The Rise of Ransomware-as-a-Service and Decline of Custom Tool Development

Years ago, ransomware buyers would often purchase ransomware from sellers on underground forums. These standalone sellers usually offered ransomware as a one-time sale, often requiring significant upfront costs.

Many sellers were the original developers of the ransomware and provided support, updates, and sometimes decryption tools for a fee. As the demand for ransomware grew, so did the market, and the sophistication of these tools began to increase. Some sellers even offered customization options, allowing buyers to tweak ransomware features to suit their targets.

Image: An example of the RaaS customization options

However, this model began to change with the rise of ransomware-as-a-service (RaaS). RaaS platforms made it much easier for attackers to execute ransomware attacks without needing any specialized technical skills. Instead of purchasing a one-time tool, attackers could subscribe to RaaS platforms, pay for access to a control panel, and carry out attacks without the initial high investment.

The RaaS model works similarly to legitimate software-as-a-service (SaaS) platforms, providing a dashboard for affiliates to manage their campaigns.

RaaS platforms offer several payment models:

1. Commissions: The platform takes a percentage of the ransom payment.
2. Subscription fees: Attackers pay a monthly fee for access.
3. One-time fee: A one-off payment for lifetime access to the ransomware kit.

This low-cost, low-risk approach has made RaaS extremely popular, reducing the need for standalone ransomware sellers and custom tool development. Most RaaS platforms even offer customer support and updates, further enticing potential attackers to opt for these ready-made solutions.

The evolution toward RaaS is not confined solely to ransomware; rather, it is part of a broader trend within the cybercrime ecosystem toward SaaS models.

This trend has affected many areas of the cybercriminal world, as many tools and services are becoming accessible via subscription models – whether it’s phishing-as-a-service, ddos-for-hire, or botnet rentals.

Image: An example of phishing-as-a-service

It means cybercriminals can now lower the barrier to entry – like RaaS did for ransomware. Neither coding nor network penetration skills are necessary for wannabe attackers anymore. Now, they can rent or buy tools.

All stages of a cyberattack lifecycle from initial access to execution and monetization are now possible via these SaaS platforms. Using this service-first model has changed how cybercriminals work—cyberattacks are now easier to launch and harder to prevent because of the explosion of such offerings.

Evidence shows that many ransomware groups are using similar or even the same tools. A notable example is Vice Society, which has been observed using Inc ransomware, a RaaS offering.

The simplicity and accessibility of RaaS platforms mean that many attackers are leveraging the same base ransomware code, often with minor modifications to fit their needs.

RaaS platforms typically offer a core ransomware package with the ability to add or modify encryption methods, ransom notes, and more, making it easier for various groups to reuse tools with minimal customization.

Image: An example of a RaaS panel (Ransom32)

While some well-established ransomware groups, like Conti or REvil, developed their own proprietary ransomware in the past, even they have dabbled in the RaaS market, either licensing their tools to others or using others’ kits in certain attacks.

This general trend points to groups moving away from heavy investment in custom tool development, especially when RaaS kits provide them with sufficient capabilities to execute attacks efficiently.

Ransomware attacks rarely involve one tool. Attackers usually use a few tools and techniques to increase the odds of success and to maintain persistence within the target network. An average attack typically looks like this:

1. Initial Access: Attackers might use phishing emails, exploits, or stolen credentials.
2. Privilege Escalation: Tools like Mimikatz or Cobalt Strike are often used to escalate privileges within the network.
3. Lateral Movement: Tools like PsExec allow attackers to move laterally over networks.
4. Ransomware Deployment: The ransomware is deployed—often obtained via RaaS.
5. Exfiltration: More sophisticated attacks use data exfiltration tools to steal sensitive information before encrypting it—double extortion.

One group may handle initial access, and another may handle ransomware deployment. This means that several tools are used during one attack, creating a multi-stage, layered offense.

Common questions about RaaS, the benefits for attackers, and their role in ransomware attacks are answered here. We also clarify some misunderstandings about the tools and tactics used in these attacks, shedding light on how the different elements complement one another within the broader context of cybercrime.

1. How do attackers benefit from RaaS platforms?

Attackers benefit from RaaS platforms by accessing ready-made tools without needing to invest in custom development. They can also take advantage of features like encryption, decryption support, and even technical assistance from the RaaS developers. Additionally, many platforms offer easy-to-use dashboards for tracking infections and managing campaigns.

2. Do ransomware attacks typically involve multiple tools?

Yes, ransomware attacks often involve several tools throughout the attack lifecycle. Attackers may use tools for initial access, like phishing kits or stolen credentials, and additional tools for privilege escalation (e.g., Mimikatz), lateral movement (e.g., PsExec), and data exfiltration. The ransomware itself is often just one part of a broader attack strategy.

3. Can RaaS platforms be taken down by law enforcement?

While law enforcement agencies have successfully shut down some RaaS platforms in the past, such as REvil and DarkSide, many others continue to operate in the shadows. The distributed and often anonymous nature of these platforms makes them difficult to completely eradicate.

4. Is there a future for standalone ransomware sellers?

Standalone ransomware sellers have largely been overshadowed by the rise of RaaS. With lower upfront costs, ongoing updates, and easier access to tools, RaaS is more appealing to most attackers. However, there may still be niche markets for custom-developed ransomware, particularly for highly targeted attacks.

BlackFog provides a solution with a focus on preventing data exfiltration with ADX technology. This next generation cybersecurity solution has been designed to help organizations protect themselves from ransomware attacks and extortion 24/7, without the need for human intervention.

Don’t wait for the next ransomware attack wave; take proactive action now and secure your most valuable asset.

Learn how our solutions can strengthen your cybersecurity posture and prevent ransomware incidents.