The growing prevalence of ransomware as a method of cyber-attack is clear. In 2023, this tactic accounted for over 70% of attacks worldwide. Yet, ransomware attacks are no longer conducted exclusively by sophisticated hacking groups. Thanks to the rise of ransomware as a service (RaaS), anyone with a bad intention can launch a devastating attack with minimal financial investment.

Understanding this evolving business model is the first step in effectively protecting against it.

The affiliate as adversary

Under RaaS, a threat actor (called an affiliate) obtains ransomware code and uses it to originate an attack against their target. Affiliates are responsible for selecting the target, deploying the ransomware, and negotiating with the victim. These adversaries may be a single individual, but are often sophisticated groups like ShadowSyndicate with many different RaaS tools at their disposal.

RaaS operates under several different business models, with common ones including:

• Subscription-based: Affiliates pay a recurring fee, such as weekly or monthly, to access the RaaS platform and resources.
• One-time license: Affiliates pay a one-time fee for use of the tools.
• Profit sharing: Affiliates enter a contract agreeing to share a percentage of their ransom payments with the RaaS developers.
• Affiliate programs: Existing affiliates can earn a commission by recruiting new members to the platform.

The fundamentals of ransomware still apply to RaaS, meaning the primary differentiator is simply who is doing it. This arrangement dramatically lowers the technical barriers to entry, with many platforms offering prebuilt attack templates, around-the-clock support, and user-friendly interfaces. In short, the accessibility and relatively low cost of RaaS enable “aspiring” cyber criminals with limited expertise to launch sophisticated attacks.

Examples of ransomware as a service

Several recent high-profile RaaS attacks have made IT professionals more aware of the speed and complexity with which threats are emerging, including:

• REvil
• DarkSide
• LockBit
• Conti
• Phobos
• Dharma

Commonly targeted industries and organizations

Understanding which industries RaaS affiliates most frequently attack is crucial to effectively prioritize security and allocate resources. Common targets include:

• Critical infrastructure: Companies operating in sectors like energy and utilities, transportation, and water treatment represent high value and the potential for widespread disruption.
• Education: Affiliates often target educational institutions, which regularly run on legacy systems and have limited budgets for cybersecurity.
• Financial services: Access to sensitive personal data and the possibility of greater profitability attract affiliates to financial services organizations.
• Government: High disruption potential and high-value data frequently tempt adversaries to attack government agencies.
• Healthcare: Healthcare providers and facilities make attractive targets because they often have limited cybersecurity resources and store sensitive information that can be misused multiple ways and for long time frames.
• Legal: As with many industries, legal organizations store sensitive data and can have limited cybersecurity resources to defend against extortion by affiliates.
• Manufacturing: Mission-critical industrial control systems and operational technology that are challenging to secure make the manufacturing sector an attractive target.

The common targets, potential impacts, and challenges of RaaS intertwine and demand a holistic cybersecurity approach.

Impacts

The impacts of a successful RaaS attack extend far beyond the ransom payment, inflicting significant damage on an organization's brand, finances, and operations. For example, a business may experience reputational harm that erodes customer trust and impacts future opportunities.

Attacks also often involve data exfiltration of sensitive information. If the affiliate exposes that data, regulatory bodies may impose fines and penalties. Affected consumers may also have grounds to bring legal action.

Additionally, ransomware attacks disable a company's resources and disrupt its productivity. The resulting downtime is costly and directly impacts a business's financial health and ability to deliver for its customers.

Challenges

While ransomware is not novel in the threat landscape, the fast evolution of RaaS groups like RansomHub influences how companies must respond to keep pace. Common challenges that arise include:

• Securing the necessary budget, staff, and expertise when resources are limited.
• Gaining holistic visibility in complex modern networks and cloud-based architectures.
• Replacing or upgrading outdated security technologies and solutions that no longer offer effective protection.
• Ensuring end-user cybersecurity awareness and training as techniques like phishing and social engineering evolve and improve.
• Recovering data, assessing the scope of any exfiltration, and managing the breach promptly and effectively to comply with regulations and reduce potential damage.

Overcoming the challenges of defending against RaaS

The scalability of and increasing accessibility to RaaS tools mean that modern businesses must deploy unique defenses to protect their assets against an affiliate attack.

Start by identifying your organization's specific vulnerabilities to understand where specific RaaS attack vectors lurk, then implement the following best practices to strengthen your posture:

1. Adopt a multilayered approach

Cybersecurity is most effective when it encompasses multiple layers of protection rather than relying on a single solution. Consider a comprehensive combination of security tools like:

• Firewalls
• Threat detection technology
• Endpoint protection
• Email security solutions

Regardless of which combination is best for your needs, ensure accurate configuration and prompt deployment of patches and updates.

2. Mitigate user-related risks

Remote work environments and bring-your-own-device policies expand the user-related attack surface. That fact cements the importance of robust strategies to mitigate user-related, risky behaviors and activities. Consider investing in tools and initiatives to:

• Manage digital identities: Implement Identity Access Management (IAM), multifactor authentication, and zero trust protocols to strengthen identity management and control resource access.
• Limit the potential of compromised accounts: Enforce the principle of least privilege and role-based access controls, with regular credential reviews and prompt deprovisioning.
• Improve user knowledge: Conduct regular security awareness training and use tools like automated phishing simulations. These keep users educated about the latest threats and improve their ability to detect and report suspicious activity.

3. Strengthen network visibility, control, and security

A robust incident response plan is crucial and a comprehensive transparency into network traffic is nonnegotiable in detecting and responding to RaaS attacks. Such attacks often involve data exfiltration, living off the land techniques, and lateral movement — all of which generate network traffic but are more challenging to identify without unified visibility. Consider implementing network segmentation to limit lateral movement, isolating your critical assets on separate network segments with strict access controls.

Network monitoring tools are equally essential for identifying suspicious and anomalous behavior. Intrusion detection and security information and event management systems offer up-to-the-minute insights to inform strategic decisions. These solutions can pinpoint trends and traffic that may signal a potential RaaS attack in real time, supporting faster responses.

Additionally, integrate threat intelligence into your cybersecurity arsenal to ensure contextual awareness and insights into emerging techniques and known vulnerabilities. These tools help your team stay ahead of evolving threats and adapt your strategies as novelties arise.

Darktrace is a leading provider of AI-powered cybersecurity solutions designed for unparalleled network detection and response capabilities. Our technology has been instrumental in elevating network security and stopping RaaS attacks for thousands of businesses since 2013.

Learn more about modern cybersecurity threats and how to strengthen your defenses against them by reading our annual threat report or exploring our blog.