In 2012, Reveton ransomware emerged. It’s considered to be the first Ransomware-as-a-Service (RaaS) operation ever. Since then, RaaS has enabled gangs with basic technical skills to launch attacks indiscriminately. Now, nearly anyone can create highly effective malware campaigns.

We now see RaaS outfits with organizational capabilities that rival the most professional Software-as-a-Service (SaaS) brands. But has RaaS grown too big? The factors that led to the niche’s growth may also lead to its demise.

Let’s look at the rise — and potential fall — of Ransomware-as-a-Service. After Reveton, things have never been the same.

RaaS takes root in Reveton

Reveton burst on the scene by sending fake police agency messages to infected computers. Intruders impersonated the FBI or other law enforcement agencies and coerced victims into paying fines. Actors threatened victims with arrest for supposedly downloading child pornography and pirated content.

Reportedly, Reveton actors raked in about $400,000 from victims every month. At the time, Reveton was unique as it was customized to location. It appeared as if it came from a local law enforcement agency.

Reveton malware packages loaded malicious software into phony and hijacked web pages. If a visitor clicked an infected link, the malware would scan the user’s device for exploitable plugins via the CVE-2012-1723 exploit.

The malware also included info stealers, which penetrated password management platforms to steal credentials. Phishing campaigns also delivered malicious links. Eventually, Reveton even evolved to target smartphones through fake app downloads.

Ransomware-as-a-Service is born

Reveton’s distribution methods were highly sophisticated. The malware’s operation command used reverse proxies at dozens of servers scattered across the globe. Periodically, Reveton released new features and new customizations for ransom messages. It was also one of the first ransomware attacks to demand payment in bitcoin.

The most distinctive aspect of Reveton was that it offered its malware packages to third parties as a service. Since the appearance of Reveton, other RaaS gangs have surfaced. This places the tools to launch a ransom attack in the hands of many more actors. Undoubtedly, RaaS has contributed to the continued rise in ransomware incidents. In 2021 alone, there were over 623 million ransomware events worldwide.


Just like SaaS brands

Ransomware-as-a-Service is the product of the larger ransomware phenomenon, and the economics behind it are startling. In 2021, average ransom payments reached $812,000 compared with $170,000 the prior year. In 2021, the overall damage worldwide from ransomware was $20 billion.

RaaS also helped spearhead a larger Malware-as-a-Service (MaaS) trend. Just like their SaaS counterparts, MaaS brands can have slick websites and monthly newsletters that announce new features, customizations and upgrades. Some MaaS brands have their own marketing campaigns, video tutorials, white papers and Twitter accounts.

Clients of RaaS can choose different subscription tiers, such as Basic, Professional and Enterprise. Or they might pay a percentage of each successful attack. Traditionally, to sign up for Malware-as-a-Service, users needed a referral or access to encrypted messaging or dark web forums. However, newer providers only require an email to set up an account accessed from a normal web URL.

Too much of a bad thing?

The problem with success is that it attracts attention. The more successful a Malware-as-a-Service brand becomes, the more likely it is to attract notice from law enforcement. And if attacks are especially high profile, or involve critical infrastructure, federal and international agencies get involved. One example of this was the takedown and dismantling of the high-profile REvil ransomware gang.

As a RaaS operation grows, so does its infrastructure. Ironically, this also becomes a liability, since the attacker’s own attack surface grows. This makes detection and disruption through law enforcement takedowns easier. As a result, RaaS groups are forced to invest more in infrastructure obfuscation and redundancy. This, in turn, cuts into profit margins and the resources available for innovation and expansion.

New fluid, brandless approach

In response to these challenges, some ransomware agents are adopting more dynamic, low-profile tactics. For example, the Russian-language ransomware gang Vice Society wields a constantly changing array of tools, including ransomware variants. “Vice Society actors do not use a ransomware variant of unique origin,” according to a joint alert from the FBI and CISA.

Due to the increased scrutiny from law enforcement, the demand for RaaS may be slowing. Vice Society appears to have bought off-the-shelf malware rather than signing up for a RaaS subscription. Ransomware affiliates are becoming very fluid in their sampling of different RaaS kits. They may even develop their own tools based on leaked ransomware source code, such as Hello Kitty’s source code or even Conti’s leaked source code.

Are smaller targets safer?

The flip side of this move away from high-profile RaaS brands is the targeting of smaller victims. Rather than attacking large corporations or infrastructure like the Colonial Pipeline, most attackers prefer smaller targets. For example, Vice Society favors attacks on schools and colleges, a far cry from massive pipeline-sized targets. While ransomware remains a threat to businesses of all sizes, companies with fewer than 1,000 employees are most at risk.

In a rare interview, a REvil-associated threat actor said, “You can hit the jackpot once, but provoke such a geopolitical conflict that you will be quickly found. It is better to quietly receive stable small sums from mid-sized companies.”

Effective ransomware prevention

The CISA Ransomware Guide provides extensive advice to mitigate threats. Some of its high-level advice includes:

  • Maintain offline backups of data
  • Ensure all backup data is encrypted, immutable and covers the entire organization’s data infrastructure
  • Review the security posture of third-party vendors
  • Implement allowlisting policies for applications and remote access that only allow systems to execute known and permitted programs under an established security policy
  • Document and monitor external remote connections
  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented and secure location (e.g., hard drive, storage device or cloud).
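Two items on that list, documenting external remote connections and allowlisting remote access, are only useful if the documentation is actually checked against what the remote-access gateways see. The script below is an added example, not code from CISA or from the article: it keeps a small inventory of documented external connections (owner, service, permitted users, permitted source network, destination host) and reviews remote-access log lines against it, flagging logins from undocumented sources and any RDP session arriving directly from outside the internal address space. The log format, hostnames, user names and inventory entries are all constructed for the example, and the internal address ranges are assumed to be the RFC 1918 blocks.

```python
"""Review remote-access logs against a documented inventory of external connections.

Added example. The log format, hosts, users and inventory below are constructed;
nothing here comes from a real product or from the CISA Ransomware Guide itself.
"""
import ipaddress
import re
from typing import List, NamedTuple, Optional

# Constructed (hypothetical) log format:
#   <timestamp> <service> user=<name> src=<ip> dst=<host> result=<ok|fail>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<service>\w+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) result=(?P<result>ok|fail)$"
)

# Assumption: the RFC 1918 blocks are "internal"; any other source is an external connection.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class RemoteAccessRule(NamedTuple):
    """One documented external remote connection: who may connect, from where, to what."""
    owner: str
    service: str
    users: frozenset
    source_net: ipaddress.IPv4Network
    dest: str


class Finding(NamedTuple):
    kind: str
    user: str
    src: str
    dst: str
    result: str


# Constructed inventory standing in for the organization's documented remote connections.
INVENTORY = [
    RemoteAccessRule("it-ops", "vpn", frozenset({"alice", "bob"}),
                     ipaddress.ip_network("203.0.113.0/24"), "vpn-gw-01"),
    RemoteAccessRule("hvac-vendor", "vpn", frozenset({"svc-hvac"}),
                     ipaddress.ip_network("198.51.100.0/28"), "vpn-gw-01"),
]


def is_documented(service: str, user: str, src: ipaddress.IPv4Address, dst: str,
                  inventory: List[RemoteAccessRule]) -> bool:
    """True if some inventory entry permits this user/service/source/destination combination."""
    return any(
        rule.service == service and rule.dest == dst
        and user in rule.users and src in rule.source_net
        for rule in inventory
    )


def review_line(line: str, inventory: List[RemoteAccessRule] = INVENTORY) -> Optional[Finding]:
    """Return a Finding for one log line, or None if the line needs no attention."""
    m = LOG_RE.match(line)
    if not m:
        return Finding("unparsed", "", "", "", line.strip())
    e = m.groupdict()
    src = ipaddress.ip_address(e["src"])
    if any(src in net for net in INTERNAL_NETS):
        return None  # internal source: not an external remote connection
    if e["service"] == "rdp":
        # RDP reachable straight from the internet is never on the documented list.
        return Finding("direct-rdp-from-internet", e["user"], e["src"], e["dst"], e["result"])
    if is_documented(e["service"], e["user"], src, e["dst"], inventory):
        return None
    # Failed attempts are reported too: an undocumented source probing a gateway matters.
    return Finding("undocumented-remote-connection", e["user"], e["src"], e["dst"], e["result"])


def review_log(lines: List[str], inventory: List[RemoteAccessRule] = INVENTORY) -> List[Finding]:
    """Review every line and return only the findings, in log order."""
    return [f for f in (review_line(line, inventory) for line in lines) if f is not None]


# Constructed sample log: two documented logins, one vendor account from an
# undocumented source, one RDP attempt from outside, one internal login.
SAMPLE_LOG = [
    "2024-05-01T08:00:01Z vpn user=alice src=203.0.113.7 dst=vpn-gw-01 result=ok",
    "2024-05-01T08:05:12Z vpn user=svc-hvac src=198.51.100.3 dst=vpn-gw-01 result=ok",
    "2024-05-01T08:07:40Z vpn user=svc-hvac src=192.0.2.44 dst=vpn-gw-01 result=ok",
    "2024-05-01T08:09:03Z rdp user=administrator src=192.0.2.99 dst=fileserver-02 result=fail",
    "2024-05-01T08:10:00Z vpn user=carol src=10.0.0.5 dst=vpn-gw-01 result=ok",
]

if __name__ == "__main__":
    for f in review_log(SAMPLE_LOG):
        print(f"{f.kind:32} user={f.user} src={f.src} dst={f.dst} result={f.result}")
```

Run on the sample log, the review reports the vendor account connecting from 192.0.2.44 (a source the inventory does not list for it) and the RDP attempt against fileserver-02; the two documented VPN logins and the internal one are silent. The inventory is deliberately keyed on user, source network and destination together, so a documented vendor account used from an unexpected place still surfaces, which is the kind of drift a written inventory alone will not catch.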

CISA also recommends the implementation of identity and access management (IAM). This can include automated, cloud-based and on-premises capabilities for administering identity governance. IAM can manage workforce and consumer identity/access and provide control over privileged accounts.

Reveton opened the door to a wider range of threats, and ransomware isn’t going away soon. The best strategy is to be well prepared against attack.
