Ransomware-as-a-Service: The New Normal in Cybercrime

Mar 7, 2024 | Cybercrime, Terms & Jargon


Explore the rise of ransomware-as-a-service, its impact on cybersecurity, and the complex decision-making behind paying ransoms.

In recent years, the digital landscape has experienced a seismic shift in the nature of cyber threats. In response to cybersecurity and data backup measures designed to defend against traditional ransomware methods, the practice has adapted itself in several ways. One adaptation, discussed in an earlier episode, involves not just the encryption of essential business data, but the exfiltration and publication of sensitive information online. Another frightening adaptation that has turned ransomware into a more sophisticated and destructive force is the emergence of ransomware-as-a-service.

The Decline and Resurgence of Ransomware

During the initial stages of the COVID-19 pandemic, an unexpected trend emerged in the realm of cybersecurity: the decline of ransomware attacks. In 2021, there was a noticeable decrease in the number of ransomware incidents, and although 2022 saw a slight uptick in attacks, the overall financial impact inflicted by ransomware significantly dropped. This reduction could be attributed to various factors, including cybersecurity measures that finally caught up with the rise of remote working arrangements. Additionally, the plummeting value of Bitcoin, the preferred currency for ransom payments, played a crucial role in diminishing ransomware’s profitability.

However, this period of relative decline was short-lived. In the subsequent 18 to 24 months, there has been a substantial resurgence in ransomware attacks. This new wave of ransomware is characterized by a nearly universal reliance on multiple forms of extortion and the explosive growth of Ransomware-as-a-Service.

Ransomware-as-a-Service: A Disturbing Innovation

The concept of “Ransomware-as-a-Service” marks a significant evolution in the cybercrime landscape, transforming ransomware from a niche threat carried out by skilled attackers into a widespread menace accessible to a broader audience. This transformation is facilitated by a service model that democratizes the tools and processes needed to launch ransomware attacks, significantly lowering the barrier to entry for potential cybercriminals.

Ransomware-as-a-service platforms operate much like legitimate software-as-a-service (“SaaS”) offerings, providing would-be attackers with sophisticated ransomware tools, customer support, and even marketing materials, all for a fee.

What is Ransomware-as-a-Service?

Ransomware-as-a-Service is a subscription-based model that allows affiliates to access ransomware tools, infrastructure, and support in exchange for a fee or a percentage of the ransom payments they collect. This model provides customers with everything they need to conduct ransomware attacks, including malware, deployment strategies, and even customer support for victims on how to pay the ransom. Essentially, ransomware-as-a-service enables individuals who may lack technical expertise to execute sophisticated ransomware campaigns. This model has significantly lowered the barrier to entry for engaging in cyber extortion, contributing to the proliferation of ransomware incidents.

Why Ransomware-as-a-Service Has Emerged

The emergence of ransomware-as-a-service is attributed to both the high profitability of ransomware attacks and the increasing demand for easy-to-use cyberattack tools. With cybersecurity measures improving, traditional attack methods have become less effective, prompting cybercriminals to innovate. Ransomware-as-a-service offers a solution by providing sophisticated attack capabilities without requiring extensive knowledge or resources, appealing to a wide array of individuals looking to engage in cybercrime.

Key Players in Ransomware-as-a-Service

Initial Access Brokers: These individuals specialize in breaching security and gaining unauthorized access to systems. They sell this access to others, facilitating the initial step for various cyberattacks, often serving as the entry point for ransomware attacks.

Ransomware Developers: These are the creators of ransomware programs. They develop malicious software, which they distribute through ransomware-as-a-service platforms, continuously updating their creations to evade detection and enhance effectiveness. Their expertise in crafting effective and evasive ransomware makes them central figures in the ransomware-as-a-service ecosystem.

Affiliates: Affiliates are essentially the customers or end-users of ransomware-as-a-service platforms. They execute the ransomware attacks using the tools and information provided, handling the distribution of malware, communication with victims, and negotiation of ransoms. In return for access to the ransomware-as-a-service platform’s resources, affiliates often pay a fee or share a portion of their profits with the service providers.

While it is ultimately up to the affiliates to select the targets of their ransomware attacks and perform all the legwork involved in the extortion, it is quite common for ransomware-as-a-service providers to include a list of recommended or “approved” targets for the affiliates to go after. There are also frequently target types or specific businesses that affiliates are prohibited from extorting with the ransomware-as-a-service tools.

