RaaS

Updated on Jun 26, 2024

What Is RaaS?

Ransomware as a Service (RaaS) operates similarly to Software as a Service (SaaS) but for cybercrime. In RaaS, operators develop ransomware tools that affiliates can rent to launch attacks, lowering the barrier for entry into ransomware attacks. This model allows attackers to gain access to victims' devices, encrypt data, and demand payment for its release, without needing to create their own ransomware tools.

Impact of RaaS

RaaS is accessible to any individual or group seeking to initiate cyberattacks, leading to a surge in ransomware incidents and posing challenges for law enforcement efforts. Even in cases where malware developers are apprehended, RaaS affiliates can continue their illicit activities unhindered. The impact of ransomware has intensified with the proliferation of RaaS ecosystems adopting the double extortion tactic. In addition to encrypting data, attackers threaten to publicly disclose it to coerce victims into paying the ransom. In 2020 alone, ransomware attacks incurred approximately US$20 billion in global economic losses. Most criminal organizations utilize the RaaS model for launching attacks.

How Does RaaS Work?

RaaS Operation Principle

RaaS operates on a subscription-based model for executing ransomware attacks. Developers create ransomware payloads and payment portals for interacting with victims. Operators attract affiliates through marketing efforts on forums or darknets. Affiliates sign up, pay fees (typically in Bitcoin), and receive RaaS kits tailored to specific targets. These kits may include technical support, bundled offers, updates, private forum access, and other features akin to those of legitimate SaaS providers. Upon payment, affiliates initiate attacks using the ransomware. Email phishing is a common method for ransomware delivery. Once deployed, the ransomware locks the victim's device and encrypts data. A ransom message is then sent, demanding payment in exchange for the decryption key. The following lists outline the roles of operators and affiliates in the RaaS model:

RaaS Operator

  1. Recruit affiliates on forums or darknets.

     • Provide affiliates with access to a "build your own ransomware package" panel.

     • Create a dedicated "Command and Control" dashboard for affiliates to track the package.

  2. Set up a victim payment portal.

     • Assist affiliates with victim negotiations.

     • Provide technical support.

  3. Manage a dedicated leak site.

RaaS Affiliates

  1. Create an account and pay to use the ransomware.

     • Set ransom demands.

     • Configure the ransomware message sent to the victim after the attack intrusion.

     • Deploy ransomware.

     • Compromise the victim's assets.

     • Maximize the ransomware infection scope.

  2. Communicate with the victim via chat portals or other communication channels.

  3. Manage decryption keys.

RaaS Revenue Model

Common revenue models in RaaS include:

  • Affiliate Program: Ransomware developers receive a percentage of the ransom (typically 20% to 30%) after affiliates pay subscription fees.

  • Monthly Subscription: Affiliates pay a fixed monthly fee without sharing profits with RaaS providers.

  • One-time License Fee: Affiliates purchase RaaS with a single payment, enabling indefinite usage without profit sharing with operators.

  • Pure Profit Sharing: Profits are divided among affiliates and operators post-license purchase.
