How Does the Ransomware-as-a-Service Model Work?

[This article has been updated to clarify the differences between MedusaLocker and Medusa.]

Meet the dark reflection of software as a service (SaaS): ransomware as a service (RaaS). Whereas legitimate SaaS companies offer subscriptions to software to help companies run legal operations, RaaS groups offer subscriptions to malware and a host of supporting services to cybercrime affiliates.  

“Ransomware as a service has exploded basically since cryptocurrency appeared in the market in 2009,” Joye Purser, field CISO at enterprise data management company Veritas, says. RaaS lowers the barriers to entry for would-be cybercriminals. Instead of needing to develop all of the technical skills necessary to write malware and gain access to a victim’s system, threat actors can buy ready-made ransomware and access.  

How does this professionalized model work, and who are some of the key players? 

The RaaS Economy  

A certain sense of trust needs to be fostered between threat actors and victims in order for ransomware to be lucrative. “If the victims thought for a second that by paying a $50 million, $30 million, $20 million ransom would not get them the keys back to unlock their systems, they would never pay it,” says Rob Lee, chief curriculum director and faculty lead at SANS Institute, a cybersecurity training company.  

Related:To Catch a Cybercriminal -- and the Fallout That Follows

Not all victims pay up, but many do. In 2023, ransomware hit a milestone $1.1 billion in cryptocurrency payments. RaaS groups build that trust because they are staffed by experts who code effective malware.  

“If everyone is coding their own stuff, then there's a high likelihood that you'll introduce bugs and the chance [of] something going awry is great,” explains Lee. “So, anything that is coded correctly and works functionally every single time has a higher chance of success in creating the trust that's needed in the environment for ransomware to succeed.” 

Different players come together to form the RaaS economy. Operators sell a variety of services from ransomware variants and victim reconnaissance to initial access and negotiation support. RaaS groups also typically operate leak sites and facilitate victim payments.  

The financial models for RaaS vary depending on the group. Affiliates may pay a monthly subscription fee, which can be relatively inexpensive, potentially $200 to $300, according to Carl Wearn, head of threat intelligence analysis and future ops at IT security company Mimecast.  

That monthly subscription fee may be accompanied by a profit-sharing agreement in which the affiliate pays a percentage of any ransom successfully exploited back to the RaaS group. “In the case that the affiliate successfully infects and actually receives cryptocurrency then the creator of the code then may receive a percentage … as high as 30 or even 33% of the proceeds of ransom paid,” says Purser.  

Related:Understanding the Ransomware Attack Fallout on China’s ICBC

Some groups may also offer ransomware variants for a one-time licensing fee.   

Dark web forums play a vital role in connecting the various parties operating in the RaaS economy. “Most of the main groups I would say use the dark web to kind of advertise their services and recruit affiliates,” says Paul Mansfield, lead analyst, cyber threat intelligence at professional services company Accenture. 

Health care and public health, critical manufacturing, and government facilities were the top three sectors hit by ransomware attacks last year, according to the Federal Bureau of Investigation (FBI) Internet Crime Report 2023. But ransomware groups and their affiliates are opportunistic. Organizations in other sectors are not exempt from the risk of ransomware.  

Major Players

LockBit has been the biggest name in RaaS over the past few years. In 2023, the group was responsible for about 25% of all ransomware leaks, according to cybersecurity company Trend Micro. The group has demanded hefty ransoms from some of its victims. Last year, it demanded $70 million from Taiwan Semiconductor Manufacturing Company (TSMC) and $80 million from IT products and services company CDW.  

Related:Why Cultural Institutions Are Rich Targets for Cyberattackers

An international takedown effort, Operation Cronos, disrupted the group earlier this year. That law enforcement activity has sent ripples through the ransomware landscape, resulting in arrests and fracturing a RaaS powerhouse.  

Clop garnered a lot of attention in 2023 with its link to the MOVEit breach. The ransomware gang exploited a vulnerability in the MOVEit Transfer and MOVEit Cloud file transfer tools, resulting in significant fallout.  

ALPHV/Blackcat is another big name in the RaaS space. “They've targeted lots of different organizations, and those targets … have been across [industries],” says Paul Laudanski, director of security research at cybersecurity platform Onapsis. 

The group made headlines earlier this year with an attack on Change Healthcare, a payment and claims system. The ramifications of that attack were widespread in the health care industry. Experts believe the group may have shut down its leak site as a part of an exit scam following that attack.  

“We are in a time of flux. Just by looking at dark web forums and the discussions that go on -- it really caused shockwaves,” shares Mansfield. “It … spread mistrust and fear among the community.” 

Emerging Groups 

While law enforcement action has been ramping up against ransomware groups, the RaaS ecosystem is alive and well with space for new players. Mansfield highlights three groups that have caught the attention of him and his team.  

New on the scene is RansomHub, a group that is claiming to have files from Change Healthcare. The group published some of those stolen records on its leak site, Cybernews reports.  

