The Economics of Extortion: How Ransomware-as-a-Service Fuels the Epidemic

by Black Hat Middle East and Africa

Only a small portion of cybercriminals possess the programming skills needed to create malware.

This is one of the main reasons why ‘variants’ of malware families are so common—it’s much easier to make minor alterations to malicious code than it is to write it from scratch.

In the past, this prevented smaller, less skilled groups from launching sophisticated ransomware campaigns. At best, they could buy a trojan from a dark web market and make minor changes—for example, substituting in their cryptocurrency wallet addresses and writing a new ransom note.

These changes often led to trojans becoming less effective, and sometimes not working at all.

Unfortunately, the equation has changed.

What is Ransomware-as-a-Service?

You’ve heard of Software-as-a-Service… and this follows the same idea. Ransomware-as-a-Service (RaaS) is a subscription model where ransomware authors allow ‘affiliates’ to use their fully developed trojan and earn a percentage of each ransom paid.

RaaS affiliates technically don’t need any coding or technical skills whatsoever. An affiliate could spread the trojan using basic vectors like simple phishing attacks and have a reasonable chance of success on a small scale. Instead of working with half-baked trojans that barely work, amateurs can now deploy cutting-edge ransomware that even nation states would be proud of.

It’s an attractive business proposition. Average ransom payments grew by an incredible 82% in the first half of 2021 to a record $570,000. With affiliates receiving as much as 70-80% of the revenue, that means an average payout of roughly $400-450k per victim that opts to pay a ransom.

No surprise, then, that ransomware attacks continue to grow in number, almost doubling during the first half of 2021.

How To Become a RaaS Affiliate

RaaS groups develop their ‘products’ using a multi-user infrastructure, just like a SaaS provider. The group then licenses the trojan software to affiliates using a model of its choosing. Typically, an individual or group can become an affiliate by paying either a one-off fee or a monthly subscription. In some cases, RaaS groups waive this cost, allowing affiliates to sign up on a pure commission basis.

There’s an obvious hurdle for RaaS groups to overcome. Unlike a SaaS provider, these groups can’t advertise their wares through Google or Facebook. They do advertise—just in a different way.

Most RaaS groups attract new affiliates by posting on criminal forums, usually on the dark web. Some RaaS groups have strict criteria for prospective affiliates, demanding applications only from groups with specific technical skills, while others are less discriminating.

Once on board, RaaS groups provide affiliates with comprehensive support, including deployment guides, troubleshooting, and sometimes even monitoring solutions to help them track campaigns. Each new affiliate is assigned a unique identifier code used to determine which ransomware infections and ransom payments are their work.

It’s Not Just for Dummies

Although plenty of RaaS-based attacks are perpetrated by low-skill groups, many are the opposite. Some RaaS groups disallow low-level spammers and phishing groups from becoming affiliates, preferring to work only with groups that possess a proven level of skill.

In the recent Kaseya breach, a REvil affiliate exploited a zero-day vulnerability in the company’s VSA product to infect customers’ servers with ransomware… just before Kaseya could patch the vulnerability. Whether the group knew it was racing against a pending patch is unknown, but the attack shows a significant level of sophistication.

RaaS is a Business

IT providers like Microsoft and Fortinet use partner programs and resellers to distribute products and service their customers. RaaS gangs do precisely the same thing, with just one slight difference: their “customers” don’t want to be serviced.

And that’s not the whole story. There’s a third player in the ecosystem: Initial Access Brokers (IAB).

IABs are cybercriminals that use their skills to gain unauthorized access to business networks, often via Remote Desktop Protocol (RDP) or compromised Citrix gateways—remote-access services that expose PCs or servers to the internet. Once they have gained access, IABs sell it via criminal forums—again, usually on the dark web—giving RaaS affiliates a ready-made channel to distribute their wares.
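Since exposed RDP is the entry point the article singles out, the first place a defender looks for IAB activity is the authentication log. The following is an added example, not code from this article or from Black Hat MEA: a small Python detector that scans Windows Security log records for password guessing against RDP (Event ID 4625 failed logon, Event ID 4624 successful logon, logon type 10 for RemoteInteractive/RDP) and flags any source that fails repeatedly and then succeeds, which is the pattern a broker selling “working” credentials leaves behind. The log records are constructed for the example; the threshold and time window are assumptions to tune for your environment.

```python
"""Flag password guessing against RDP in Windows Security log records.

Added example for this article, not code from Black Hat MEA. The records
below are constructed; the field meanings follow the Windows Security log
(EventID 4625 = failed logon, 4624 = successful logon, LogonType 10 =
RemoteInteractive, i.e. RDP).
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625
SUCCESS_LOGON = 4624
RDP_LOGON_TYPE = 10

# Constructed sample records: (timestamp, event id, logon type, source ip, user)
SAMPLE_EVENTS = [
    ("2021-06-01T02:00:01", 4625, 10, "203.0.113.7", "administrator"),
    ("2021-06-01T02:00:03", 4625, 10, "203.0.113.7", "admin"),
    ("2021-06-01T02:00:05", 4625, 10, "203.0.113.7", "backup"),
    ("2021-06-01T02:00:07", 4625, 10, "203.0.113.7", "sqlsvc"),
    ("2021-06-01T02:00:09", 4625, 10, "203.0.113.7", "helpdesk"),
    ("2021-06-01T02:00:12", 4624, 10, "203.0.113.7", "helpdesk"),  # guess succeeded
    ("2021-06-01T09:15:00", 4625, 10, "10.0.0.25", "jsmith"),       # one typo, then success
    ("2021-06-01T09:15:30", 4624, 10, "10.0.0.25", "jsmith"),
    ("2021-06-01T10:00:00", 4625, 3, "10.0.0.9", "svc-print"),       # network logon, not RDP
]


def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: finding} for every source with at least `threshold`
    failed RDP logons inside `window`. Each finding also records whether a
    successful RDP logon from the same source followed the failures, which
    usually means an account has been compromised rather than merely probed."""
    by_source = defaultdict(list)
    for ts, event_id, logon_type, src, user in events:
        if logon_type != RDP_LOGON_TYPE:          # only RemoteInteractive logons
            continue
        by_source[src].append((datetime.fromisoformat(ts), event_id, user))

    findings = {}
    for src, recs in by_source.items():
        recs.sort()                                # chronological order
        failures = [(t, u) for t, e, u in recs if e == FAILED_LOGON]
        start = 0
        # Sliding window over failure timestamps: once `threshold` failures
        # fall within `window`, raise a finding for this source.
        for end in range(len(failures)):
            while failures[end][0] - failures[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                last_fail = failures[end][0]
                success_after = [u for t, e, u in recs
                                 if e == SUCCESS_LOGON and t >= last_fail]
                findings[src] = {
                    "failed_attempts": end - start + 1,
                    "users_tried": sorted({u for _, u in failures[start:end + 1]}),
                    "success_after_failures": success_after[0] if success_after else None,
                }
                break
    return findings


if __name__ == "__main__":
    for src, finding in find_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(src, finding)
```

Run against the constructed records, only 203.0.113.7 is flagged: five failures in eight seconds across five different account names, followed by a success as `helpdesk`. The single failure from 10.0.0.25 stays below the threshold, and the logon type 3 event is ignored because it is not an RDP session. In production the same logic would be fed from a SIEM query or `Get-WinEvent`, and a positive finding is the cue to disable the account, review what the session did, and put the RDP service behind a VPN or gateway with MFA.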

This is business at its best… or worst. Like a legitimate industry, each actor in this ecosystem plays to its strengths and outsources everything else to groups more suited to those roles:

  • RaaS groups build powerful, constantly evolving ransomware trojans. They rival (and even surpass) some legitimate software providers in the level of product quality, service, and support provided.
  • Affiliates distribute ransomware far more widely than a single RaaS group could manage on its own. They shoulder a lot of the risk, but they also pick up a large part of the reward. Skilled affiliate groups have pulled off some of the largest and most profitable cybersecurity breaches in history.
  • IABs use their skills to compromise business networks but leave the business of extortion or theft to groups more suited to it. They prefer a reliable ‘pay per compromise’ business model, and, of the three actors we’ve discussed, enjoy perhaps the least risk.

Combined, this creates an ecosystem where market forces incentivize each group to refine its capabilities as far as possible:

  • RaaS groups with the most effective ransomware attract more and higher quality affiliates.
  • Affiliates with the most in-demand skills and proven track records are more attractive to RaaS groups, make more money, and may even negotiate a higher percentage of ransom profits.
  • IABs provide a ‘product’ that will only receive more demand over time. The more (and higher value) networks they compromise, the higher their earning potential.

The cybercriminal ecosystem is growing rapidly in sophistication. With billions of dollars on the table, that’s hardly surprising—but it presents a tremendous challenge for law-abiding organizations.

So what can they do about it?

Fundamentally, protecting against ransomware activity is no different from any other threat. All of the usual recommendations still apply, such as:

  • Focus on cyber hygiene measures like segmented networks, least privilege access, patching, and disaster recovery.
  • Implement robust processes to identify and resolve security vulnerabilities.
  • Identify your highest value assets (the ‘crown jewels’) and allocate the largest portion of your security budget to protect them.

With the rise of RaaS, all that has changed are the stakes and the level of security organizations need to minimize cyber risk. Now that advanced ransomware is widely available, any organization is a potential target and must be ready to protect against it—or at least recover quickly.
