What Is Ransomware as a Service?
Ransomware as a Service gets its name from the nomenclature generally used for cloud services, says Adam Meyers, CrowdStrike senior vice president of counter-adversary operations. Just as a government may contract for a Software as a Service solution, such as Zendesk for help desk communications or Slack for internal messaging, criminals may turn to RaaS for a tool that they can use to attack government IT.
Circa 2014, bad actors largely attacked financial institutions seeking big paydays through wire transfers or credit cards. But they began deploying “crypto lockers” that would freeze a machine until the victim paid a ransom. In 2015, CrowdStrike began tracking a bad actor called Boss Spider.
“They pioneered the modern enterprise ransomware where they started targeting large organizations by blocking every system and then demanding increasingly higher payments. From there, other groups took notes and pivoted from traditional botnet activities to ransomware,” Meyers says.
Groups began creating malware similar to Tox, widely considered to be the first RaaS threat, and LockBit, which IBM identifies as one of the most pervasive RaaS variants.
“They recognized that they could do only so many ransomware operations at any given time,” Meyers says. “But if they opened up their ransomware, which had good cryptography and a good back end, then they could let other people use it for a fee, and so they got into revenue-sharing.”
With RaaS solutions, criminals don’t have to build their own ransomware. They can go to a threat group, use its RaaS kit and pay the creators a percentage of the ransom. “Now, we’ve got a whole mosaic of these Ransomware as a Service operators out there looking to generate revenue by building the ransomware and then letting others use it,” Meyers says.
How Has Ransomware as a Service Evolved Over Time?
Ransomware grew in sophistication in four stages to produce today’s RaaS threats, says Ryan Anschutz, North America head of incident response at IBM X-Force.
In the early days of ransomware, state and local governments saw mostly custom-built ransomware used in one-off attacks. Then, between 2016 and 2020, organized groups began leveraging ransomware for cyberattacks. These groups operated like a business and offered 24/7 support to their customers, who were individual attackers.
“That was really the jump into industrialization of Ransomware as a Service,” Anschutz says of this second stage.
Since 2020, RaaS has experienced two distinct stages of growth. In 2023, attackers began not only encrypting data but stealing it as well. “And when they steal it, they then threaten to leak the sensitive information if that ransom isn’t paid,” Anschutz says. Organized criminals thus sought to gain the most value from stolen data.