Ransomware-as-a-service (RaaS)

Recent years have seen increased ransomware attacks, infecting computers and forcing users to pay fines to get their data back. As new ransomware tactics such as double extortion prove successful, criminals demand bigger ransom payments. Ransom demands averaged $5.3 million in the first half of 2021, up by 518% over the same period in 2020. Since 2020, the average ransom price has climbed by 82 percent, reaching $570,000 in the first half of 2021 alone.

RaaS, or Ransomware-as-a-Service, makes this attack even more dangerous by allowing anyone to launch ransomware attacks on any computer or mobile device with a few clicks. As long as they have an internet connection, they can take control of another computer, even one used by your boss or employer! But what exactly does RaaS mean? 

What is Ransomware-as-a-Service (RaaS)?

Ransomware-as-a-service (RaaS) has become a popular business model in the cybercrime ecosystem. Ransomware-as-a-service allows cybercriminals to easily deploy ransomware attacks without any knowledge of coding or hacking needed.

A RaaS platform offers a range of features that make it easy for criminals to launch an attack with little to no expertise. The RaaS provider will provide the malware code, which the customer(attacker) can customize to fit his needs. After customization, the attacker can deploy it instantly via the platform’s command and control (C&C) server. Often, there is no need for a C&C server; a criminal can store the attack files on a cloud service such as Dropbox or Google Drive.

The RaaS provider also provides support services that include technical assistance with payment processing and decryption support after an attack.

Ransomware-as-a-Service explained in plain english

If you have heard about Sofware-as-a-Service and know how it works, understanding RaaS should be a no brainer since operates on a similar level. PowerDMARC is also an SaaS platform as we assume the role of problem-solvers for global businesses helping them authenticate their domains without putting in the manual effort or human labour. 


This is exactly what RaaS is. Technically gifted malicious threat actors over the internet form a conglomerate that operates in the form of an illegal business (usually selling their services over the dark web), selling malicious codes and attachments that can help anyone over the internet infect any system with ransomware. They sell these codes to attackers who do not want to do the more difficult and technical part of the work themselves and are instead looking for third parties who can assist them. Once the attacker makes the purchase he can go on to infect any system. 

How does Ransomware-as-a-Service Work?

This form of revenue model has recently been gaining much popularity among cybercriminals. Hackers deploy ransomware on a network or system, encrypt data, lock access to files, and demand a ransom payment for decryption keys. The payment is typically in bitcoin or other forms of cryptocurrency. Many ransomware families can encrypt data for free, making their development and deployment cost-effective. The attacker only charges if victims pay up; otherwise, they don’t make any money from it. 

The Four RaaS Revenue Models:

While it may be possible to build ransomware from scratch using a botnet and other freely available tools, cybercriminals have an easier option. Instead of risking getting caught by building their tool from scratch, criminals can subscribe to one of four basic RaaS revenue models: 

  • Affiliate programs
  • Monthly subscriptions
  • Bulk sales
  • Hybrid subscription-bulk sales

The most common is a modified affiliate program because affiliates have less overhead than professional cybercriminals who often sell malware services on underground forums. Affiliates can sign up to make money by promoting compromised websites with links in spam emails sent to millions of victims over time. After that, they only need to pay out when they receive ransom from their victims.

Why is RaaS Dangerous?

RaaS enables cybercriminals to leverage their limited technical capabilities to profit from attacks. If a cybercriminal has trouble finding a victim, he can sell the victim to a company (or several companies).

If a cybercriminal finds attacking online targets challenging, there are now organizations that will sell him vulnerable targets to exploit. Essentially, anyone and everyone can launch a ransomware attack from any device without using sophisticated methods by outsourcing their efforts through a third-party service provider, making the entire process effortless and accessible.

How to Prevent Ransomware-as-a-Service Exploits?

In a ransomware-as-a-service attack, hackers rent out their tools to other criminals, who pay for access to the code that helps them infect victims’ computers with ransomware. The sellers using these tools get paid when their customers generate revenue from the infected victims.

Following these steps can help you prevent ransomware-as-a-service attacks:

1. Know the Attack Methods

There are several different ways ransomware can infect your organization. Knowing how attacks are conducted is the best way to protect yourself from them. Knowing how you’ll be attacked can focus on what security systems and protections you need, rather than just installing antivirus software and crossing your fingers. 

Phishing emails are a common path for many cyberattacks. As a result, employees must be aware not to click on embedded links or open attachments from unknown senders. Regularly reviewing company policies around email attachments can help prevent infection by phishing scams and other malware delivery methods like macro viruses and trojans.

2. Use a Reliable System Security Suite

Make sure that your computer has updated security software installed at all times. If you don’t have antivirus software, consider installing one right away. Antivirus software can detect malicious files before they reach their target machines, preventing any damage from being done.

3. Back up Everything Regularly

Having all your information backed up will help prevent the loss of important information if your system becomes infected with malware or ransomware. However, if you get hit by virus or malware attacks, the chances are all of your files will not get regularly backed anyway — so make sure you have multiple backups in different locations just in case one fails!

4. Opt for Phishing Protection with Email Authentication

Phishing emails are extremely common and potent attack vectors in ransomware exploits. More often than not, hackers use emails to try and get victims to click on malicious links or attachments that can then infect their computers with ransomware. 

Ideally, you should always follow the most updated security practices in the market and only download software from trusted sources to avoid these phishing scams. But let’s face it, when you’re a part of an organization with several employees, it is foolish to expect this from each of your workers. It is also challenging and time-consuming to keep a tab on their activities at all times. This is why implementing a DMARC policy is a good way to protect your emails from phishing attacks.

Let’s check out where DMARC falls in the infection lifecycle of RaaS: 

  • Attacker purchases malicious attachment containing ransomware from a RaaS operator 
  • Attacker sends a phishing email impersonating XYZ incorporation  with the purchased attachment to an unsuspecting victim 
  • The impersonated domain (XYZ inc.) has DMARC enabled, which initiates an authentication process by verifying the indentity of the sender 
  • On verification failure, the victim’s server deems the email as malicious and rejects it as per the DMARC policy configured by the domain owner

Read more about DMARC as the first line of defense against ransomware here. 

  • DNS Filtering

Ransomware uses command and control (C2) servers to communicate with the platform of RaaS operators. A DNS query is often communicated from an infected system to the C2 server. Organizations can use a DNS filtering security solution to detect when ransomware attempts to communicate with the RaaS C2 and block the transmission. This can act as an infection-prevention mechanism. 


While Ransomware-as-a-Service (RaaS) is a brainchild and one of the most recent threats to prey on digital users, it is critical to adopt certain preventative measures to combat this threat. To protect yourself from this attack, you can use powerful antimalware tools and email security protocols like a combination of DMARC, SPF, and DKIM to adequately secure every outlet.