In 2012, Reveton ransomware emerged. It’s considered to be the first Ransomware-as-a-Service (RaaS) operation ever. Since then, RaaS has enabled gangs with basic technical skills to launch attacks indiscriminately. Now, nearly anyone can create highly effective malware campaigns.

We now see RaaS outfits with organizational capabilities that rival the most professional Software-as-a-Service (SaaS) brands. But has RaaS grown too big? The factors that led to the niche’s growth may also lead to its demise.

Let’s look at the rise — and potential fall — of Ransomware-as-a-Service. After Reveton, things have never been the same.

RaaS takes root in Reveton

Reveton burst on the scene by sending fake police agency messages to infected computers. Intruders impersonated the FBI or other law enforcement agencies and coerced victims into paying fines. Actors threatened victims with arrest for supposedly downloading child pornography and pirated content.

Reportedly, Reveton actors raked in about $400,000 from victims every month. At the time, Reveton was unique as it was customized to location. It appeared as if it came from a local law enforcement agency.

Reveton malware packages loaded malicious software into phony and hijacked web pages. If a visitor clicked an infected link, the malware would scan the user’s device for exploitable plugins via the CVE-2012-1723 exploit.

The malware also included info stealers, which penetrated password management platforms to steal credentials. Phishing campaigns also delivered malicious links. Eventually, Reveton even evolved to target smartphones through fake app downloads.

Ransomware-as-a-Service is born

Reveton’s distribution methods were highly sophisticated. The malware’s operation command used reverse proxies at dozens of servers scattered across the globe. Periodically, Reveton released new features and new customizations for ransom messages. It was also one of the first ransomware attacks to demand payment in bitcoin.

The most unique aspect of Reveton was that it offered its malware packages to third parties as a service. Since the appearance of Reveton, other RaaS gangs have surfaced. This places the tools to launch a ransom attack in the hands of many more actors. Undoubtedly, RaaS has contributed to the continued rise in ransomware incidents. In 2021 alone, there were over 623 million ransomware events worldwide.


Just like SaaS brands

Ransomware-as-a-Service is a product of the larger ransomware phenomenon, and the economics behind it are startling. In 2021, the average ransom payment reached $812,000, compared with $170,000 the prior year. In 2021, the overall damage worldwide from ransomware was $20 billion.

RaaS also helped spearhead a larger Malware-as-a-Service (MaaS) trend. Just like their SaaS counterparts, MaaS brands can have slick websites and monthly newsletters that announce new features, customizations and upgrades. Some MaaS brands have their own marketing campaigns, video tutorials, white papers and Twitter accounts.

Clients of RaaS can choose different subscription tiers, such as Basic, Professional and Enterprise. Or they might pay a percentage of each successful attack. Traditionally, to sign up for Malware-as-a-Service, users needed a referral or access to encrypted messaging or dark web forums. However, newer providers only require an email to set up an account accessed from a normal web URL.

Too much of a bad thing?

The problem with success is that it attracts attention. This means more successful Malware-as-a-Service brands are more likely to attract notice from law enforcement. And if attacks are especially high profile, or involve critical infrastructure, federal and international agencies get involved. One example of this was the takedown and dismantling of the high-profile REvil ransomware gang.

As a RaaS operation grows, so does its infrastructure. Ironically, this also becomes a liability, since the attacker’s own attack surface grows. A larger footprint is easier to detect and easier for law enforcement to disrupt through takedowns. As a result, RaaS groups are forced to invest more in infrastructure obfuscation and redundancy. This, in turn, cuts into profit margins and into the resources available for innovation and expansion.

New fluid, brandless approach

In response to these challenges, some ransomware agents are adopting more dynamic, low-profile tactics. For example, the Russian-language ransomware gang Vice Society wields a constantly changing array of tools, including ransomware variants. “Vice Society actors do not use a ransomware variant of unique origin,” according to a joint alert from the FBI and CISA.

Due to the increased scrutiny of law enforcement, the demand for RaaS may be slowing. Vice Society appears to have bought off-the-shelf malware rather than signing up for a RaaS subscription. Ransomware affiliates are becoming very fluid in their sampling of different RaaS kits. They may even develop their own tools based on leaked ransomware source code, such as Hello Kitty’s source code or even Conti’s leaked source code.

Are smaller targets safer?

The flip side of this move away from high-profile RaaS brands is the targeting of smaller victims. Rather than attacking large corporations or infrastructure like the Colonial Pipeline, most attackers prefer smaller targets. For example, Vice Society favors attacks on schools and colleges, a far cry from massive pipeline-sized targets. While ransomware remains a threat to businesses of all sizes, companies with fewer than 1,000 employees are most at risk.

In a rare interview, a REvil-associated threat actor said, “You can hit the jackpot once, but provoke such a geopolitical conflict that you will be quickly found. It is better to quietly receive stable small sums from mid-sized companies.”

Effective ransomware prevention

The CISA Ransomware Guide provides extensive advice to mitigate threats. Some of its high-level advice includes:

  • Maintain offline backups of data
  • Ensure all backup data is encrypted, immutable and covers the entire organization’s data infrastructure
  • Review the security posture of third-party vendors
  • Implement allow-listing policies for applications and remote access so that systems only execute known and permitted programs under an established security policy
  • Document and monitor external remote connections
  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented and secure location (i.e., hard drive, storage device or cloud).

CISA also recommends implementing identity and access management (IAM). This can include automated, cloud-based and on-premises capabilities for administering identity governance. IAM can manage workforce and consumer identity and access, and provide control over privileged accounts.

Reveton opened the door to a wider range of threats, and ransomware isn’t going away soon. The best strategy is to be well prepared against attack.