“Their signature that's on every of one of the posts … they allow affiliates to get paid into their own Bitcoin wallet first and they pay RansomHub last,” Mansfield shares. “They're offering a 90/10 split. So that's kind of unusual and … maybe a move to undercut opposition and attract affiliates.” 

BlackHunt 2.0 is another group on Mansfield’s radar. It is positioning itself as a professional RaaS group. “They've aimed their advertisement at people who are tired of low ransom amounts and scams and unprofessional work,” says Mansfield. “They say they're reliable and professional.”  

MedusaLocker has been around since 2019, primarily targeting the health care sector, according to a Health Sector Cybersecurity Coordination Center (HC3) report. Medusa, a similarly named but distinct group, has recently stepped up its activity, according to Mansfield.  
Medusa began targeting victims in June 2021, according to BleepingComputer. Its approach to affiliate payment may make them an attractive partner for cybercriminals. “They do … a percentage payment model, starts at 70/30 for smaller ransoms, like half a million and then … the sliding scale up to 90/10 for ransoms above a million,” Mansfield shares. “Obviously, they are incentivizing attacks against bigger companies.”
Affiliates that hit more than $1 million in payments get additional benefits from Medusa, such as 24/7 support and distributed denial-of-service (DDoS) attacks performed on their victims, according to Mansfield.  

Groups leveraging traditional RaaS models aren’t the only emerging players. Cybersecurity company Sophos revealed that is tracking 19 “junk gun” ransomware variants designed to disrupt the RaaS model. Attackers are selling these unsophisticated variants for a one-time fee, rather than leaning into the affiliate model, according to the report. 

RaaS Affiliates  

Who are the people who pay for RaaS? 

“Potentially, you could get involved in cybercrime and ransomware without any unique skills yourself just by hiring the ransomware, purchasing the access from another threat actor via Telegram let's say, and then accessing user accounts and uploading your ransomware. It could be as simple as that,” says Wearn.  

RaaS does lower the barrier to entry into the world of cybercrime, but that doesn’t necessarily mean all ransomware affiliates are unskilled threat actors. RaaS groups have a reputation to uphold, and many of them have criteria that affiliates need to meet.  

“They [affiliates] might need to provide information on their team composition because affiliates can obviously be more than one person,” explains Mansfield. “They might need evidence of work with other affiliate programs, other RaaS programs. They might need evidence of a cryptocurrency wallet balance.”  

Financial gain is an obvious motivation for the people who pay for RaaS, but it is also possible that other factors, like hacktivism or political sentiment, are at play.  

“We may determine that an attribution might go to a particular ransomware group, but … it would not be far-fetched for a nation state actor to be able to go through a ransomware as a service group to be able to add that extra layer of obfuscation about who they really are,” says Laudanski. 

Disrupting RaaS Groups 

Operations Cronos was a big win for law enforcement. The taskforce seized LockBit’s data leak website, froze cryptocurrency accounts, and orchestrated the arrest of two individuals.  

But taking down RaaS groups remains a challenge. Following the takedown, LockBit reemerged. ALPHV/Blackcat was hit with a disruption campaign in December 2023. It hit back with the Change Healthcare attack just months afterward.  

Arrests, while meaningful, are challenging to carry out. Often threat actors operate in places, such as Russia, that do not have extradition agreements with countries like the US and the UK. Threat actors can scatter and regroup under the same banner, or they can take their skills to other ransomware groups.  

Law enforcement alone is not enough to combat ransomware activity. Collaboration with the private sector is vital. Purser was a Cybersecurity and Infrastructure Security Agency (CISA) regional director when the Colonial Pipeline ransomware attack occurred in 2021, and she recalls the importance of that collaboration.  

“I remember very vividly multiple US federal agencies working very smoothly together with Colonial Pipeline to conduct rapid forensics to help [them] get back online and to actually claw back some of that money that was paid for random,” she shares.  

The fight against RaaS, as well as other forms of cybercrime, is an ongoing battle fought by law enforcement and potential victims.  

Managing RaaS Risk  

How can enterprise leaders manage the risk associated with RaaS? “Your main defense against ransomware is resiliency of your network and fallback capabilities, which just don't seem to be up to the job for many companies at the moment,” says Wearn.  

Achieving the requisite resiliency at an enterprise means that security needs to have the attention of senior leadership. “You have to empower the security professionals to be able to do proper risk analysis. You have to empower the security professionals, the CISO and the CISO’s team, to be able to [implement] a security framework,” Laudanski argues.  

Security teams need to understand what an enterprise is using across its technology stack and where its risks lie, both internally and throughout its supply chain. Adopting cybersecurity protocols like multi-factor authentication, regular patching, zero trust, and data backups can mitigate those risks.  

Staff training also plays an important role in defending an organization against ransomware threats. Everyone in an organization needs to know about these threats, including executives. “It's useful to train executives on how the deal with extortion attempts because that's a real trend that we're seeing lately … ransomware groups going [after] the executives,” Mansfield shares.  

Awareness of RaaS can prepare organizations, and law enforcement is chipping away at cybercriminal activity, but RaaS remains lucrative for threat actors. This means the groups and affiliates in this ecosystem are going to continue targeting victims.