Introduction to RaaS (Ransomware-as-a-Service)

The cyber threats come in all shapes and sizes, from benign adware that is now considered legacy threats as they have become easily detected and removed to ransomware capable of locking your device, website and\or files. Ransomware authors are continually progressing with their methods have recently developed a new breed of threat called ransomware-as-a-service or also known as RaaS.

What is RaaS?

The ransomware itself has been around for many years now, but unfortunately, it had not been fully recognized as a top threat until a widespread attack of WannaCry virus in 2017. The attack began in Europe but moved swiftly to reach more than 250,000 computers in 116 countries in less than a week. WannaCry affected not only home users but also government organizations, hospitals, telecommunication providers, and universities.

Once a computer is infected with ransomware, the user cannot access the files or programs at all until he pays an amount of money to the attacker within a limited period. Attackers usually demand about 600 – 1000 USD worth of Bitcoin from each computer.


Now put in mind that WannaCry is not RaaS, but a conventional form of ransomware, albeit a powerful one. Ransomware falls under the RaaS category if it runs on a cloud-computing platform. It is an offshoot of software-as-a-service (SaaS), in which single application or software is possibly accessed simultaneously by multiple users as long as they are connected to the Internet.

In SaaS, software developer allows subscribed users to use its program without actually downloading and installing the software itself to their computers. This also means that users can rely on the computing power made available by the provider, so they don’t have to purchase or maintain expensive IT infrastructure.

Just like SaaS application, RaaS is available to interested users as long as they have the money to pay the subscription fee. In some cases, there isn’t even any subscription fee at all; users may borrow the application and use it as they like; in return, the developer earns a percentage of the ransom money collected as commission.

How it works

There is nothing entirely new about how cloud-based application works, and the same thing applies to RaaS. Cybercriminals, the original developers of the ransomware, create the malware code and rent it via the Internet with subscription or affiliate business model.

In simple terms, the approach works as follows:

  1. Knowledgeable and experienced hackers write ransomware code
  2. They market the ransomware on forums or websites in the dark web
  3. Interested cybercriminals buy the malware, either with one-time purchase or subscription
  4. Developers provide step-by-step information on how to use the code and admin panel
  5. Buyers launch an attack. If successful, ransomware locks victim’s files
  6. Victims must pay ransom money to unlock the files
  7. Criminals get their money without any assurance that they will send the decryption key to users

For the developers, RaaS earns quick money because they don’t have to worry about orchestrating the attack and spreading their virus. At the same time, attackers who are “buyers” don’t need to spend much time writing the codes. Instead of handling every piece of work on their own, they can just rent or buy the code.

RaaS application is generally pretty complex. Even the most casual computer user can launch an attack thanks to developer-provided instructions. RaaS is deployed through online portals with a user-friendly interface, so there is no coding skill required on the attacker’s part. Concerns are escalating because many developers actually offer customer service as well, so new buyers can seek for help and assistance to get their ransomware attack up and running if needs be.

Notable RaaS

There have been several major RaaS attacks over the last 5 years. A somewhat-peculiar threat was SamSam. An interesting fact about this malware is that it attacked only pre-selected high-profile targets rather than spreading like wildfire to increase its chances of success. Among the victims were healthcare facilities, Colorado Department of Transportation, and the City of Atlanta. Attackers were indicted on November 28, 2018, but not before they had collected more than $6 million in ransom money and caused over$30 million in financial losses to victims.

Cerber also is a prominent form of RaaS. In July 2016, attackers managed to collect close to $195,000 in ransom money. This amount was then divided among the attackers and the virus creators; the former took 60% of it, and the rest was the commission rate for the latter. Creators took a bold move to market the ransomware via forum posting and advertisement banner on the dark web.

Another notable RaaS is Satan which came to light for the first time in January 2017. It probably is the most accurate example of malware of its kind. Developers created a web portal with an easy-to-use interface for buyers to make further customization to the code itself. Satan makes it easy for the buyers to create a different version of ransomware simply by using the web portal.

Protecting Yourself from RaaS

Cybersecurity companies and software developers are on the constant effort to prevent and stop any malware attacks – including RaaS – even before the malware reaches users’ computers. On the users’ parts, the most effective preventive measures are often the simplest and most obvious ones, such as:

  • Using reliable security software. When it comes to computer security suite, you get what you pay for. A lot of free offerings claim to be the most reliable, but often the premium ones are more reliable. This is not to say that free security software is all bad; it is just that premium options usually come with more robust and complete protection. In addition to antivirus, it is good to have VPN software.
  • Updating system software. Regardless of the computer system you have, don’t be reluctant to update it with a new security patch as soon as it is available. The update is there to fix potential security issues and vulnerabilities.
  • Having data backup. Attacks always happen in the most unfortunate time, so it is never a bad idea to backup all your important files and applications regularly, preferably every day.

Cloud-computing is, without any doubt, one of the greatest innovations in the IT industry to make work and life easier. The problem is that technology is also available for cybercriminals who can take advantage of cloud platforms to launch ransomware attacks. No system is invulnerable, but you can minimize the risk of getting infected by using trustworthy anti-malware suites and avoiding any suspicious website links or email attachments.

Leave a Reply