Ransomware as-a-Service (RaaS)

Ransomware is one of the biggest threats to enterprise cybersecurity, and it continues to grow. In Q3 2020 alone, ransomware attacks increased by 50% worldwide compared to the previous quarter. One of the biggest drivers behind ransomware’s continued success is the adoption of Ransomware as a Service (RaaS), a ransomware distribution model similar to cloud-based “as a Service” offerings where a provider maintains infrastructure or services and sells access to them to customers.


The Ransomware as-a-Service (RaaS) Economy

In the RaaS economy, the service being sold is the infrastructure required to run a ransomware attack. RaaS operators develop and maintain the ransomware itself, host the payment portal that victims are directed to, and may provide the “customer service” that victims need in order to pay (many ransoms are demanded in Bitcoin or other cryptocurrencies that the victim has never used before). Their affiliates are responsible for spreading the ransomware, and any ransoms paid are split between operator and affiliate (typically with the operator receiving 30-40%).

This arrangement provides benefits to both sides of the deal. The operator gains a scale that they are unlikely to be able to achieve in-house and can focus on maintaining the backend infrastructure. The affiliate, on the other hand, receives access to the ransomware and its back-end infrastructure and can focus their attention on infiltrating networks and infecting computers.

This ability to specialize is a major benefit for cybercriminals as few are accomplished at both malware development and network penetration. The RaaS model is one of the main reasons why ransomware attacks have been able to continue growing steadily in recent years.

Top Known Ransomware as-a-Service Variants

Many of the biggest names in ransomware are also the leading RaaS operators as well. Some of the most prolific and dangerous RaaS variants include:

  • Ryuk: Ryuk ransomware is one of the most prolific and expensive ransomware variants in existence. By some estimates, Ryuk was responsible for about a third of ransomware infections over the past year. The ransomware is also effective at convincing targets to pay its ransom demands and has made an estimated $150 million to date.
  • Lockbit: Lockbit has been around since September 2019, but it has only recently entered the RaaS space. It focuses on rapidly encrypting the systems of large organizations, minimizing the defenders’ opportunity to detect and eliminate the malware before the damage is done.
  • REvil/Sodinokibi: REvil competes with Ryuk for the largest ransom demands. The malware is spread in a variety of ways, and REvil affiliates have been known to exploit unpatched Citrix and Pulse Secure VPN appliances to gain initial access to victim networks.
  • Egregor/Maze: The Maze ransomware variant made history as the first to introduce “double extortion”, which involves stealing data as part of a ransomware attack and threatening to publish it if the ransom is not paid. While Maze has since ceased operations, related ransomware variants – like Egregor – are still operational and run under the RaaS affiliate model.

These are only a few of the ransomware variants utilizing the RaaS model. Many other ransomware groups work with affiliates as well. However, the scale and success of these ransomware groups means that they have the pull to attract specialists to spread their malware.

Protecting Against RaaS Attacks

The ransomware threat continues to grow, and RaaS means that cybercriminals can specialize as either malware authors or network penetration specialists. Organizations must deploy endpoint security solutions capable of detecting and remediating ransomware infections before critical files are encrypted.

Check Point SandBlast Agent provides comprehensive endpoint security protections. It incorporates a wide range of anti-ransomware functionality, including:

  • Complete Attack Vector Coverage: Ransomware can be delivered in a number of ways, including via phishing emails, drive-by downloads, compromised user accounts, and more. SandBlast Agent provides complete protection against all potential ransomware delivery vectors.
  • Behavioral Guard: Ransomware can be identified based upon some of its core behaviors, including file encryption and deletion of OS backups. SandBlast Agent monitors for these anomalous behaviors, enabling it to terminate an infection before the malware can encrypt valuable data.
  • Automated Remediation: SandBlast Agent offers runtime protection against ransomware and full remediation of the entire ransomware attack chain, eliminating all traces of the malware.
  • Secure Backup and Restore: Ransomware commonly deletes OS backups such as shadow copies of files. SandBlast Agent stores backups in memory accessible only to Check Point programs, enabling it to restore files even if OS backups are deleted.
  • Threat Hunting Support: Threat hunting allows security teams to proactively search for indications of malware infections on their systems. SandBlast Agent collects, organizes, and analyzes critical data, making threat hunting more efficient and effective.
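
As an added illustration of the behaviors the Behavioral Guard and Secure Backup points above refer to (this is example code written for this page, not Check Point's own detection logic): the script below flags process-creation events whose command line destroys recovery data (shadow copy deletion via vssadmin or wmic, disabling Windows recovery via bcdedit, wbadmin catalog deletion) and includes a Shannon-entropy check of the kind used to spot files that have just been encrypted. The event dictionary layout, the sample events, and the 7.5 bits-per-byte threshold are assumptions made for the example.

```python
"""Constructed example: detect backup-destruction commands typical of ransomware
in process-creation events, plus a simple entropy check for encrypted-looking
file contents. The event format and sample data below are made up for the demo."""
import math
import re
from collections import Counter

# Command-line patterns for the well-known recovery-destruction techniques.
# Matching is case-insensitive and tolerant of extra whitespace, so casing or
# padding used by an operator to dodge a naive string match does not help them.
BACKUP_DESTRUCTION_PATTERNS = [
    ("vssadmin_delete_shadows", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("vssadmin_resize_storage", re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("bcdedit_disable_recovery",
     re.compile(r"\bbcdedit(\.exe)?.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("wbadmin_delete_catalog", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I)),
    ("powershell_delete_shadowcopy", re.compile(r"win32_shadowcopy.*\bdelete\b", re.I)),
]


def classify_command(cmdline: str) -> list:
    """Return the names of every backup-destruction pattern the command line matches."""
    return [name for name, pat in BACKUP_DESTRUCTION_PATTERNS if pat.search(cmdline)]


def scan_events(events):
    """events: iterable of process-creation records as dicts with 'pid', 'image', 'cmdline'
    (an assumed layout for this example). Returns (pid, image, [matched pattern names])
    for every event that matches at least one pattern."""
    alerts = []
    for ev in events:
        hits = classify_command(ev["cmdline"])
        if hits:
            alerts.append((ev["pid"], ev["image"], hits))
    return alerts


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted or compressed data, far lower for text."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    """Heuristic used by behavioral engines: a freshly written file whose bytes are
    near-uniformly distributed is likely ciphertext. The threshold is an assumption."""
    return shannon_entropy(data) >= threshold


# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet & wmic shadowcopy delete"},
    {"pid": 4188, "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"pid": 5001, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe C:\\Users\\alice\\notes.txt"},
    {"pid": 5100, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},  # benign: listing shadow copies, not deleting them
]

if __name__ == "__main__":
    for pid, image, hits in scan_events(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} image={image} techniques={hits}")
    print("entropy of repeated text:", round(shannon_entropy(b"hello world " * 20), 2))
    print("entropy of uniform bytes:", round(shannon_entropy(bytes(range(256))), 2))
```

In a real deployment the command-line check would run on the endpoint's process-creation telemetry (Sysmon event ID 1 or Windows Security event 4688) and the entropy check on file-write events, with the two combined so that a process that both deletes shadow copies and writes high-entropy files is terminated rather than merely logged; on its own, each signal produces false positives (backup software legitimately resizes shadow storage, and compressed archives are high-entropy).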

Ransomware protection should be part of any organization’s security strategy, and SandBlast Agent provides peace of mind in the face of the ransomware threat. To learn more about SandBlast Agent and its capabilities, check out this solution brief. You’re also welcome to request a personalized demo to discuss how Check Point can help to improve your organization’s ransomware defenses.
