{
	"id": "29b1352b-d017-45c6-ac24-f9fbcb8473c5",
	"created_at": "2026-04-06T00:09:47.983027Z",
	"updated_at": "2026-04-10T03:21:05.89986Z",
	"deleted_at": null,
	"sha1_hash": "83dd9fcf89ae09a02b43124bef2a2a230718f100",
	"title": "The rise of ransomware as a service",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48101,
	"plain_text": "The rise of ransomware as a service\r\nBy David Strom, 25 Mar 2021\r\nArchived: 2026-04-05 13:41:03 UTC\r\nThe RaaS model means that almost anyone can enter the market and leverage the coding prowess of others\r\nRansomware continues to be a blight across the security landscape. Due to the pandemic, it has gotten new life\r\nand a growing collection of capabilities that make malware operators more formidable.\r\nWhile the use of both cloud computing (also known as ransomware as a service, or RaaS for short) and extortion\r\ntechniques isn’t new, they're being deployed more often and in more clever and targeted ways than ever before.\r\nThis has brought a rise in overall ransom attacks and in demanded payouts.\r\nRaaS uses a combination of a software subscription service, similar to other cloud service providers, and an\r\naffiliate program to sign up malware distributors. The affiliates earn commissions, just as they would if they were\r\nselling books on Amazon or crafts on Etsy. Typically, the commissions range from 10% to 40% of any successful\r\nransom payouts received. The biggest difference from the legit world is that the commissions are typically paid in\r\ncryptocurrencies.\r\nThe RaaS model means that almost anyone can enter this market and leverage the coding prowess of others. The\r\naffiliates don’t have to worry about building and maintaining any malware infrastructure — each affiliate is given\r\na custom identifier code, similar to how legitimate affiliate programs work. This ensures that the affiliate is given credit and\r\ncollects the appropriate commissions for their attacks.\r\nIn a nutshell, the various RaaS groups can be categorized into three groups:\r\n1. Emerging crews that are just getting started and have just a few notable incidents. These include Exorcist,\r\nLolkek and Rush.\r\n2. Rising power centers which have had successful attacks and maintain blogs that advertise their services and\r\nshame their victims. This group includes Darkside, Thanos, and Clop.\r\n3. Top-tier organizations that have had numerous and well-publicized attacks and have been targeted by law\r\nenforcement, such as DoppelPaymer, Revil and Ryuk.\r\nA detailed look at Darkside\r\nThe Darkside group deserves special attention. It has three important characteristics:\r\n1. Very refined victim targeting, which seeks out the wealthiest data sources to extort\r\n2. A more “corporate-like” approach in their operations, including a well-developed affiliate operation\r\n(paying about 25% affiliate commissions)\r\n3. Customized ransomware delivery for each target and a fair amount of investigative work before selecting\r\ntargets.\r\nhttps://blog.avast.com/ransomware-as-a-service-avast\r\nPage 1 of 2\n\nDarkside states that they won’t target hospitals or schools, but that hasn’t always been the case. They also\r\navoid Russian-language targets and have been recruiting Russian-speaking programmers.\r\n[Image: darkside, via bankinfosecurity.com]\r\nDarkside announced their creation thanks to a \"press release\" published on Tor back in the summer of 2020. This\r\nploy is quite clever because releases tend to attract IT press coverage and can also be used to tout the provenance\r\nof any stolen data. (The Revil group also uses this tactic.) Of course, accepting what they promise is probably not\r\na good idea.\r\n[Image: darkside2, via bankinfosecurity.com]\r\nThe release is just one part of how “corporate” Darkside appears — they also provide text chat support to\r\ntheir affiliates and create customized data storage mechanisms to hide the stolen data of their targets. Darkside\r\nhas also developed both Windows- and Linux-based exploits. Their initial compromise of Windows PCs installs a\r\nPowerShell script that immediately deletes Volume Shadow Copies and prepares various database and email\r\nrepositories for encryption and copying offsite. The malware typically enters an organization through a\r\ncompromised third-party account and tries to access a Virtual Desktop session.\r\nDarkside also tried to donate funds to two charities last summer, but such donations are typically returned and\r\naren’t legal in most jurisdictions, since they rely on stolen funds. Speaking of stolen funds, one report has\r\nDarkside using Iranian hosting facilities for their criminal network, where command and control servers and\r\nstolen data are hosted. This helps keep their network out of the hands of authorities in the US and EU that are\r\nlikely to try to stop their activities.\r\nThe group had a spike in activity between October and December 2020, when the number of Darkside sample\r\nsubmissions more than quadrupled. Past ransom demands have ranged from $200,000 to $2 million,\r\ndepending on the size of the compromised organizations.\r\nHowever, they are once again picking up steam: In March 2021, the managed services vendor CompuCom fell\r\nvictim to a Darkside attack. The company eventually revealed in a FAQ posted to its customers that Darkside was\r\nthe suspected origin.\r\nIf you are compromised by Darkside, prepare yourself as you would against other forms of ransomware: Ensure\r\nyour backups are intact and accurate, intensify phishing awareness and education, and lock down your accounts\r\nwith MFA.\r\nSource: https://blog.avast.com/ransomware-as-a-service-avast",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.avast.com/ransomware-as-a-service-avast"
	],
	"report_names": [
		"ransomware-as-a-service-avast"
	],
	"threat_actors": [],
	"ts_created_at": 1775434187,
	"ts_updated_at": 1775791265,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/83dd9fcf89ae09a02b43124bef2a2a230718f100.pdf",
		"text": "https://archive.orkl.eu/83dd9fcf89ae09a02b43124bef2a2a230718f100.txt",
		"img": "https://archive.orkl.eu/83dd9fcf89ae09a02b43124bef2a2a230718f100.jpg"
	}
}