What is Ransomware-as-a-Service and How Does it Work?


The Software Engineering Institute (SEI) at Carnegie Mellon University defines RaaS as “a new business model for ransomware developers. …[These actors] sell or lease their ransomware variants to affiliates who then use them to perform an attack.” As part of that arrangement, the developers may set the ransom amount, coordinate negotiations with victims, and then take a portion of the ransom payment for their services. Affiliates keep the rest of the ransom payment for their part in running the attack, stealing data, and installing the ransomware payload onto a target’s network, notes Bleeping Computer.

In practice, a RaaS attack begins with a ransomware developer making their malicious code available on the black market for affiliates to use in attacks, either for a fee or for a share of the ransom payment. SEI explains that the affiliates then use an infection vector of their choosing to launch an attack on a target: for example, a phishing email that steers the victim to a malicious website hosting the ransomware, a malicious attachment, or another delivery method.

The malicious code then downloads and executes the ransomware on the target machines. At that point, the ransomware encrypts the victim's files on the device or across numerous devices on the network. Once the encryption routine completes, the campaign drops a ransom note instructing the victim to pay the demanded amount.

Once they have received their share of the ransom, the affiliate may send the victim a decryption utility, make additional demands, or do nothing at all.


The more complex RaaS operations are quite sophisticated, using APT-like attack sequences to gain persistence, move laterally on the target network, exfiltrate sensitive information from the victim for double extortion and more; we refer to these complex ransomware attacks as RansomOps. Unlike opportunistic ransomware attacks, RansomOps attackers methodically amplify their damage and ultimately put themselves in a position to demand multi-million dollar ransoms.

Cerber was one such ransomware operation. In 2016, Threatpost wrote that Cerber was the largest RaaS ring, with 161 active campaigns and eight new offensives launched daily. Such activity earned the operation roughly $200,000 in a single month, putting it on pace for about $2.5 million a year.

It was a similar story with REvil (aka Sodinokibi). Per Bleeping Computer, REvil's developers claimed to have made over $100 million in a single year by concentrating their attack activity on large businesses. The attackers told Bleeping Computer that they wanted to make $2 billion from their ransomware service before calling it quits.

It's unclear whether REvil succeeded before the ransomware gang's websites and infrastructure went dark on July 12, 2021. The group did resume its attack campaigns as of September 11. Even so, it's questionable whether the attackers will meet their goal going forward if they haven't already. That's because the truth has come out about how the REvil threat actor conducts its negotiations, and recent arrests made by Europol may have included key REvil ransomware gang members.

A few weeks after REvil came back online, Bleeping Computer reported that multiple threat actors had been trading stories on underground forums since 2020 about REvil's operators hijacking their negotiations. Those threat actors asserted that the REvil developers would insert themselves into an affiliate's negotiation by posing as the victim and claiming that the victim had decided not to pay. They would then open a second chat with the real victim and collect the ransom without the affiliate's knowledge, keeping the full payment for themselves.

When BlackMatter launched, its operators said that they reserved the right to inject themselves into affiliate negotiations with victims as they see fit going forward.


RaaS operations give low-skill attackers the means to conduct ransomware attacks. With the barrier to entry now so low and the number of ransomware attacks rising, organizations need to be better prepared to defend themselves against RansomOps.

Organizations should deploy an anti-ransomware solution that leverages both Indicators of Compromise (IOCs) and Indicators of Behavior (IOBs), the more subtle attack activity that can reveal a RansomOps attack before the devastating payload is delivered and critical assets can be encrypted. Such a solution allows organizations to visualize a RansomOps attack wherever it's occurring on their network, including the initial access and lateral movement that can precede delivery of a ransomware payload by weeks or months, giving security teams time to detect and respond long before any systems are impacted.
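To make the IOC-versus-IOB distinction concrete, the following is an added example written for this page; it is not Cybereason's or activereach's product logic, and the hostnames, hashes, command lines and stage patterns are constructed and hypothetical. It runs a hash-based IOC check and a behavior-chain check over the same small stream of process-creation events. The repacked payload's hash is not on the intel list, so the IOC check finds nothing, while the chain of weak signals (Office spawning PowerShell, PsExec to a file server, shadow-copy deletion) raises an alert on the file server before the first mass-rename event, i.e. before encryption starts.

```python
"""Added example: IOC matching vs. IOB chaining over constructed endpoint telemetry.
Illustrative code written for this article, not Cybereason's or activereach's
product logic; hostnames, hashes, command lines and rule patterns are hypothetical."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed process-creation telemetry (not real logs). ws01 is the initial victim,
# fs01 a file server reached by lateral movement, ws02 an uninvolved workstation.
EVENTS = [
    {"ts": "2021-10-01T09:00:00", "host": "ws01", "parent": "outlook.exe", "image": "winword.exe",
     "cmdline": "winword.exe /n invoice.docm", "sha256": "a1a1"},
    {"ts": "2021-10-01T09:00:05", "host": "ws01", "parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA", "sha256": "b2b2"},
    {"ts": "2021-10-01T09:30:00", "host": "ws01", "parent": "powershell.exe", "image": "psexec.exe",
     "cmdline": "psexec.exe \\\\fs01 -s cmd.exe", "sha256": "c3c3"},
    {"ts": "2021-10-01T09:31:00", "host": "fs01", "parent": "services.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c vssadmin delete shadows /all /quiet", "sha256": "d4d4"},
    # Repacked payload: same family as a known sample, but a fresh hash the IOC list lacks.
    {"ts": "2021-10-01T09:35:00", "host": "fs01", "parent": "cmd.exe", "image": "svc_update.exe",
     "cmdline": "svc_update.exe", "sha256": "e5e5"},
    # Mass rename of files on fs01: this is the point at which damage begins.
    {"ts": "2021-10-01T09:40:00", "host": "fs01", "parent": "cmd.exe", "image": "svc_update.exe",
     "cmdline": "svc_update.exe", "sha256": "e5e5", "renames": 1200},
    {"ts": "2021-10-01T10:00:00", "host": "ws02", "parent": "explorer.exe", "image": "winword.exe",
     "cmdline": "winword.exe report.docx", "sha256": "a1a1"},
]

# Hypothetical threat-intel feed: the hash of last month's build of the payload, not today's.
KNOWN_BAD_HASHES = {"e0e0"}


def _has(pattern, text):
    return re.search(pattern, text, re.I) is not None


# Behavioural stages. Each is weak on its own; the chain across stages is the indicator.
STAGES = [
    ("initial_access",   lambda e: e["parent"] in OFFICE_APPS and e["image"] in SCRIPT_HOSTS),
    ("lateral_movement", lambda e: _has(r"^psexec\.exe\s+\\\\\w+", e["cmdline"])
                                   or _has(r"wmic\.exe\s+/node:\w+", e["cmdline"])),
    ("inhibit_recovery", lambda e: _has(r"vssadmin.*delete\s+shadows|wbadmin\s+delete\s+catalog",
                                        e["cmdline"])),
    ("encryption",       lambda e: e.get("renames", 0) >= 500),
]


def detect_ioc(events, bad_hashes=KNOWN_BAD_HASHES):
    """IOC matching: fires only on artefacts already on the list."""
    return [(e["ts"], e["host"], e["image"]) for e in events if e["sha256"] in bad_hashes]


def detect_iob(events, window=timedelta(minutes=60), threshold=3):
    """IOB chaining: alert once a host shows `threshold` distinct stages inside `window`.
    Stages seen on the source host are carried across a lateral-movement edge, so the
    target host inherits the attack context instead of starting from zero."""
    history = defaultdict(list)          # host -> [(stage, datetime)]
    alerted, alerts = set(), []
    for e in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        for name, matches in STAGES:
            if matches(e):
                history[e["host"]].append((name, ts))
                if name == "lateral_movement":
                    m = re.search(r"\\\\(\w+)|/node:(\w+)", e["cmdline"], re.I)
                    target = next(g for g in m.groups() if g)
                    history[target].extend(history[e["host"]])
        recent = {s for s, t in history[e["host"]] if ts - t <= window}
        if len(recent) >= threshold and e["host"] not in alerted:
            alerted.add(e["host"])
            alerts.append({"ts": e["ts"], "host": e["host"], "stages": sorted(recent)})
    return alerts


def encryption_onset(events):
    """Timestamp of the first mass-rename event, i.e. when files start being encrypted."""
    return min(e["ts"] for e in events if e.get("renames", 0) >= 500)


if __name__ == "__main__":
    print("IOC hits:", detect_ioc(EVENTS))
    print("IOB alerts:", detect_iob(EVENTS))
    print("encryption began:", encryption_onset(EVENTS))
```

Even if the intel feed did carry today's hash, the IOC would fire when the payload first executes (09:35 in the constructed data), whereas the behavior chain fires at the shadow-copy deletion (09:31). Thresholds, window lengths and stage definitions are tuning choices; the patterns here are deliberately narrow so that the benign ws02 event does not trip any stage.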


The best strategy for organizations is to prevent a ransomware attack from being successful in the first place. To do that, they need to invest in a multi-layered solution that leverages Indicators of Behavior (IOBs) to detect and prevent a ransomware attack at the earliest stages of initial ingress, prior to the exfiltration of sensitive data for double extortion.

activereach partners with Cybereason, whose Operation-Centric approach provides the ability to detect ransomware attacks earlier based on rare or advantageous chains of malicious behavior. This is why Cybereason is undefeated in the battle against ransomware and delivers the best prevention, detection, and response capabilities on the market, which include:

  • Anti-Ransomware and Deception: Cybereason uses a combination of behavioral detections and proprietary deception techniques to surface the most complex ransomware threats and end the attack before any critical data can be encrypted.
  • Intelligence-Based Antivirus: Cybereason blocks known ransomware variants by leveraging an ever-growing pool of threat intelligence based on previously detected attacks.
  • NGAV: Cybereason NGAV is powered by machine learning and recognizes malicious components in code to block unknown ransomware variants prior to execution.
  • Fileless Ransomware Protection: Cybereason disrupts attacks utilizing fileless and MBR-based ransomware that traditional antivirus tools miss.
  • Endpoint Controls: Cybereason hardens endpoints against attacks by managing security policies, maintaining device controls, implementing personal firewalls and enforcing whole-disk encryption across a range of device types, both fixed and mobile.
  • Behavioral Document Protection: Cybereason detects and blocks ransomware hidden in the most common business document formats, including those that leverage malicious macros and other stealthy attack vectors.

activereach and Cybereason are dedicated to teaming with defenders to end cyber attacks from endpoints to the enterprise to everywhere – including modern ransomware. Schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.

Deepen your knowledge and meet the activereach and Cybereason teams at Mercedes-Benz World for an unforgettable day of security insights and high-performance. Learn how to achieve high-velocity SecOps in the race against ransomware with in-depth workshops on Friday 5th November 2021, 09:00 – 17:30. Register here or contact us for more information.

This post was written by the Cybereason Security Team and originally posted on the Cybereason website on October 12, 2021