Ransomware-as-a-service (RaaS) is a model in which malicious groups offer their malware programs to affiliates for a fee. The RaaS model has been built to mimic the software-as-a-service (SaaS) model, only with more malicious objectives.
For example, in May 2021, ransomware found its way into the infrastructure of the Colonial Pipeline computer system.[1] This attack caused a full pipeline shutdown, disrupting fuel operations and availability for many living in the Eastern United States. It was determined to be part of a ransomware-as-a-service operation.
Continue reading to learn more about how this growing cyberthreat works, examples of RaaS entities, and how to protect yourself from ransomware.
Ransomware vs. ransomware-as-a-service
Cybercriminals use many different types of malicious software to steal information and extort victims. Ransomware is a kind of malware that installs on computers and locks users out until they pay a ransom with a credit card, Bitcoin, or another form of cryptocurrency. The goal of ransomware is to restrict access to a user’s system or data until they pay to regain access.
Notably, not all hackers who use malware use ransomware, and not all malicious software is developed into ransomware-as-a-service. Ransomware services allow users to create their own ransomware without building it entirely from scratch. Envision it as similar to a SaaS product in that the ransomware program is the product, and the RaaS is the service selling it to users.
How does RaaS work?
Ransomware as a service (RaaS) is a cloud-based platform that allows users to build and buy ransomware. The most common way a RaaS operates is that a developer will sell access to their ransomware online through sites like Black Market Reloaded, AlphaBay, or dark web forums. The buyer pays the distributors upfront based on their payment or fee structure.
Many RaaS distributors also offer affiliates a subscription with a monthly fee or a profit-sharing arrangement. The purchaser then waits for the software to be provided and is given instructions on how to use it.
Most RaaS operators use a unique algorithm to encrypt files and send them back to the user purchasing the ransomware. RaaS also includes an administrative panel where the creators can view statistics about how purchasers use their ransomware. These details are valuable to the RaaS creators because they can use them for future virus developments or target specific organizations to maximize the earnings from ransom payments.
Once users purchase their copy of ransomware, it is transferred via email. From there, users can configure what types of files should be encrypted by the program and set up an email account to which victims can submit their ransom demands.
Most ransomware engineers will include a set of instructions with their software that explains how to configure it. This usually involves editing a text file and adding some information about where encrypted files are stored and the email address that receives the payment demands from victims. Many RaaS models also guide buyers on conducting phishing or social engineering attacks to deploy their ransomware on victims.
RaaS revenue models
Buying or leasing access to the ransomware software from the original creator is the standard selling structure of most RaaS distributors. They then distribute ransomware, which allows buyers to use it on their computers or across their networks. Purchasers then have complete control over how many files they want to be encrypted and how much money they will charge victims for them to get their data back.
RaaS kits range in price from roughly a few hundred dollars to over thousands. The RaaS operators often set the price based on an affiliate or subscription fee, profit sharing, one-time payment, or a flat fee for others to purchase their software. For instance, if a buyer wants to charge victims $2,000 to regain access to their system, they can split that profit with the RaaS distributors or net the profit minus the expenses of the fee.
The payout of the RaaS kit can also be highly lucrative for both the seller and the purchaser. This is partly because the return on their product investment can be highly profitable depending on how many victims are targeted and the monetary amount of ransoms collected.
This has led to these malicious groups turning ransomware's profitability into a full business entity. Like SaaS businesses, ransomware developers can build successful software once and continue earning revenue from it through multiple pathways. Notably, many RaaS distributors often also mirror the structure of a legitimate technology company with dedicated websites for customer support, supporting forums, reviews, and more.
Examples of RaaS threats
There has been a distinct increase in ransomware cyberattacks over the past several years. This could be due to the easier accessibility of ransomware for purchase, which is offered to more novice cybercriminals. According to IT security company Sophos, the average ransomware cost for businesses worldwide is nearly $1.4 million annually.[2]
As RaaS becomes more common among many cybercriminals, that number will likely continue to increase. Currently, several threat actor groups are among the main ransomware operators that distribute their software to other hackers. Below are the more widely known threat groups that sell RaaS.
REvil
The malicious group REvil, also known as Sodinokibi, is a Russian-based ransomware gang that runs a RaaS toolkit operation. The ransomware gang has been active since initial chatter with the hackers began in 2019.[3] They have conducted many attacks on individuals and businesses, including a high-profile attack in 2021 on CNA Financial.[4]
The core members of this group maintain and provide the ransomware payload. They also host the victim data leak/auction site, facilitate victim communication, provide payment services, and distribute the decryption key to purchasers. The group focuses on leveraging hackers for hire, referred to as affiliates, to conduct the breach, steal target data, delete backups, and infect victims’ systems with ransomware for a share of the proceeds.
DarkSide
DarkSide has become a notable threat group over the past few years. Most notably, they orchestrated the attack on the Colonial Pipeline in May 2021. This ransomware gang offers its RaaS to affiliates for a percentage of the profits.
The ransomware built and sold to their affiliates utilizes phishing and remote desktop protocol (RDP) abuse and exploits known vulnerabilities to gain initial access. The group also uses standard, legitimate tools throughout the attack process to remain undetected and obscure the attack.
Ryuk
Ryuk is a family of ransomware that originally appeared in 2018. According to security SaaS company Trend Micro, Ryuk is a malicious software program believed to be the product of a RaaS operator named Wizard Spider.[5] The threat group that operates the Ryuk RaaS toolkit is said to specifically target businesses, hospitals, and government institutions with their attacks.
Experts have advised that this ransomware is derived from an older version of the Hermes ransomware, which was developed by the same gang. The main attack method of this service is phishing emails that facilitate user entry into systems.
Once the user clicks on the phishing email, the ransomware downloads additional malware elements called droppers onto the operating system. From there, the ransomware secures and encrypts files that lock users out of their data unless they pay a ransom to regain access.
LockBit
LockBit is one of the oldest ransomware groups, operational since at least 2019. Their malicious software self-propagates, making it easier for even technically novice people to purchase and deploy it.
The main targets of this ransomware have been the healthcare, professional services, and government sectors. LockBit’s RaaS operators require purchasers to pay a deposit for custom for-hire attacks and to profit under an affiliate program. Ransom payments are then divided between the LockBit developer team and the attacking affiliates.
LockBit released a bug bounty program for 2022, allowing developers to fix bugs with their ransomware for a flat payout. According to Darkfeed.io, the first payout of the bug bounty program was completed on July 6, 2022. This $50,000 bounty from LockBit helped further strengthen the encryption, ensuring victim payout.
Maze
Similar to many other RaaS distributors, Maze first began surfacing in 2019. One of their more notable attacks was when they breached the system of the printing company Xerox.[6] Hackers originally facilitated this ransomware program via malicious email attachments.
As the group has evolved, its ransomware point of origin now commonly attempts to use stolen or guessed RDP credentials to infiltrate a network. Other attack points have begun by compromising a vulnerable virtual private network (VPN) server.
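A defender-side check for the stolen-or-guessed RDP credential entry point described above, as an added example that is not part of the original article. It flags a source address that piles up failed RDP logons and then succeeds; the CSV layout, threshold, window, and sample rows are constructed assumptions.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: simplified export of Windows Security logon events.
# 4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive (RDP).
SAMPLE = """time,event_id,logon_type,source_ip,account
2024-01-10T02:00:05,4625,10,203.0.113.7,admin
2024-01-10T02:00:09,4625,10,203.0.113.7,administrator
2024-01-10T02:00:14,4625,10,203.0.113.7,backup
2024-01-10T02:00:20,4625,10,203.0.113.7,svc_backup
2024-01-10T02:00:26,4625,10,203.0.113.7,svc_backup
2024-01-10T02:00:31,4624,10,203.0.113.7,svc_backup
2024-01-10T08:15:00,4625,10,198.51.100.20,jsmith
2024-01-10T08:15:20,4624,10,198.51.100.20,jsmith
2024-01-10T09:00:00,4624,2,-,jsmith
"""

# With Network Level Authentication, failed attempts may be logged as type 3;
# widen this set if that matches your environment.
RDP_TYPES = {"10"}

def detect_rdp_guessing(text, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: {...}} for IPs with >= threshold failed RDP logons
    inside `window`, recording any account that logged on right afterwards."""
    recent_failures = defaultdict(deque)   # source_ip -> failure timestamps
    alerts = {}
    rows = sorted(csv.DictReader(io.StringIO(text)), key=lambda r: r["time"])
    for row in rows:
        if row["logon_type"] not in RDP_TYPES:
            continue
        ts = datetime.fromisoformat(row["time"])
        ip = row["source_ip"]
        q = recent_failures[ip]
        while q and ts - q[0] > window:    # drop failures outside the window
            q.popleft()
        if row["event_id"] == "4625":
            q.append(ts)
            if len(q) >= threshold:
                entry = alerts.setdefault(ip, {"failures": 0, "success_account": None})
                entry["failures"] = max(entry["failures"], len(q))
        elif row["event_id"] == "4624" and len(q) >= threshold:
            # A success straight after a failure burst suggests a guessed password.
            alerts.setdefault(ip, {"failures": len(q), "success_account": None})
            alerts[ip]["success_account"] = row["account"]
    return alerts

if __name__ == "__main__":
    for ip, info in detect_rdp_guessing(SAMPLE).items():
        print(ip, info)
```

An alert with a non-empty `success_account` is the case to escalate first: reset that account's password and review what the session did.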
How to protect yourself from RaaS attacks
With ransomware and RaaS becoming an increasing threat to individuals and businesses, it may seem challenging to stay protected online. However, it's possible to protect yourself from ransomware threats.
Here are some simple ways to stay safe online and protect yourself from ransomware.
- Invest in antivirus or anti-malware software to run regular system checks for malicious software on your system.
- Avoid clicking on or following links sent via email from unrecognized or unconfirmed sources.
- Refrain from opening any attachments sent in an email if you do not know the sender.
- Utilize the spam filter with your email provider and report any phishing emails you receive.
- Schedule regular system and device backups in the event of a possible compromise.
- Ensure your software and firmware are up to date with the latest manufacturer release.
- Protect your passwords by utilizing hard-to-crack password combinations or using a password manager.
- In the event of a ransomware attack, research and source a malware removal tool.
- Keep social media accounts private, if possible.
- Abstain from sharing too much personally identifiable information on websites or social media.
The best cybersecurity bundles with ransomware protection
Antivirus | TotalAV | Aura | Norton360 Antivirus | Surfshark Antivirus |
Best for | Best overall antivirus software | All-in-one software | Comprehensive security | Best value |
Starting price | $29.00/yr (first year only) | $35.99/first yr | $29.99/first yr | $3.19/mo (billed annually) |
Features | Zero-day scans, anti-phishing, ransomware protection, password manager, ad blocker, TotalVPN | Antivirus protection, VPN, password manager, security for multiple devices | Antivirus, malware, ransomware, and hacking protection, cloud backup, password manager, Norton Secure VPN | Antivirus protection, Surfshark VPN, private search engine, data leak alerts, ad blocker |
Learn more | Get TotalAV | Get Aura | Get Norton360 Antivirus | Get Surfshark Antivirus |
FAQs
What is malware as a service?
Malware-as-a-service (MaaS) is the illegal use of software and hardware for cyberattacks. Owners of MaaS servers offer threat actors a paid botnet service that distributes malware. This service's clients are often provided access to a personal account on an online platform. Their account will allow them to manage the attack and get technical assistance.
Can ransomware affect software as a service?
Cybercriminals can use software-as-a-service (SaaS) applications to sell or lease out malicious software (malware) to others. RaaS malware is the product that RaaS distributors sell to their affiliates. It can easily infect both on-premise and cloud SaaS applications resulting in the loss of critical data from vital SaaS applications.
Is ransomware-as-a-service illegal?
Any involvement with ransomware-as-a-service is illegal. It is illegal to build, develop, and deploy malicious software with the intent to steal information, cause damage, or disrupt services. This also includes buying RaaS kits on the dark web to cause harm by transmitting unwanted code to victims and extorting ransom from them.
Bottom line
Ransomware-as-a-service is a relatively recent development in the cybercrime world. It's become an easy way for cybercriminals to get into ransomware and use it to make money by selling access to these attacks.
RaaS has made it easier than ever for both high-level and low-level cybercriminals to use ransomware tools for extortion. Since this type of malware is easy to create and distribute, it's highly lucrative for affiliates and distributors alike.
While ransomware will continue to threaten individuals and businesses, you can still take cybersecurity measures to protect your information online. Invest in trusted cybersecurity software with real-time ransomware protection.