Articles & E-Books


The increasing popularity of ransomware as a service

Jan 04, 2021

Ransomware has been at the top of the list of worries for network administrators and security teams for quite some time now. The prospect of having malicious software encrypt important company data and hold it for ransom can weigh heavily on security administrators’ minds.

Ransomware defined

Due to increased success among criminals and malicious actors, most people have heard of malware. Ransomware is malware that encrypts your data, preventing you from accessing it unless you pay cybercriminals for the decryption key to unlock your data. Recently, these criminals have also deployed a strategy where they download the data from your systems and threaten to release it to other criminals, competitive rivals, or the general public — depending on the sensitivity of the system — in an attempt to further “encourage” you to pay the ransom.

For ransomware to be effective, three main components are required:

  1. Software developers who can create, modify and update the malicious code
  2. An effective means of delivering the software (typically phishing emails, etc.)
  3. A way to collect the ransom and deliver the decryption key to unlock the data once payment is received.

These components take some highly talented individuals and established networks for distribution and money laundering to be successful. This can be quite expensive and difficult to successfully execute and maintain. This is why most ransomware originated from nation state attackers, organized crime or cybercriminal organizations.

Ransomware as a Service

Ransomware as a Service (RaaS) has become the solution for these difficulties. RaaS uses subscription-based models similar to legitimate Software as a Service (SaaS) (think Microsoft 365, Google Apps, etc.).

You can become an affiliate, or distributor, paying malicious software developers a one-time licensing fee, subscription fee or percentage of profits for use of the software and services. This allows even the least technically inclined cybercriminals to effectively spread ransomware and collect money from those successfully attacked.

Some services even have a help desk to support the criminals and help them with use of the software and collection of the ransom. There are even real-time status dashboards to show the status of attacks in some cases.

Ransom money acquired though successful attacks is then divided among attackers, software developers and the service provider, creating a full-fledged business model for ransomware attacks. This provides the ransomware developers with money without having to perform an attack, and the distributor doesn’t have to hire software developers for the ransomware code — an unfortunate win-win for the bad guys.

Common RaaS operations

Although constantly changing, common RaaS operations include DopplePaymer, Egregor/Maze, Netwalker, SATAN, REvil (also known as Sodinokibi), Petya, RaaSberry, Shark and Ryuk.

A newcomer named Smaug has recently entered the RaaS realm as well. With Smaug, distributors pay a pretty high registration fee as well as service fees. But the service claims to be able to affect a broader range of operating systems (Windows, Linux, and macOS), which is not typical. It also offers the ability to decrypt company computers with just one decryption key for all affected systems on a network, making it more convenient for the attacker and the victim.

The software can also run with no internet connection after the initial files are delivered, so disconnection will not stop the software from delivering its payload on an infected system.

Besides those more technical aspects, it offers customizable email campaigns for spreading the malware and highly developed payment systems for both the attacker and the victims, including tech support for both parties. Quite a scary system, and we can only hope it either doesn’t gain in popularity or is somehow taken down by authorities before it can be too widely used.

How to protect yourself

RaaS creates all kinds of opportunities for experienced hackers and has opened the door to novice, inexperienced and wanna-be hackers. How can you protect yourself? The good news is that this isn’t a new technology to look out for. But be prepared for increases in ransomware attacks.

Different measures for protection include:

  • Most importantly, training for network users. Teach the users to detect phishing emails as much as possible to help prevent ransomware being delivered using this method.
  • Regular backups that are air gapped (separated from regular network access) so ransomware cannot reach it.
  • Ensuring patches are applied for all software on your systems regularly.
  • Malware detection such as antivirus, advance phishing detection and intrusion detection systems.

How Wipfli can help

Phishing remains the number one deployment strategy to get the ransomware distributed to potential victims, mostly because the emails are easy to create and send. Wipfli’s cybersecurity services include phishing training as well as how to deploy the right technology to make your business more resistant to attacks and resilient. Learn more or contact us today.


Joel R. Lego
Senior Manager
View Profile