RaaS (Ransomware as a Service) is a business model used by ransomware developers to offer products and kits capable of launching ransomware attacks, even to those with little technical knowledge:

What is RaaS (Ransomware as a Service)


RaaS (Ransomware as a Service) is a business model between ransomware operators and affiliates, in which affiliates pay operators to initiate ransomware attacks. "Do it yourself" RaaS kits allow affiliates to get up and running quickly and cheaply, even if they don't have the knowledge or time to create their own ransomware.

On the dark web, RaaS service offerings are advertised similarly to how products are advertised on the Internet.


How RaaS works


Malware authors rent their malware, and the infrastructure that created and powers it, to other cybercriminals through a cloud computing business called MaaS (Malware as a Service).


Because customers can access software and infrastructure without having to install and maintain it, MaaS is comparable to software-as-a-service (SaaS) models.

MaaS and RaaS (Ransomware-as-a-Service) differ in that MaaS is used to spread various forms of malware, while RaaS is used only to spread ransomware.

The two services are equivalent in terms of functionality, differing only in the type of malware spread. Both MaaS and RaaS charge customers for using the service, and both provide technical support and administration tools.

The MaaS model


The MaaS (Malware as a Service) model is a malicious form of the SaaS (Software as a Service) concept.

The RaaS model is a subset of MaaS that makes it easy for people with no prior training or experience to receive significant rewards from malicious attacks.

RaaS comes with a very large package of services and instructions. The package includes: compiled ransomware or its source code, tools for customizing the ransomware, programs that extract data before encryption, infrastructure for managing the ransomware, a control panel, technical support, and a private forum for information sharing.

RaaS business models


RaaS business models differ in how the profits are divided and in the pre-established tasks of the operators and affiliates, each of whom is assigned a particular role to perform.

The most common business models are the following:

  • offering monthly subscription plans,
  • offering profit sharing agreements with a set percentage,
  • using affiliate marketing.


The revenue sharing arrangement, which splits the ransom money between the ransomware operator and an affiliate, is the most commonly used revenue model.

Although slightly less common, other revenue models are still in use.

Under the one-time flat fee model, the affiliate pays the operator a single fee for using the RaaS kit. Monthly subscription plans are comparable, but the affiliate pays an ongoing cost.

Instead, in the case of affiliate marketing, the operator compensates the affiliate for each successful attack.

How Ransomware Was Born


In the past, ransomware attacks were automated and performed on a much smaller scale than today.

It worked like this: attackers sent a bulk email with an attachment, and when a recipient double-clicked on it, the ransomware started running on their computer. The user's computer was locked and the user was asked to pay approximately $300 in Bitcoin to unlock it. Attackers sent large numbers of these emails, many recipients' data was locked with encryption, and many of them paid the attackers a few hundred dollars. In practice, this was the business model of the "old days".

But later, ransomware groups saw a huge opportunity.

The evolution of ransomware attacks


Ransomware attacks are now more targeted than they have ever been, because RaaS attacks are handled on an ad hoc basis. Targeted attacks are much more harmful than mass email attacks.

Attackers invest more time, resources, and effort into targeted attacks to gain access to the corporate network and steal information. These attacks often gain access by exploiting well-known security holes.

RaaS affiliates can choose exactly when to launch an attack because RaaS attacks are individually targeted and handled. This also includes taking advantage of times when businesses are most vulnerable, such as weekends or holidays.

For attackers, the first phase of the attack is the most important, since the intrusion, data encryption and data download must all be completed. The data download is carried out in order to put more pressure on the company in case it refuses to pay, since in that case its data would be made public or sold on the dark web to anyone who could make illegal use of it.

One of the biggest innovations in the RaaS space in recent years has been the use of double extortion schemes, where attackers steal data before encrypting it and threaten to make it public if the ransom isn't paid.

Double extortion model


Unfortunately, double extortion has become very common in recent years. Data stolen from companies is leaked in order to prove that the data has been accessed and to speed up negotiations. Some gangs no longer even bother to encrypt data, because the economic result is still obtained.

In recent years, companies have become much more aware of the risks involved in a ransomware attack, and for this reason they have equipped themselves with much more frequent backups. So in case of data encryption, they are much less vulnerable. On the other hand, the public dissemination of data always involves serious damage to reputation and costs for loss of functionality.

Sale of access


Recently it has been discovered that criminals, after perpetrating a ransomware attack, spread news and evidence of the break-in on the dark web in order to sell access to the corporate network. Advertisements of this type have been seen, promising access to the network as well as selling the already stolen data package. In this way the offenders can open an auction between the company damaged by the ransomware and the possible buyer who wants to take possession of the company's confidential information.

It is estimated that around 80% of companies agree to pay the ransom. But being a victim of ransomware is always traumatic and can slow down a business's growth. It is imperative for companies to adopt rigorous security measures to protect themselves from this calamity, which seriously endangers the development and productivity of the companies themselves.
