{
	"id": "886c8c40-89cd-42fc-a012-342362e36038",
	"created_at": "2026-04-06T00:20:18.304654Z",
	"updated_at": "2026-04-10T03:35:52.918957Z",
	"deleted_at": null,
	"sha1_hash": "5d4379ce899df9a7bbb1d39de9791ebde45c7e34",
	"title": "Ransomware as a Service Innovation Trends to Watch",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 64672,
	"plain_text": "Ransomware as a Service Innovation Trends to Watch\r\nBy Bill Siegel\r\nPublished: 2022-01-27 · Archived: 2026-04-05 21:39:27 UTC\r\nAs we enter 2022, the evolution of Ransomware-as-a-service (RaaS) continues to be a driving force in the growth\r\nand permanence of financially motivated ransomware attacks. As we think about where the RaaS model may go in\r\n2022, it is important to take a look backwards at the history of RaaS through a traditional economic / innovation\r\nframework.  As we have often discussed, RaaS developers and affiliates have much more behavioral similarities to\r\nrational business operations than hardened criminals. Since RaaS operations traverse the same economic forces\r\nthat legitimate business or industry would face as it matures, we can apply the Rogers Innovations Adoption\r\nCurve to think about where RaaS came from, and where it may go next.\r\nInnovators to the RaaS model focused on lowering barriers to entry (attracting new affiliates to carry out lots of\r\nattacks), and creating efficiencies on monetization (i.e. getting paid more often and with less friction). The early\r\nRaaS developers would give their ‘kit’ away to new affiliates for free which greatly lowered the barriers to entry\r\nand made carrying out attacks more streamlined for affiliates. The other key innovation was TOR sites, like the\r\none used by Locky ransomware. In 2016, this was one of the first RaaS operations to employ an auto generated\r\nransom note that directed victims to a simple TOR webpage. The page had simple features, such as a test\r\ndecryption portal and a “pay $300 in BTC here” button that provided a bitcoin wallet address. The page was also\r\nconfigured to release the decryptor once the ransom was paid to the correct wallet address. This automation\r\nallowed the RaaS developers to greatly scale their operations. 
Once they established an affiliate base of\r\ndistributors, they could earn their proportion of ransom payments without needing to carry out attacks, or perform\r\nmanual tasks. \r\nThis early version of RaaS was not without its issues though. One major complication was the affiliates’ inability\r\nto assist with common decryption issues. Since affiliates only handled the attack and payment elements of the\r\noperation, they rarely had the technical know-how to assess why files weren’t decrypting, or to determine what\r\nbug may be in the original malware that could be causing flaws in the encrypted file format. This also created a\r\nbrand issue for the RaaS platform itself, as the ones with the poorest performances would eventually develop a\r\nbad reputation and lead a subset of victims to opt out of paying entirely.\r\nAnother issue was dishonesty among new recruits (i.e. the RaaS operator not having quality gates on who they\r\nallowed to use their ransomware kits). As the barrier to entry into the ransomware market evaporated thanks to the\r\nease and availability of RaaS, so entered a new cohort of participants who did not care about the RaaS operations\r\nbrand, let alone a victim’s unrecoverable files. As we will see, this issue would be addressed further along the\r\ncurve. \r\nRaaS Early Adopters (2018-2019)\r\nRaaS operators in the early adopter phase saw new applications and opportunities for innovation. The GandCrab\r\nRaaS platform was one of the key operations to explore how RaaS could begin to impact larger companies, and\r\nhttps://www.coveware.com/blog/2022/1/26/ransomware-as-a-service-innovation-curve\r\nPage 1 of 4\n\nleverage new attack vectors (like MSPs) in their operations. The personality of the GandCrab group was also very\r\nsimilar to the traditional definition of NON-criminal technology Innovators. 
