Ransomware as a Service: Unraveling This Ecosystem

The cybersecurity industry constantly monitors how ransomware groups attack and who the latest victims are. However, sometimes we forget to look at how all of these groups work behind the scenes and what kind of resources they use before and after an attack, from affiliate services to “customer support” platforms. What’s behind this boom? Jose Miguel Esparza, Head of Threat Intelligence at Outpost24, explains how RaaS operations work in today’s ecosystem.

Ransomware remains one of the most prominent threats in today's world, with the number of attacks increasing exponentially. Indeed, threat actors and ransomware groups make full use of Ransomware as a Service (RaaS). What is the RaaS ecosystem, and what advice can security professionals give to best protect their organizations?

Tracking ransomware groups, their attack methods, and their targets is not an easy task, but through threat research and information sharing we continue to learn more about these adversaries. This research includes reviewing their online forums, understanding how they deploy their attacks in terms of Tactics, Techniques, and Procedures (TTPs), and analyzing the hacking tools and malware samples they use. Many mistakenly think that ransomware groups are dysfunctional collections of lone hackers and scammers, but that couldn’t be further from the truth. They are highly motivated and organized businesses with sufficient resources. They do their due diligence behind the scenes before an intrusion and linger long after it. RaaS, and the many infamous RaaS groups that have launched successful attacks, are at the forefront of their growing success.


I have already discussed the evolution of ransomware, covering its history, its ecosystem, and the current landscape of this highly popular cyberattack method. Over time, ransomware has become more targeted, which has coincided with the development of new technologies, techniques, and services within the cybercriminal underworld. This allows advanced attackers to methodically penetrate corporate networks and move laterally to study the systems they find. The malware is then deployed in a calculated manner designed to cause the greatest possible disruption to business operations, thereby maximizing the chances of getting paid. We are now seeing multinational companies being hit by ransomware attacks as these hacking groups seek to increase their profits. Hitting bigger organizations means higher ransoms.

Initially, threat actors would create and deploy their own ransomware families. However, this also made attribution easier, allowing law enforcement to track and shut them down. For example, the Russia-based group Evil Corp (once described as the world’s most wanted hackers) was revealed by the FBI to be behind many DRIDEX-based malware attacks, and sanctions were imposed on its members as a result.

To avoid further detection and punishment, Evil Corp turned to RaaS and began using a variety of malware families, including BitPaymer, WastedLocker, Hades, Phoenix Locker, PayloadBIN, and Macaw Locker.

The layers of Ransomware as a Service

There are many components in Ransomware as a Service, which is itself a more advanced evolution of Malware as a Service (MaaS), where a vendor provides a customer with malicious code and botnet management along with other services. In the RaaS model, multiple layers and components make it work the way it does.

First, there are the administrators, who provide the buyer (or affiliate) with access to the malware and the infrastructure to host and deploy it. They also provide support during the negotiation stages with ransomware victims. Within the RaaS package, a few options are available to the buyer: a dedicated leak site where victim information is published, an online portal for the affiliate to manage victims and generate additional malware builds, and a communication site that allows the attackers to get in touch with the victims. An instant-messaging-style communication line may even be offered.

Administrators usually receive a percentage of the ransom for their work, but they are not directly involved in attacking victims.

Who are the sellers?

There are options available for buyers to purchase a private RaaS offering in which negotiations will be conducted privately, either via instant messaging or forums – these are generally only offered to cybercriminals who are well known or have a higher profile in the online underworld. Sellers and resellers facilitate and manage the process of selling on underground forums for all other users.

However, as of May 2021, simply discussing or using ransomware terminology is banned on these forums due to pressure from law enforcement, which was increasingly shutting down these online platforms.

Yet, just like the mythical hydra creature, as soon as a forum was deleted, others were created, almost instantly, to take its place. In July 2021, a new forum called RAMP appeared where advertisements offering ransomware were more than welcome.

Who is an Affiliate?

An affiliate is the name given to the hacker who carries out the ransomware attack, usually gaining access to a company’s network – either by their own means or through an Initial Access Broker (IAB) – before deploying the ransomware purchased via RaaS.

Their main goal is to infect as many systems as possible without getting caught, causing the most disruption possible. If successful, the affiliate uploads the stolen data to the portal (depending on the RaaS program used) and begins communication with the victim as quickly as possible, to increase the likelihood of obtaining the ransom payment before the authorities are alerted.

Initial Access Brokers (IABs)

As mentioned, IABs can play a pivotal role in how a malicious actor penetrates the infrastructure of a targeted organization. Operating in underground forums, IABs are financially driven and make their money selling remote access, intelligence, and tooling that help attackers gain a foothold in corporate networks or exploit vulnerabilities.

IABs are the intermediaries that help streamline a ransomware operation by giving the threat actor a ready-made entry point from which to begin their attack. Regardless of the location, size, industry, or annual revenue of the organization, IABs are likely to have an entry point on offer.

The unfortunate victims

It’s always unfortunate to fall victim to a ransomware attack, but the victims or “customers” are a key part of the RaaS ecosystem, because without them the whole business model fails. By paying the ransom, victims hope to recover their sensitive data and online systems. Of course, there are always cases where attackers received payment and did not restore access, but these are rare these days, as such behaviour reduces the likelihood that future victims will pay. Beyond the risk of significant financial loss, the victim organization also faces reputational damage as news of the ransomware attack spreads.


Evolve with the ecosystem

With the increase in the use of RaaS, targeted ransomware attacks will continue to be a problem for enterprises. Whether or not you are a security professional, understanding how threat actors operate and use the RaaS business model is critical. For businesses, it is necessary to integrate threat monitoring, vulnerability management, and digital risk protection into your defenses, as these provide actionable insight into whether your organization could be a possible target, allowing you to be proactive and reduce the risk of being attacked. Taking these steps will better protect your business from the threat of cyberattacks like ransomware.
