United States

Ransomware-as-a-service: A new business model for cybercriminals

The sale of ransomware secrets creates an explosion of cyberattacks


Ransomware has become the most significant cybersecurity threat today, affecting large multinational organizations and the smallest of entities. A ransomware attack represents a low-risk, high-reward opportunity for criminals, as little effort is required to access sensitive information and demand bounties that can cause extensive harm to businesses—especially small- to medium-sized companies.

The RSM US Middle Market Business Index 2021 Cybersecurity Special Report found that 42% of middle market executives know of a company targeted by a ransomware attack, and 11% of executives experienced more than one attack in 2020. In the current environment, inaction is not an option, and companies must take proactive steps to address expanding and evolving ransomware risks.

To add to the evolving threat landscape, cybercriminals have taken advantage of the exponential growth of ransomware-as-a-service (RaaS), a service model where sophisticated threat actors develop and sell ransomware platforms to other threat actors. Now, cybercriminals no longer need to be highly technical to launch a cyberattack on an organization, so potentially lucrative ransomware attacks are rapidly increasing.

How does the RaaS model work?

The RaaS model provides the purchaser with extensive training, reference materials and malicious code that can be used to launch a ransomware attack. Here are some key takeaways for understanding how RaaS works.

RaaS providers typically use several different purchase models

  • Subscription: The RaaS provider receives a predetermined cryptocurrency payment for a finite period of usage.
  • Affiliate: The RaaS provider receives a recurring fee plus a percentage of the ransom payment.
  • Purchase: The RaaS provider sells a kit to the purchaser.

The attacks leverage well-established hacking tools (i.e., Mimikatz), while employing current vulnerability and penetration testing tools (i.e., Cobalt Strike).

These attacks are designed to not only exploit well-known, existing vulnerabilities but also take advantage of new zero-day vulnerabilities

Threat actors have developed elaborate social engineering and intelligence-gathering methods to cause significant devastation for a victim when a ransomware attack is launched.

How to protect your organization from ransomware attacks

The reality is that ransomware will continue to be an ongoing threat to organizations, and there is no way to completely remove the risks. However, the following actions can help reduce the potential success of an attack.

Stay informed about new vulnerabilities

The National Institute of Standards and Technology (NIST) published information to help protect against threats and recover from a potential ransomware attack. In addition, the US-CERT—CISA regularly posts updates on new vulnerabilities and attacker tactics, techniques and procedure (TTP) trends.

Make sure you have backups

It is important to have backups not just for business continuity and disaster recovery, but also to be able to restore critical data if a ransomware attack occurs. The trusted, age-old 3-2-1 backup rule will help protect backups from attackers. Don’t forget that attackers also work nights, weekends and holidays, so you should have regular and frequent backups.

Implement advanced endpoint detection and antivirus protection

While attackers use established TTPs, they are also attacking new vulnerabilities and constantly updating their tool sets. Have a robust and properly configured defense system in place to identify and minimize potential attacks before they gain traction and affect your environment.

Have an incident response plan

Develop a strategy that outlines how your organization will respond if you suffer an attack. A ransomware situation is a chaotic event; the longer it takes you to respond to an attack, the more costly it will be.

Ransomware has always been a concern, but the rapidly changing threat landscape is increasingly affecting companies of all types and sizes. Every organization should create a security approach that includes strategies to both prevent and remediate ransomware attacks. A strong security plan can limit financial exposure and reduce downtime.

Related Insights

Ransomware: Protecting your business against evolving risks


Ransomware: Protecting your business against evolving risks

Ransomware attacks are increasing and threatening organizations of all sizes. The RSM cybersecurity report reveals new ransomware data.

RSM US Middle Market Business Index Cybersecurity Special Report 2021


RSM US Middle Market Business Index Cybersecurity Special Report 2021

Cybersecurity threats have continued to increase in the middle market, with record levels seen for several types of attacks.

Cyber insurance trends and best practices: An evolving landscape


Cyber insurance trends and best practices: An evolving landscape

Cyber insurance policies are more stringent as risks like ransomware attacks increase. Learn the changes in the cyber insurance marketplace.


Cybersecurity and Vulnerability
Resource Center

Cybersecurity and Vulnerability Resource Center

Modernize your business and proactively address threats >>

Subscribe to Risk Bulletin newsletter

Receive quarterly news and information for risk professionals by email.