The traditional definition of early\r\nadopters reads as being “eager to approach technological novelties but are more cautious of new trends due to\r\ntheir role as change leaders, which they do not want to lose. Early adopters are typically younger, have a higher\r\nsocial status, have more financial lucidity, advanced education, and are more socially forward than late\r\nadopters.” This definition fits the personality of the original GandCrab operators that were much more brash with\r\ntheir ego, vocalism, use of forums and social media. Other innovations that GandCrab introduced:\r\nInnovations in Extortion: Centralization of negotiations at the developer level via TOR. This allowed\r\nmany negotiations to be handled at the same time by the same operator. This also allowed the RaaS\r\ndevelopers to enact quality standards to the negotiations and track their own best practices.\r\nInnovations in Encryption: GandCrab developed an encryption scheme that allowed each unique box to\r\nhave its own encryption/decryption key. This enhanced their own security, but also allowed them to splice\r\nand split which machines a victim needed to decrypt. It also allowed for affiliates to innovate around more\r\ncatastrophic distribution methods, such as attacking an MSP in order to encrypt all of the MSP’s\r\ndownstream clients. This innovation also had its drawbacks, and producing all the unique keys was very\r\nlabor intensive for the RaaS developers. The GandCrab group would fix this issue when they moved to\r\nSodinokibi ransomware and rebranded as REvil.\r\nInnovations in ‘Customer Service’: Unlike the pioneers of the RaaS model, GandCrab took a certain\r\npride in making the decryption process as painless as possible for the victim. 
Not only did they remain on\r\nstandby to provide detailed troubleshooting assistance (including new builds of the tool, if needed), their\r\nmission statement explained that in the unfortunate event a victim accidentally reinfected themselves\r\nwithin 30 days of the original attack, the decryptor would be provided to them again, no additional charge.\r\nRaaS Early Majority (2019-2020)\r\nMaze was the first major RaaS operation to demonstrate the efficiency and practical benefits of adding data theft\r\nas a requisite step in the extortion life cycle. Their tactics dismayed traditionalists as the stolen data had no actual\r\nvalue (i.e. it could not be monetized by other cyber criminals easily, like credit card numbers or stolen identities).\r\nInstead, Maze found value in the increased payment conversion rates they experienced on marginal attacks (that\r\nwould have otherwise not paid any ransom but for the data theft aspect) when they mixed in the threat to damage\r\nthe victim's reputation by leaking information stolen during the attack. Unfortunately, this trend received a\r\ngroundswell of support from security media outlets that were eager to drive traffic by acting as distribution\r\npublicists for the RaaS operations. Bloggers and journalists began eagerly squatting on these leak sites, hoping to\r\nquickly amplify news of a new attack for their own benefit. This thrilled the community of RaaS operators, as now\r\nthey had a publicity platform on which to back their threats. These Early majority RaaS operators also\r\nexperimented with DDoS attacks against victims that were slow to negotiate. 
They would also enlist the help of\r\noutsourced call centers that would harass the employees or partners of victims that decided not to pay.\r\nLate Majority RaaS 2020 - Present\r\nFollowing the unprecedented actions of the Russian FSB to conscript into service or arrest a large number of REvil\r\noperators, the risk profile of being a RaaS operator has shifted. The main takeaway from these arrests may be to\r\ncut a lower profile (i.e. don’t draw the ire of the US government or other governments that may take disruptive\r\nor even kinetic actions against a group). The Conti group, while still quite brazen against US LEA, has tried to\r\nlearn the lessons from DarkSide (who was responsible for the Colonial Pipeline attack) and has conspicuously\r\navoided inflaming certain governments and industries (outside of their own) in their attacks. LockBit 2.0 has also\r\ntried to seize on some of the missteps of REvil. \r\nLate majority RaaS operations are relinquishing control of the attack life cycle by allowing affiliates to handle the\r\nentire attack. They are also relinquishing more control over the outcome and, by extension, whether the attack\r\nactually results in revenue. It is up to the affiliate to ensure the attack is successful, that backups are compromised\r\nand that the encryption spreads far enough to inflict meaningful damage. If they fail, the victim is better\r\npositioned to restore from secure backups. \r\nFurther RaaS Innovation Trends to Watch\r\nCeding control to affiliates: Coveware’s data shows that only 22.6% of victims in 2020 had viable backups,\r\nbut in 2021, this margin has jumped to 42% of victims. This data point is surely influenced by multiple variables,\r\nbut there has been a distinct drop in the number of cases where the threat actor was successful in rendering the\r\nbackups useless. 
