What is RaaS? Taking cyber extortion to the masses

Anton P. | February 8, 2022

RaaS (ransomware-as-a-service) is a business model for selling or leasing file-encrypting viruses to interested parties. These buyers need no technical skills to launch ransomware campaigns. Thus, ransomware operators no longer need to initiate high-profile attacks themselves. Instead, individuals without high-end expertise but with the necessary funds can execute them. Due to the boom in RaaS, the cyber-extortion threat has never been more far-reaching.

What ransomware does: file-encryption and blackmail

A ransomware virus is all about compromising personal or corporate systems and holding their assets for ransom. Usually, criminals employ various tactics for spreading ransomware:

  • Social engineering scams containing malicious payloads or links leading to infected sites.
  • Cracked software deceiving people into downloading a ransomware virus.
  • Drive-by downloads, in which users visit a fake website and the infection gets installed without their knowledge.
  • Social media scams and dangerous instant messages or SMS messages.

Ransomware usually enters a system through one of these distribution channels and encrypts the files it detects. Then, the crypto-malware drops a ransom letter, requiring victims to pay large sums via cryptocurrencies. Criminals allege that victims will receive a decryption key for regaining access to their data after paying.

Other ransomware symptoms include:

  • Locked access to the infected device.
  • Encrypted files have a new file extension added to their filenames.
  • Threats to publish degrading, implicating, or highly confidential details if victims do not meet ransom demands.

According to our ransomware research, authorities reported 2,845 ransomware attacks worldwide in 2021. Around 48% of them focused on systems in the USA, with France and Canada as other popular targets.

What is RaaS?

RaaS (ransomware-as-a-service) is a business arrangement in which hackers sell their ransomware tools to independent distributors. These distributors do not need special coding skills to put the malicious software into action. As a result, it is no longer only talented hackers who can use sophisticated tactics to wreak havoc on targets’ devices.

Developers of RaaS and potential distributors engage in business relationships, resembling affiliate partnerships. Each partner can receive a personal RaaS code with their unique ID embedded. For example, REvil RaaS offers 30% of earnings to the affiliate, increasing to 40% after three successful attacks.

There are several big guns in the RaaS industry. DarkSide is one of these services, presenting a startup-like culture and shady professionalism. An interesting focus for such ransomware operators is responsive communication, or “good customer service.”

This refers to attempts to make the ransom-paying procedure as smooth as possible via dedicated chat systems or email. RaaS representatives also guarantee that decryption software gets delivered in exchange. However, this in no way means that victims should pay ransoms. After all, paying only pushes the RaaS industry forward.

The hunt for RaaS and its controllers has never been more agile. The Department of State offers a reward of up to $10,000,000 for information relevant to finding culprits behind DarkSide.

How does most RaaS work?

Besides the affiliate model, with each party getting a set percentage of the earnings, other RaaS models exist.

  • Subscription-based. Some RaaS providers can support annual or monthly payments for access to their crypto-malware.
  • Lifetime licensing. It is also possible that wannabe hackers can make one-time payments in exchange for full ransomware kits. Naturally, such purchases are likely to be the most expensive.
  • Partnership. A rarer instance is for distributors to transform into full-time partners. It could be due to the skills or expertise contributed to the project. Such partnerships likely lead to equally split earnings.

Launching malicious campaigns with RaaS

RaaS collaborators will likely have to handle the distribution of malicious payloads themselves. Phishing is one of the most cost-effective ways to go, meaning most campaigns will deliver deceptive emails or messages. However, other paths are viable options, like posting a free download of premium, highly popular software.

So, attacks using purchased RaaS will likely follow a series of steps (after picking a RaaS provider):

  • Collaborators select specific or multiple distribution channels for the malicious software.
  • Then, they craft believable scenarios, like fake email messages addressing alleged credit card fraud or exploiting situations.
  • If targets download malicious files or click on infected links, the ransomware enters the system.
  • The virus goes on a rampage, encrypting files, locking access, and adding instructions for paying ransoms. Usually, the hackers list their demands in a TXT file dropped on victims’ devices.
  • The RaaS blackmail can operate in two ways. One requires payment for file decryption key/software. The second is the threat of leaking sensitive or even potentially incriminating information.
  • Victims pay via the instructed paths: untraceable payment options like cryptocurrencies. The intention here is to obfuscate the trajectory of funds, preventing the detection of RaaS developers or affiliates.
  • The paid sums can fully belong to collaborators if they buy the lifetime licensing option. In other cases, they will receive a percentage of the earnings.

Despite the business-like attire of RaaS, victims should avoid paying ransoms. It only inspires and funds future attacks. Also, experts have made suggestions toward making ransom payments illegal. However, the latter requires a robust support system for RaaS victims, including individuals, businesses, and other institutions.

Defending against RaaS: no need to pay ransoms

Prevention of ransomware is not always possible. Therefore, individuals and corporations must invest resources and time into making their devices immune. It essentially means safeguarding assets so that crypto-malware damage is not as severe.

  • Regular data backups. There are many options for creating backups for important files. You can go for a simple choice like storing data on USB sticks. However, you can also go for cloud storage solutions.
  • Maintain updated software. Malware sometimes enters systems through vulnerabilities or security loopholes. Thus, applying updates to your operating system and individual software apps is crucial.
  • Do not interact with suspicious messages. If you receive suspicious texts or emails, do not respond to them. Hackers frequently use scare tactics for inciting ill-advised decisions. Therefore, take a minute or two before opening files or links.
  • Download software only from reliable sources. Cracked or pirated programs should never enter your system. Not only are they illegal, but their arrival can bring viruses into your system.
  • Get additional tools for protection online. You need to protect each activity you perform online. For instance, connecting to free Wi-Fi or unknowingly visiting fake websites can lead to infections. Atlas VPN can help you connect safely to any network by encrypting traffic and preventing snooping. Our SafeBrowse can also help block potentially dangerous websites.

What to do if you have fallen victim to RaaS?

After noticing unsolicited changes to your device and files, it is crucial not to panic or make hasty decisions. Here is a simple guide for surviving a ransomware attack:

  • Take a screenshot of your device. Make sure elements like the extensions added to encrypted files are visible. It can help recognize the exact RaaS and safe ways to get back data.
  • Shut down your system. Disconnect the infected device from the network to avoid spreading the infection to other connected gadgets.
  • Check whether decryption tools are available. There are free decrypting options that experts have generated. Find information on whether a specific ransomware strain has a dedicated tool.
  • Identify the attack vector. Determining the source of infection might not always be possible. However, you might remember opening questionable emails.
  • Notify authorities. It is important to report ransomware attacks to federal law agencies. You will also get mitigation tips and support for dealing with the infection without paying.
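
The indicators described above (a new extension added to encrypted files and a ransom note dropped as a TXT file) can be collected with a read-only script instead of by eye. The following Python sketch is an added example, not part of the original article; the extension `.examplelock`, the note name `EXAMPLE_NOTE.txt` and the sample tree are constructed, and treating an identical TXT file found in two or more folders as a probable ransom note is an assumption.

```python
import hashlib
import os
import tempfile
from collections import Counter, defaultdict

# Extensions a user file normally ends with; anything appended after one is suspect.
KNOWN_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".png", ".txt", ".csv"}

def triage(root):
    """Summarise appended extensions and TXT files repeated across directories."""
    appended = Counter()        # appended extension -> number of renamed files
    notes = defaultdict(set)    # (file name, sha256) -> directories holding that exact file
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            stem, last = os.path.splitext(name)
            last = last.lower()
            inner = os.path.splitext(stem)[1].lower()
            if last and last not in KNOWN_EXTS and inner in KNOWN_EXTS:
                appended[last] += 1          # e.g. report.docx.<new extension>
            elif last == ".txt":
                with open(os.path.join(dirpath, name), "rb") as fh:
                    digest = hashlib.sha256(fh.read(1 << 20)).hexdigest()
                notes[(name, digest)].add(dirpath)
    ext, count = appended.most_common(1)[0] if appended else (None, 0)
    # Assumption: a ransom note is the same TXT file dropped into several folders.
    repeated = sorted(n for (n, _), dirs in notes.items() if len(dirs) >= 2)
    return {"appended_extension": ext, "renamed_files": count, "repeated_notes": repeated}

def build_sample(root):
    """Constructed sample tree; the extension and note name are made up."""
    layout = {
        "docs/report.docx.examplelock": b"\x00" * 16,
        "docs/budget.xlsx.examplelock": b"\x01" * 16,
        "pics/photo.jpg.examplelock": b"\x02" * 16,
        "docs/EXAMPLE_NOTE.txt": b"constructed ransom note text",
        "pics/EXAMPLE_NOTE.txt": b"constructed ransom note text",
        "docs/todo.txt": b"ordinary user file",
        "pics/archive.tar.gz": b"ordinary archive",
    }
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(triage(tmp))
```

The appended extension and the note file name it reports are the details to search for when checking whether a free decryption tool exists for the strain.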

Anton P.

Former chef and the head of the Atlas VPN blog team. He's an experienced cybersecurity expert with a background in technical content writing.


