victims representing the water and wastewater, information technology, government services and facilities, healthcare and public health, emergency services, food and agriculture, financial services, commercial facilities, critical manufacturing, transportation, and communications critical infrastructure sectors, America’s Cyber Defense Agency said.
RansomHub appears to have hit the ground running thanks to attracting criminal talent from well-known ransomware groups such as ALPHV and LockBit following law enforcement attention impinged upon their operations, Forbes added.
Other well-known RaaS platforms include Lockbit, which uses a subclass of ransomware known as ‘crypto virus’, as its ransom demands are based on payment in exchange for decryption. Rather than individuals, its primary targets are corporations and government agencies.
In the past, an infamous RaaS group was DarkSide, which gained widespread attention for its role in the Colonial Pipeline attack in 2021. The attack caused fuel shortages across the Eastern United States and resulted in a ransom payment of nearly $5 million. And one of the most notorious RaaS groups was REvil, which was responsible for numerous high-profile attacks, including the Kaseya attack, which impacted hundreds of businesses worldwide. REvil affiliates used their ransomware to target victims in various industries, collecting millions in ransom payments.
Defend against RaaS
Ransomware-as-a-Service has transformed cybercrime, making it accessible to a broader range of criminals and increasing the frequency and severity of attacks. The RaaS model’s scalability and professionalization pose a growing threat to organizations worldwide, as evidenced by high-profile attacks on critical infrastructure and businesses.
In response to the RansomHub attack threat, the FBI advised to take three mitigating strategies, which includes installing updates for operating systems, software and firmware as soon as they are released, implementing multi-factor authentication, and educating users to recognize and report phishing attempts.
While these are known strategies for every CISO, repetition of these protocols within their organization can never hurt.