Impact of the Rise of Ransomware-as-a-Service

The rise of ransomware-as-a-service has led to an increase in ransomware attacks across the globe, affecting organizations of all sizes and industries. Relying on what could almost be described as basic improvements in user interface and customer service, ransomware-as-a-service providers have continually improved their offerings in a number of ways, including:

Ease of Use: By simplifying the execution of these attacks, ransomware-as-a-service has expanded the pool of potential cybercriminals and increased the frequency and sophistication of ransomware incidents.

Distribution of Responsibilities: The distributed and anonymized nature of ransomware-as-a-service operations complicates law enforcement efforts to track and prosecute responsible parties, as responsibilities and roles are spread across different individuals and often across international borders. This further emboldens attackers.

Diversified Target Portfolio: The ease of access to ransomware-as-a-service platforms has led to a diversification of targets, with small businesses, healthcare institutions, and government agencies all falling victim to ransomware attacks.

These developments have resulted in significant financial and operational impacts on businesses and cybersecurity professionals.

Responding to the Rise of Ransomware-as-a-Service

The reemergence of ransomware has prompted varied responses from governments, businesses, and other entities. These stakeholders have long sought ways to disincentivize victims from complying with ransomware gangs’ demands, aiming to undermine the economic incentives that fuel these cybercriminal activities. However, the actual impact of these disincentives is not immediately clear.

Disincentivizing Payment of Ransom

Governments and regulatory bodies have introduced measures aimed at discouraging ransom payments. This includes the passing of laws in certain jurisdictions that prohibit government entities from paying ransoms, alongside insurance companies integrating “do not pay” clauses into their policies. Numerous regulatory bodies have begun requiring that regulated entities report any data breaches that include extortion demands or threaten the publication of exfiltrated data. (In one notable case, the ransomware gang used a regulated entity’s failure to report the gang’s ransom demand as required as a basis for their own extortion!)

These efforts are underpinned by two beliefs: that reducing the profitability of ransomware attacks will diminish their prevalence, and that legal or contractual prohibitions will actually result in victims refusing to pay ransoms that, absent these prohibitions, would likely be paid. It is unclear whether these beliefs are grounded in fact or are merely aspirational.

Additionally, law enforcement agencies have ramped up efforts to combat ransomware gangs by dismantling networks and publishing decryption keys, aiming to offer victims alternative means of recovering their data without capitulating to ransom demands.

Effectiveness of These Measures

The success of measures intended to disincentivize ransom payments has been mixed. Despite increased regulatory and law enforcement actions, ransomware gangs have continued to extract significant sums from victims, with the past year witnessing record amounts paid out in ransoms. This indicates a gap between the intent of such measures and their real-world effectiveness. The persistence of high-profile ransomware attacks, even in the face of legal and policy-based deterrents, suggests that the current strategies may not be sufficiently dissuasive or are being circumvented by both ransomware operators and their victims.

Factors Influencing Victims’ Decisions

The decision to pay a ransom is influenced by a multitude of factors, making it a complex dilemma for victims. Key considerations include the potential downtime and operational disruption, the sensitivity of exfiltrated data, and the reputational risks associated with data breaches. Victims weigh the immediate costs of paying the ransom against the long-term implications of data loss or public exposure of sensitive information. The calculation also involves legal and financial considerations, such as the possibility of fines for non-compliance with “do not pay” regulations and the impact on insurance claims. Ultimately, the decision is often driven by a pragmatic assessment of the least harmful course of action for the victim’s specific circumstances, highlighting the nuanced and multifaceted nature of responding to ransomware demands.

In conclusion, while efforts to disincentivize compliance with ransomware demands embody a proactive approach to countering this cyber threat, their effectiveness remains limited. The decision to pay a ransom involves a complex interplay of operational, legal, and financial factors, with victims often finding themselves in a position where paying the ransom appears to be the most viable option.


We’re here to help make the complex language of cybersecurity understandable. So if there are topics or issues that you’d like Ryan and me to break down in an episode, send us an email at info@fearlessparanoia.com or reach out to us on Facebook or LinkedIn. For more information about today’s episode, be sure to check out Fearless Paranoia.com where you’ll find a full transcript as well as links to helpful resources and any research and reports discussed during this episode. While you’re there, check out our other posts and podcasts as well as additional helpful resources for learning about cybersecurity.
