
RaaS: Rise of Ransomware-as-a-Service in Cybercrime


Over the years, Software-as-a-Service (SaaS) — a business model in which software providers deliver sophisticated, cloud-based solutions to their clients — has transformed the industry. A similar and fast-emerging trend is now slowly leaving its footprints in the dark world of organised cybercrime.

Ransomware-as-a-Service (RaaS) has turned what was once the domain of skilled hackers into a marketplace where anyone can rent powerful ransomware tools.

Recent trends show that cybercriminals have been adopting the same model, where anyone with malicious intent can purchase ransomware tools, eliminating the need for technical expertise or resources to develop malware.

Ransomware can be termed as the digital kidnapper of digital resources. In other words, it is basically a type of malicious software designed to block access to a computer system or data until a ransom is paid. It works by encrypting files on the victim’s system, rendering them unusable unless the decryption key is provided. The attacker typically demands a monetary payment, often in cryptocurrency, in exchange for the key to restore access. If victims fail to pay within a certain time, the attackers may threaten to delete the data or expose it publicly.

How the RaaS Ecosystem Functions

According to a report by UK-based threat intelligence firm Searchlight Cyber, the number of ransomware groups increased by more than 50 percent in the first half of 2024 compared to the previous year.

Custom malware offered as a service operates mostly on the dark web, where expert developers supply ransomware tools and services to less capable threat actors known as affiliates. They typically post ads and promotional threads on dark web forums to recruit affiliates and sell the code.

Once an affiliate purchases or joins a program, they are provided with custom ransomware executables and the necessary infrastructure, such as command-and-control servers, payment portals, and data leak sites. Tasked with deploying the malware onto a business or government victim's systems, these affiliates are paid a commission by the RaaS operator once the ransom is paid.

Earlier this year, a well-known RaaS group named BlackCat (also known as ALPHV) carried out an attack on Change Healthcare, a large U.S. healthcare IT company that serves 1 in every 3 American patients.

On 1 March 2024 the company reportedly paid a ransom of $22 million in Bitcoin to prevent the leak of 6TB of stolen data affecting over 110 million Americans. However, despite the payment, the hackers allegedly pulled an exit scam, pocketing the money without sharing it with the affiliate who conducted the attack. A new ransomware group called RansomHub then emerged, claiming to have acquired the stolen data and demanding an additional payment from Change Healthcare to prevent further leaks.

According to Group-IB, a US-based intelligence firm, the RaaS ecosystem primarily involves brokers who sell compromised access to corporate networks by exploiting weak credentials and unpatched systems. This access is then sold to RaaS affiliates, who play a crucial role in deploying the ransomware.

Affiliates start by gaining enterprise access, deleting backups to prevent recovery, and exfiltrating data for use in double extortion. Operators manage the technical side of the operation, including building unique ransomware executables, overseeing the infrastructure, and running the data leak sites used in double extortion attacks – where the victim's data is not only encrypted but also stolen.

This tactic was first seen in ransomware groups like Maze and Snatch. It puts extra pressure on victims, with 83% of ransomware cases now involving data exfiltration.

RansomHub, a RaaS group that emerged in mid-February 2024, has already been involved in approximately 320 attacks worldwide. The group also recently claimed to have access to 140Gb of data belonging to IIIT-Delhi.

LockBit, the most active RaaS group, carried out 1,079 successful attacks in 2023 alone, the majority of them targeting U.S. companies. These groups continue to recruit affiliates on Russian dark web forums such as RAMP, which currently hosts 60% of all new RaaS programs, according to the Group-IB report.

Published On: Sep 11, 2024
