How Ransomware-as-a-Service is Used in Ransomware Attacks

Initial access brokers and ransomware-as-a-service providers make it easier to launch a ransomware attack contributing to the rise in attack frequency.
Ransomware-as-Service Ransomware Attacks

With average ransom demands now in the millions, ransomware attacks are a lucrative business. It’s no wonder then that more people are trying to get a piece of the profit, and it’s becoming easier than ever to do it with the rise of ransomware-as-a-service. Just like software-as-a-service businesses provide easy access to software, ransomware-as-a-service businesses offer anyone looking to launch a ransomware attack with easy access to the tools they need to do it — no set-up or development necessary.

These aren’t small-scale operations either. Some of the most well-known attacks of 2021 featured ransomware sold by RaaS providers. A DarkSide affiliate facilitated the Colonial Pipeline attack, and REvil was responsible for the attack on Kaseya. Ransomware-as-a-service is lowering the barrier of entry, making attacks like these an all-too-common phenomenon in the last few years.

How Ransomware-as-a-Service Works

Ransomware-as-a-Service is a business, and just like a legitimate business, these RaaS operators advertise to get clients. They recruit on the dark web where want-to-be ransomware attackers are browsing for the best product, just like any modern eCommerce consumer. There are a few different revenue models for RaaS. You may simply pay a monthly subscription fee for access to the service. You may pay a fee, as well as a portion of your ransomware profits, which is known as being an affiliate. Other models are solely based on profit sharing or a one-time fee for purchase with no profit sharing required.

Regardless of payment details, the end result of each is the same — easy access to ransomware which can be leveraged against a target of the client’s choosing. The attacker is provided with the infrastructure to launch the attack. It is then up to them to set a ransom payment, determine their messaging, execute the ransomware, and communicate with the victim using the dashboards and portals set up by their RaaS provider.

The Role of Initial Access Brokers in Ransomware Attacks

Ransomware-as-a-service eliminates the need for bad actors to develop a custom malware strain and payment portal, but they still need to be able to deliver the ransomware to the intended target. Without some type of way into your victim’s network, RaaS would be useless. That’s where initial access brokers come in. They’ve done the legwork of finding a way into a company’s network, and they’re willing to sell it to ransomware groups who don’t want to spend the time finding their own access.

Initial access brokers may sell active directory credentials, web shell access, access to a VPN or Remote Desktop Protocol, or any other method to get someone in, but the level of access impacts the asking price. Admin access where additional escalation won’t be required is worth more, as are credentials to a high-revenue target.

Impact of Ransomware-as-a-Service

Initial access brokers and RaaS providers are making it far easier for anyone with a little bit of money to buy their way into the ransomware game. This ease of access is one of the factors that has led to the dramatic increase in ransomware attacks over the last few years. According to the 2021 1H Global Threat Landscape report from FortiGuard Labs, ransomware grew 1070% between July 2020 and June of 2021.

Even as organizations adopt defensive practices such as keeping offline, up-to-date backups of their data, ransomware attacks continue to increase because these ransomware businesses are evolving as well. Double extortion attacks are becoming increasingly prevalent. According to a recent Crowdstrike report, there was an 82% increase in ransomware-related data leaks in 2021. RaaS providers are making it easier for threat actors to plug and play with whatever type of ransomware attack they’re interested in, while initial access brokers attempt to provide guaranteed access to the victim of your choice.

Defending Against Ransomware-as-a-Service Attacks

It is crucial for businesses to have a comprehensive ransomware resilience plan that addresses preparation, prevention, and response in the event of an attack. Following security best practices such as providing awareness training to employees, enforcing strong password policies and multi-factor authentication, regular patching of known vulnerabilities, and protection of RDP ports and VPNs are all vital for defending against any type of ransomware attack, as is ensuring that your data is backed up and encrypted.

If you’re interested in what information an initial access broker might have about your organization, RH-ISAC provides resources for members developing dark web monitoring strategies. RH-ISAC’s Dark Web Working Group has regular bi-weekly meetings and hosts meetings for all members to join and learn more about the dark web. Learn more about RH-ISAC membership.

Ransomware Resilience Planning Guide

Get actionable strategies to reduce your organization's ransomware risk.

More Recent Blog Posts

2024 RH-ISAC Cyber Intelligence Summit logo

Register for RH-ISAC Summit

Our biggest event of the year is coming up soon! Join RH-ISAC April 9-11 in Denver for our annual three-day conference featuring interactive, practitioner-led discussions, breakout sessions, and keynote presentations.