What is ransomware-as-a-service and how can organizations combat it?

Author: Phil Muncaster

Ransomware is on the rise. In fact, ransomware is up 13% this year, more than in the last five years combined, according to Verizon's 2022 Data Breach Investigations Report (DBIR).

Why has the threat become so elevated that governments are now regularly issuing warnings to critical infrastructure and other organizations? A big part of the blame lies with the emergence of ransomware-as-a-service (RaaS) and the affiliate model underpinning it. What is ransomware-as-a-service, and what does it mean for your organization?

Organizations wanting to understand how to combat ransomware-as-a-service need not look far. In fact, the advice for mitigating such attacks largely remains the same: focus on building resilience in the first instance, and improve detection and response in the second.

What is ransomware-as-a-service?

Ransomware-as-a-service is a malicious, subscription-based business model that involves the selling or renting of ransomware to buyers, called affiliates, in order to execute attacks. The RaaS operators typically collect a percentage of the ransom payments. Just as software-as-a-service (SaaS) streamlined the deployment and ongoing management of enterprise software, so too has ransomware-as-a-service simplified and democratized the ransomware space. By bundling all the capabilities threat actors need to carry out attacks in a cloud service, ransomware operators effectively opened the door to a whole new business model for budding cyber criminals. The result is triple-digit growth in attacks, according to some estimates.

There are two very good reasons why it's now so popular on the cyber crime underground:

  • The operator provides the ransomware payload and infrastructure, accelerating time to value for the ransomware-as-a-service affiliate.
  • The operator gets scale while the affiliate has an excellent and relatively cost-effective way to make money, pocketing as much as 80% of the profits.

Competition among ransomware operators can be fierce, according to some researchers. Flashy websites, how-to videos and other materials help them vie for the attention of affiliate groups. It's said that some operators prefer more tech-savvy affiliates in order to go after the "big-game" victims that will reap the largest rewards. In general, ransomware-as-a-service has significantly lowered the barrier to entry for cyber crime gangs.

How does it work?

So, what is ransomware-as-a-service and how does it work? Most follow a similar attack pattern:

  1. The affiliate signs up, either with a monthly flat-fee payment or with an affiliate subscription under which 20-30% of profits go to the developer/operator. Some operations allow sign-ups on a commission-only basis.
  2. The affiliate gains access to onboarding documentation, guides and possibly even dashboards to track the progress of attacks.
  3. They launch their attack, sometimes using initial access broker (IAB) services for ready-made network access. They then perform lateral movement, data theft and deployment of the ransomware payload.
  4. The affiliate sends a ransom demand to their victim and manages the communication and payment process, sending decryption keys if the ransom is paid.
  5. Double extortion features in most ransomware attacks. Here, the affiliate will pressure the victim into paying, by threatening to leak stolen data on the dark web. The leak site is managed by the ransomware operator, which also provides the affiliate with a pre-built payment portal.

What's the impact on businesses?

It's difficult to accurately assess the financial impact of ransomware, given that many attacks aren't fully disclosed.

The Internet Crime Complaint Center (IC3) is a division of the Federal Bureau of Investigation (FBI) that handles complaints about suspected Internet-facilitated criminal activity. IC3 works with law enforcement authorities and industry partners to collect and analyze information for public awareness, investigative and intelligence purposes. IC3's 2021 cyber crime report highlights the threat that ransomware attacks pose to critical infrastructure entities. According to the report, IC3 received 847,376 complaints in 2021 covering all internet crimes, with losses amounting to $6.9 billion, and it puts adjusted losses from ransomware attacks at more than $49.2 million in 2021. One business process outsourcer alone recently admitted that a 2021 attack likely cost it nearly $35 million.

According to a report from Coveware, the average ransom payment surged 130% from Q3 to Q4 in 2021. But this is just one factor to consider. Victims are on the hook for both significant financial and reputational damage, including:

  • Regulatory fines, especially if data is stolen or leaked
  • Customer churn and reputational damage
  • Lost output
  • Lost sales
  • Legal costs, especially if class action lawsuits follow a data breach
  • IT overtime to remediate and restore
  • Third-party fees for forensics, investigations, etc.

Time is money when it comes to ransomware. Even if your organization has backups to restore from, it can be days before systems are back up and running, which can have a significant operational and financial impact. As the Coveware report indicates, the average ransomware case in Q4 2021 lasted 20 days. It claims the most serious cost from ransomware is the cost associated with business interruption.

How to combat ransomware-as-a-service

The positive news from a network defender's perspective is that there shouldn't be any major differences in how to combat ransomware-as-a-service versus attacks carried out in more traditional ways. The bottom line is that, as the DBIR shows, attackers typically gain initial access by one of three methods:

  • A phishing email
  • Remote Desktop Protocol (RDP) compromise, usually due to insecure passwords
  • Vulnerability exploitation

They then use techniques such as legitimate tooling and/or "living off the land" in order to achieve lateral movement without setting off any internal AV alarms. Therefore, the best ways to combat ransomware-as-a-service rely on a combination of prevention, to limit the chances of initial compromise, plus effective detection and response, to rapidly spot and mitigate any breach.

Consider steps such as:

  • Enhanced user awareness training programs, so employees don't click on phishing links
  • Improved email security using AI to quarantine and filter suspicious messages
  • Multi-factor authentication for all RDP endpoints
  • Continuous risk-based patching to minimize exposure to software exploits
  • Disabling unused RDP ports and monitoring RDP logs
  • Tightening access controls according to least privilege/Zero Trust principles
  • Network segmentation to limit the "blast radius" of attacks
  • Endpoint detection and response (EDR) and network detection and response (NDR) tools to monitor for suspicious endpoint and network behavior
  • Continuous monitoring of supply chains to mitigate third-party risk
  • Incident response planning to streamline a response in the worst case scenario
  • Regular backups with one copy stored offline
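The "monitoring RDP logs" step above is easy to state and harder to operationalize. As an added illustration (not code from the article or from Verizon), the following Python flags the pattern behind the DBIR's "RDP compromise, usually due to insecure passwords" finding: a burst of failed logons from one source address followed by a successful RDP logon from the same address. The event records are constructed samples modeled on Windows Security Event IDs 4625 (failed logon) and 4624 (successful logon); the function name and record layout are assumptions for the example.

```python
"""Detect RDP password guessing that ends in a successful logon.

Added example, not from the article. Records are constructed to resemble
Windows Security events 4625/4624; the tuple layout is an assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, event_id, logon_type, user, source_ip)
# LogonType 10 = RemoteInteractive (RDP); with Network Level Authentication,
# failed attempts are often recorded as LogonType 3 (Network) instead.
SAMPLE_EVENTS = [
    ("2022-06-01T02:00:05", 4625, 3, "admin", "203.0.113.7"),
    ("2022-06-01T02:00:09", 4625, 3, "administrator", "203.0.113.7"),
    ("2022-06-01T02:00:14", 4625, 10, "backup", "203.0.113.7"),
    ("2022-06-01T02:00:20", 4625, 10, "svc_sql", "203.0.113.7"),
    ("2022-06-01T02:00:31", 4625, 10, "jsmith", "203.0.113.7"),
    ("2022-06-01T02:00:44", 4624, 10, "jsmith", "203.0.113.7"),  # success
    ("2022-06-01T08:15:00", 4625, 10, "kjones", "10.0.0.42"),    # one typo
    ("2022-06-01T08:15:12", 4624, 10, "kjones", "10.0.0.42"),
    ("2022-06-01T09:00:00", 4624, 3, "fileshare", "10.0.0.9"),   # not RDP
]


def detect_rdp_guessing(events, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per source IP that logged at least `threshold` failed
    logons (4625, LogonType 3 or 10) inside `window` and then succeeded over
    RDP (4624, LogonType 10). Events may arrive unsorted."""
    failures = defaultdict(list)  # source_ip -> timestamps of recent failures
    alerts = []
    for ts_str, event_id, logon_type, user, src in sorted(events):
        ts = datetime.fromisoformat(ts_str)
        # Drop failures that have aged out of the sliding window.
        recent = [t for t in failures[src] if ts - t <= window]
        if event_id == 4625 and logon_type in (3, 10):
            recent.append(ts)
        elif event_id == 4624 and logon_type == 10:
            if len(recent) >= threshold:
                alerts.append({"source_ip": src, "user": user,
                               "failed_attempts": len(recent),
                               "success_at": ts_str})
            recent = []  # a success closes the burst; start counting afresh
        failures[src] = recent
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_guessing(SAMPLE_EVENTS):
        print(alert)
```

The threshold and window are tuning knobs: the single failed attempt from 10.0.0.42 is ordinary user error and produces no alert, while the five failures from 203.0.113.7 within one minute do.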

Find out how Verizon can enable your organization to gain visibility and control of cyber risk.

The author of this content is a paid contributor for Verizon.