Stats & Trends
The Barkly Team
Mar 2017

Ransomware-as-a-Service is Booming: Here's What You Need to Know

Photo by Miroslav Petrasko

Taking a page from the software-as-a-service playbook, ransomware-as-a-service (RaaS) is giving even novice cyber-criminals the ability to launch sophisticated — and profitable — attacks.

Ransomware is certainly nothing new in the cybersecurity business, with the first instances cropping up in Russia more than a decade ago. But, the rise of the RaaS distribution model is giving would-be criminals an extremely easy way to launch a cyber-extortion business with virtually no technical expertise required, flooding the market with new ransomware strains in the process.

In fact, the growth in RaaS platforms on the Dark Web is likely one of the primary drivers behind the huge spike in ransomware attacks over the last year. Network security provider SonicWall reports a staggering total of 638 million attacks over the course of 2016, more than 167x the number of attacks they registered in 2015.

Other reports indicate nearly half of businesses fell victim to some cyber-ransom campaign last year. At the same time, the number of new ransomware families surged 752 percent, costing businesses $1 billion worldwide.

What makes RaaS such a threat? It’s the simple, franchise-like deployment model. Instead of writing their own malicious code, aspiring cyber-criminals can now log in to their RaaS portal of choice, configure their deployment, and instantly distribute the malware to unwitting victims. Some RaaS providers even advertise their products in hacking forums, offering customizations and other enticements to drive subscriptions.

To help you get a better handle on the RaaS threat, let’s dive into some specific FAQs.

Ransomware-as-a-service FAQ

How does ransomware-as-a-service work?

RaaS authors host their ransomware code on a portal, where RaaS “affiliates” can easily deploy it from a dashboard. Affiliates can even configure time intervals at which the ransom increases, and some even get to see an estimate of their potential earnings before they sign up.

Many ransomware code packages are free to deploy with a profit-sharing model in which the author shares in the affiliates earnings, much like a legitimate software affiliate program. When victims pay (via Bitcoin) to unlock their data, payments are often delivered to the author’s account, who then distributes a shares to the affiliates. Affiliate shares can range from 60 to 80 percent, making it a very lucrative business for both authors and affiliates.

What are some examples of ransomware-as-a-service operations?


The dashboard for Satan ransomware-as-a-service. / Bleeping Computer

Cerber has become one of the most widely distributed RaaS packages, accounting for one-fourth of ransomware activity in December 2016-January 2017, and infecting more than 150,000 Windows systems in July 2016 alone. Its prolific spread (typically via phishing emails and exploit kits) has put it on track to generate $2.3 million in annual income for cybercriminals, with affiliates earning 40 - 60 percent of each ransom paid. Once deployed on the victim’s machine, Cerber uses RC4 and RSA algorithms to encrypt files, including database files. It even works offline, which means disconnecting an infected machine won’t help.

Satan is a basic encryption variant that’s free and easy to deploy, advertising that affiliates can create their own “ransomware in less than a minute,” and earn a 70 percent cut of ransoms paid. Satan is probably one of the most “user-friendly” RaaS out there, featuring an intuitive GUI that allows criminals to customize settings, provides tools for creating the distributable code and translates the ransom note into various languages. It even provides a metrics dashboard, where affiliates can track their “success.”

Hostman is a relatively new RaaS encryption-style offering that also includes worm capabilities. Unlike free products, this one costs affiliates $49.95 for unlimited use — a small price to pay considering the average ransom payment is $500 - $700. Like other RaaS platforms, Hostman also appears to offer auto-decryption, automatically decrypting files for victims once they pay, leaving the affiliate free to pursue other victims, rather than be bothered with sending decryption packages.

FLUX is similar to Hostman, but with an offline encryption capability that makes it a bit harder to detect. Because it doesn’t generate network noise, it’s less suspicious, but this also makes it possible for victims to share the decrypting tool or private key to unlock their data. FLUX also costs criminals relatively little, charging $45 for one build and $150 for the source code.

Atom (the ransomware previously known as Shark) offers affiliates a comparatively high 80 percent share on ransom payments with “fully customizable” file formats, using the Atom GUI. Atom creates a unique tracking ID for every build code, allowing cybercriminals to track and monitor their progress, and it claims to update the source code daily to avoid AV detection.

What does the rise of RaaS mean for companies?


In 2016 there was a 752% spike in new ransomware families. / Trend Micro

The problem with RaaS’s ease of access and deployment for enterprises is that it has the potential to flood the market with ransomware, dramatically increasing the threat potential.

The success of these platforms and the increasing demand is spurring ransomware authors to rush new distinct ransomware offerings to market. This increase in RaaS offerings combined with the wide customization options these platforms are providing means organizations are facing a ransomware onslaught — not just in terms of sheer volume, but in variety. It’s virtually impossible for conventional definition-based security suites to keep up and protect against every permutation.

How can companies protect themselves from ransomware?


Unfortunately, conventional anti-virus solutions can only protect against the threats they know. Each new ransomware variant criminals produce becomes a new unknown they have to identify and analyze before they can adapt their protection to successfully block it. The bad news is the only way that happens is if someone gets infected first.

With new ransomware variants being churned out at such an alarming rate, that’s a brutal cycle to be stuck in, as it truly does force organizations to consider ransomware infections a matter of when, not if.

Protecting your company against RaaS starts by educating your employees. Most ransomware is delivered via phishing emails, so training employees to be leery of suspicious messages and unknown attachments can be a crucial first line of defense.

Because you have to factor in human error and other ransomware delivery channels, you still need protection specifically designed to block ransomware. Barkly proactively monitors system activity in real time for suspicious activity and stops ransomware before any damage is done. Because Barkly blocks behaviors instead of file signatures, it’s able to stop even newly-created ransomware that’s never been seen before.

Learn more about how Barkly protects companies against RaaS here.

The Barkly Team

The Barkly Team

Providing the latest security alerts and updates with context that makes them useful.


Close the gaps in your security

Stop paying for AV, get the strongest protection instead. See how Barkly blocks attacks that are getting past AV.

See a demo


Stay informed!

Get the latest security news, tips, and trends straight to your inbox.

Stay informed!

Get the latest security news, tips, and trends straight to your inbox.