In parallel, we note that the percentage of cases involving the threat to release data continues to\r\nclimb. We may deduce from these trends that threat actors are relying less on the operational disruption (harder\r\nfrom a technical perspective) of encrypted backups and more on the threat of sensitive data leakage to intimidate\r\nvictims into paying. \r\nRaaS operations like Conti and Lockbit 2.0 are ceding control over their ‘brand’ by allowing sloppy affiliates to\r\ncarry out attacks without the victim’s profile being vetted. While RaaS groups may SAY they don’t attack\r\nhospitals or charities, most of them still do. The cybersecurity community is acutely aware of which extortion\r\ngroups generally stick to their word, and which groups are routinely problematic and unreliable. In Coveware’s\r\nYTD examination of 2021 attacks, 78.3% of re-extortion events were attributed to RaaS actors, which is an\r\nincrease from 66.7% of re-extortion events in 2020. Re-extortion is a particularly nasty behavior wherein the bad\r\nactor signals to the victim that they agree to an offer, takes the money, and then informs the victim they need to\r\npay another sum or they will get nothing. This behavior is observed far less when dealing with non-RaaS\r\nransomware groups (such as closed RaaS or lone wolf groups). \r\nAnother equally damaging habit of RaaS affiliates is their propensity to prematurely leak victim information\r\nbefore negotiations have completed and sometimes before they’ve even had a chance to begin. Over 90% of\r\npremature data leaks observed in 2021 were attributed to RaaS actors. More concerning still is that of these\r\ndisclosures where the actor responsible was part of a RaaS organization, over 60% were from Closed RaaS\r\ngroups, which are historically more selective about who they allow in and - theoretically - should be more\r\nexperienced and professional. 
We infer from this trend that either the vetting process for Closed RaaS recruiting\r\nhas started to deteriorate and/or that contemporary ransomware actors do not place much value anymore on\r\npreserving their reputations as trustworthy hostage takers. Regardless, these increasingly volatile behavior patterns\r\nwill have a direct and lasting impact on future victims’ inclination to pay or not pay.\r\nThere have been other small innovations that RaaS operators are testing. Last month, security researchers reported\r\nthat the FIN7 hack group was dipping their toes into the ransomware business not by advertising to new affiliates,\r\nbut by trying to recruit legitimate IT practitioners under the guise of recruiting them to provide commonplace\r\npenetration testing services. As noted by Bleeping Computer, “By creating fake cybersecurity firms to conduct\r\nattacks, Gemini believes it is an attempt to hire cheap labor rather than partnering with affiliates who\r\ndemand a much larger 70-80% share of any paid ransoms.”\r\nInnovations in Affiliate Deception: Not all innovation is for the good of the community. In September 2021,\r\nYelisey Boguslavskiy of Advanced Intelligence reported that REvil leadership had planted a backdoor into victim\r\nTOR negotiation chats that would allow them to discreetly scam their own affiliates out of a payment without the\r\naffiliate realizing anything was amiss. REvil affiliates were entitled to 70% of each ransom but with this magic\r\ntrick, a REvil administrator could impersonate the victim and announce they were deciding not to pay, while\r\nsimultaneously setting up a secret mirrored chat with the real victim to finish the transaction. 
News of this\r\ncompelled the Lockbit 2.0 operations to advertise that THEIR affiliates could control 100% of the negotiation and\r\npayment, and only share proceeds on their own terms with the developers. \r\nBalancing brand and LEA attention: The original draw of ransomware to cyber criminals was its inherent\r\nnature of being a low risk/high return enterprise. The explosion of ransomware attacks over the past several years\r\nhas been fueled by innovation to the RaaS model. While the profitability has soared, the risk profile has\r\nsubstantially increased given the volume of LEA actions against RaaS groups and against infrastructure tools /\r\ntradecraft used by these groups. All high profile seizures and shutdowns of ransomware gangs in 2021 and 2022\r\nwere RaaS affiliate-based groups as opposed to non-affiliate based groups. \r\nSource: https://www.coveware.com/blog/2022/1/26/ransomware-as-a-service-innovation-curve",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.coveware.com/blog/2022/1/26/ransomware-as-a-service-innovation-curve"
	],
	"report_names": [
		"ransomware-as-a-service-innovation-curve"
	],
	"threat_actors": [
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434818,
	"ts_updated_at": 1775792152,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5d4379ce899df9a7bbb1d39de9791ebde45c7e34.pdf",
		"text": "https://archive.orkl.eu/5d4379ce899df9a7bbb1d39de9791ebde45c7e34.txt",
		"img": "https://archive.orkl.eu/5d4379ce899df9a7bbb1d39de9791ebde45c7e34.jpg"
	}
}