How to Defend against the Rising Threat of Ransomware-As-A-Service

Ransomware-as-a-service (RaaS) is a growing industry and a major threat to all organizations. Find out how the RaaS model works, how some of the most profitable RaaS groups operate, and discover the best security practices to minimize the chances of a successful RaaS attack. 

By Diana
5 min read

As cybercriminals refine their methods and widen their scope of attack, many are turning to ransomware-as-a service (RaaS). RaaS groups were responsible for 60% of the ransomware attacks that happened during the past 18 months. With the popularity of RaaS growing, these criminal groups pose a significant threat to businesses across all industries. To protect their people and processes from this growing threat, organizations first need to understand how these groups operate.

The Ransomware-As-A-Service Model

Ransomware-as-a-service is a model in which attackers, or affiliates, pay a service provider for access to ransomware tools. In a certain sense, the model mirrors the software-as-a-service (SaaS) paradigm. As with SaaS, a RaaS client pays for a technology service that they’d like to outsource. The service providers then supply the needed software so that the affiliates can launch their own attacks.

The providers are responsible for developing a RaaS kit and getting it licensed to a ransomware affiliate. Once they’ve developed a capable malware system, they start looking for affiliates interested in using the technology. The affiliates, meanwhile, are free to focus on tasks such as compromising targets or distributing the ransomware, without having to worry about the malware development side of the operation.

Some affiliates pay for the service on a monthly basis. Others simply give the RaaS provider a commission of their profits, and the percentages are usually pre-determined upon the license purchase. Once the deal has been settled, the affiliate receives all the onboarding information they need to weaponize the malware against their victims.

Top RaaS Organizations

A number of criminal groups have established themselves as major RaaS providers in recent years. By developing malicious software and selling it to affiliates, these groups have earned significant profits.

Prominent groups include:

  • DarkSide/BlackCat/ALPHV
  • REvil/Sodinokibi
  • Conti
  • LockBit
  • Maze/Egregor


With distinct programs and practices, each group represents a unique threat to an organization. By learning about how these criminal enterprises operate, companies can improve their security posture and safeguard against RaaS-based attacks.

1. DarkSide Rebranded BlackCat/ALPHV

For years, DarkSide was a major RaaS provider with a long list of victims around the world. The group was noted for using phishing emails with embedded links and malicious attachments as an attack vector. Once the DarkSide malware gained access to a target environment, it could gather key credentials and exfiltrate sensitive and valuable data from the business.

After the notorious attack on the Colonial Pipeline, a major U.S. fuel pipeline, DarkSide was believed to have disappeared once its servers were seized and its cryptocurrency funds drained. Many of its developers later resurfaced as BlackCat/ALPHV. The new group developed its malware in the Rust programming language. The cybercriminals’ latest approach includes a host of novel, sophisticated features, such as the ability to use different encryption routines, spread between computers, kill virtual machines and ESXi VMs, and wipe ESXi snapshots automatically to stop recovery.

In early 2022, ALPVH’s methods were used to launch an attack on Swissport, an aviation services company that provides logistical support for airports in over 50 countries. The bad actors extracted considerable amounts of sensitive data and threatened to release the information if a ransom wasn’t paid. They also announced that they are willing to sell the entire 1.6 TB of data to a prospective buyer.

2. REvil/Sodinokibi

In many ways, the REvil malware resembles most other RaaS programs. Once it has successfully infiltrated an organization’s network, most commonly through phishing, brute-force attacks, and server exploits, it captures and encrypts key pieces of data. REvil also mimics other RaaS groups in operating a leak site where sensitive data can be posted to increase the pressure on the victim and force the prompt payment of a ransom. Only in the first six months of 2021, their average payment request was approximately $2.25 million.

What sets REvil apart is its set of special features designed to escalate privileges and extract more data. The malware often spams users with an administrator login prompt or reboots into Windows Safe Mode to encrypt files.

Traditionally, REvil’s affiliates used spam campaigns to deliver malicious documents and exploit kits targeting known vulnerabilities on unpatched machines. In recent months, some bad actors have started using spam campaigns to drop the Qakbot worm.

3. Conti

Conti first appeared in early 2020 and has since helped its affiliates to extort several million dollars from over 400 organizations. Their most common attack vectors include stolen or cracked remote desktop protocol (RDP) credentials, phishing emails with malicious links or attachments, and exploiting software vulnerabilities.

Its developers, who are assumed to have worked with Ryuk malware in years past, have produced a malicious program that’s as quick as it is comprehensive. The malware encrypts victim data with the AES-256 encryption key, and further uses a multithreaded approach to make the execution much faster than that of other malware families.

The speed of the Conti RaaS program has made it especially popular among cybercriminals. Once the initial infiltration has taken place, the encryption can spread from one device to another before cybersecurity experts have time to respond.

4. LockBit

LockBit 2.0, the latest version of the notorious RaaS provider, is known for successfully weaponizing double-extortion techniques. The malware can quickly encrypt devices across Windows domains by abusing Active Directory (AD) group policies, allowing attackers to demand high ransoms. The cybercriminals also keep a darkweb site where they list recent victims and how much time remains before their data will be released. If the countdown has expired, the stolen data is made available to download.

In one prominent case, the bad actors demanded $50 million from global consulting firm Accenture. Countries most targeted by LockBit attacks include Italy, Taiwan, Chile, and the United Kingdom.

5. Maze/Egregor

For years, the Maze group was at the forefront of new developments in the world of RaaS. They were the first threat actors to implement a special leak site and employ double-extortion tactics, a practice that has since become common for RaaS organizations. The group’s affiliates most commonly delivered the malware through phishing campaigns that had downloaders which installed Cobalt Strike Beacon.

After announcing its intention to shut down operations in September 2020, the Maze group rebranded as Egregor. With technology that mirrors Conti’s approach, Egregor has created a highly successful criminal operation. Like Conti, affiliates use email phishing campaigns with malicious documents to drop the Qakbot worm, and they often supplement this approach with external exploits against RDP.

How to Prevent RaaS Attacks

Preventing RaaS-related compromises requires a proactive approach to cybersecurity. First of all, organizations need to recognize that most incidents begin with a malicious email. Malware can only wreak havoc if it manages to infiltrate an organization’s network, and email represents a principal attack vector. Mitigating this risk requires both human and technology-based solutions. By training their employees to identify suspicious messages and shoring up their defenses with machine-learning security programs, organizations can better defend against RaaS-based attacks.

For employee awareness training to be effective, it must be continuous. Bad actors are constantly tweaking their methods, and companies need their employees to be up to date on the latest threats. Organizations can also consider which employees are most likely to be targeted by phishing attacks, and then sign them up for additional training.

To ensure they have the protection they need, companies should also supplement their employee training with machine-intelligent email security programs. Such programs can identify any deviations from typical patterns of communication within an organization, and thus identify and stop email threats before they reach employee inboxes. With continuous employee security awareness training and top-of-the-line email security systems in place, organizations can deter potential ransomware attacks.

To learn about how xorlab’s machine-intelligent software can protect your organization against ransomware attacks, request a demo today.