RaaS (Ransomware-as-a-Service) is a business model whereby malware developers lease out ransomware and its control infrastructure to other cybercriminals.
RaaS is a variation of the MaaS (Malware-as-a-Service) model, which in turn is a malicious variant of the SaaS (Software-as-a-Service) model.
What does RaaS include?
The RaaS model is most commonly used to spread cryptomalware — programs that encrypt files on a target device and demand a ransom for their recovery. Since the end of 2019, many ransomware developers have also included data theft as part of the service in order to threaten victims with its publication if the ransom is not paid. Under the RaaS model, cybercriminals can also distribute lockers — programs that lock the device until the ransom is paid.
RaaS services can include:
- Compiled ransomware or its source code
- Ransomware customization tools — for example for selecting the target’s operating system, writing a custom ransom note, etc.
- Other malicious tools, such as programs that extract data before encryption
- Infrastructure for managing the ransomware
- Control panel
- Technical support
- Private forum for information exchange
- Instructions
Some RaaS providers additionally offer to help negotiate the ransom.
Paying for RaaS
RaaS-type services are usually procured on a darknet. There are various RaaS payment models:
- One-off ransomware purchase
- Monthly subscription
- Commission as a percentage of the ransom
Some RaaS providers combine several payment methods, such as a subscription fee and a share of the ransom.
RaaS and the rise of ransomware attacks
The RaaS model lowers the entry threshold for the extortion business: ransomware developers lease out ready-made malware and infrastructure, so even attackers who are not well-versed in programming languages or lack other technical expertise can stage attacks. This is leading to an increase in the number of ransomware incidents, while at the same time, it is hindering the fight against ransomwarers: even if the malware developers get caught, RaaS customers can still carry on with their criminal activity.
Known groups that distribute ransomware through the RaaS model
Major players in the RaaS market include Conti, REvil (aka Sodinokibi), DarkSide, Babuk and Lockbit.