{
	"id": "e454a3b3-7556-4c6a-951d-01ecca0d0688",
	"created_at": "2026-04-06T00:21:30.097852Z",
	"updated_at": "2026-04-10T03:21:10.536464Z",
	"deleted_at": null,
	"sha1_hash": "c56400286a525ec1ea593b4161b639ca8598df3a",
	"title": "Ransomware as a Service: Enabler of Widespread Attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1174854,
	"plain_text": "Ransomware as a Service: Enabler of Widespread Attacks\r\nArchived: 2026-04-05 22:50:43 UTC\r\nBy Fyodor Yarochkin\r\nAdditional insights by Janus Agcaoili, Byron Gelera, and Nikko Tamaña\r\nRansomware as a service (RaaS) can be credited as one of the primary reasons that ransomware attacks are\r\nproliferating rapidly. Simply put, RaaS involves selling or renting ransomware to buyers who are called affiliates. \r\nIn the past, ransomware attacks were mainly launched by the ransomware operators themselves. When RaaS\r\nentered the picture, however, it made it easier for a variety of attackers, even those who have little technical\r\nknowledge, to wield ransomware against targets. \r\nEssentially, we observed an organized division of labor in groups using RaaS. As a result of this development, the\r\nparticipants of the cybercrime ecosystem gain higher proficiency and specialization with regard to specific tasks,\r\nwith some focusing on penetrating networks and others on running the ransomware or conducting ransom\r\nnegotiation with victims.\r\nSuch specialization, coupled with refined extortion techniquesnews- cybercrime-and-digital-threats and technical\r\nstrategiesnews- cybercrime-and-digital-threats, makes modern ransomware a notorious threat. With the threat’s\r\never-growing reach, it was predicted that ransomware attacks could cost billionsopen on a new tab in the next\r\ndecade.\r\nHow RaaS operates: the underground as a breeding ground\r\nWhile RaaSnews- cybercrime-and-digital-threats is based on the software-as-a-service (SaaS)open on a new tab\r\nmodel where software can be accessed online on a subscription basis, it also continues to evolve in its own ways,\r\nand this fully functional and independent ecosystemopen on a new tab thrives in the underground with its key\r\nplayers.\r\nAmong these key players are the operators, or those who develop and peddle ransomware. 
They are usually organized in a group and have designated roles such as leader, developers, and infrastructure and system administrators. More advanced groups might also have other roles, such as recruiters, penetration testers (aka pentesters), victim analysts, and negotiators.\r\nSome roles and tools might also be outsourced or acquired through affiliate programs. For instance, some operators avail of access-as-a-service (AaaS), which can provide various means of access to targeted organizations. Meanwhile, other groups could have strong penetration testing teams but might lack the necessary ransomware software. Such penetration testing teams often participate as affiliates for RaaS and use affiliate program ransomware tools and infrastructure when a target is compromised. Affiliates might belong to organized gangs themselves or might operate independently.\r\nhttps://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks\r\nPage 1 of 12\r\nFigure 1. Comparison of direct ransomware operations (left) and RaaS operators (right)\r\nWith regard to the RaaS operation model, the RaaS-operating criminal group first needs to develop or acquire the ransomware software and infrastructure. They then proceed to recruit affiliates through online forums, Telegram channels, or personal connections, with some operators investing as much as US$1 million in recruitment efforts. Once enlisted, affiliates can then launch their own attacks.\r\nRaaS provides a win-win situation and a high payout for both operators and affiliates while allowing higher specialization in dedicated tasks. Affiliates can earn payouts without having to develop the ransomware themselves, while operators can directly make a profit from their affiliates. 
The payouts are normally organized using a revenue model for RaaS subscriptions. The possible revenue models besides subscription are one-time payments, profit sharing, and affiliate marketing. With such business models, the ransomware operators can fully focus on developing and improving their ransomware software and operations without needing to spend resources on other tasks, such as compromising targets or distributing the ransomware themselves. Instead, these tasks are delegated to the RaaS affiliates.\r\nThe cost of operations and its impact on ransom demands\r\nIt goes without saying that there are operational expenses for any ransomware group. As a ransomware group needs to spend money on tools, skilled personnel, and monthly operational costs, ransomware attacks can indeed be expensive. A group leader thus needs to figure out how to cover the recurring cost of operation. In particular, the rental of network infrastructure has its own cost, and many of the group members receive monthly salaries that need to be paid even if the ransomware attack victims do not pay the ransom. A successful payout from an attack is therefore necessary to cover the recurring operational cost of keeping a ransomware group running.\r\nThe one-time purchases of tools naturally come with their own price tags. Ransomware groups and network penetration teams often do not develop the exploitation tools themselves but prefer to purchase tools for initial access into organizations from third-party software vendors and underground market software developers, who offer varying prices for either off-the-shelf or customized tools.\r\nFor groups following RaaS models and services with double extortion techniques, percentage payouts for kit sellers and RaaS partnership programs have risen, with some allocating for a full set of operations personnel such as pentesters, victim analysts, and negotiators, as advertised in ads in underground forums.\r\nFigure 2. Job posts in underground forums for pentesters and programmers capable of accessing enterprise networks and performing privilege escalation\r\nRegardless of successful payouts, most of these personnel require payment for services, whether such remuneration involves a monthly salary or per-project payments. Estimating average monthly costs (such as salaries, servers, virtual private server rentals, service providers, tools, accesses, and infrastructure, among others), these groups might spend at least US$100,000 upward to keep operations running. If these groups target 10 companies at a time but only one victim can pay, that single organization carries the brunt of all the expenses that the groups make in addition to the profit they hope to have.\r\nHowever, many organizations still refuse to pay ransom demands, either because of their internal policies, government regulations, or the assistance of authorities. Ransomware groups do not look kindly on these refusals to pay, and they find ways to retaliate against these companies. For example, Mespinoza operators threaten companies who refuse to pay, not just with the exposure of sensitive data but also with the threat of reporting the victim’s illegal activities, such as tax fraud or evasion.\r\nAvoiding certain targets\r\nIn the underground, ransomware operators also gradually developed a strategy for determining which targets to avoid. For instance, while the US remains one of the top targets for all kinds of malicious activities, some ransomware operators discuss avoiding the country. In the wake of high-profile ransomware attacks, authorities have been paying heightened attention to the threat. As a result, no-pay policies, government assistance to victims for ransom negotiation, and techniques to recover paid ransom could cause ransomware groups to have a harder time getting paid.\r\nAnd while some groups have turned their attention to Asia, ransomware groups generally avoid, for example, going after Taiwanese companies because of the strict anti-money laundering policies that make it difficult to legally purchase cryptocurrency and keep organizations from paying the demanded ransom.\r\nOther factors that can keep threat actors from attacking a certain region are the operators’ patriotism, countries’ poverty levels, or the geopolitical situations that targets are in. For such locations that are struggling economically and politically, or for countries that operators feel a sense of loyalty to, threat groups opt to use other monetization activities, such as the sale or rental of compromised assets or the use of keyloggers for harvesting various credentials, which later on can be sold individually or through a “cloud of logs.”\r\nRecent updates on RaaS operations\r\nThis year, there were also momentary but noticeable changes in the underground. After DarkSide’s attack on Colonial Pipeline, all topics related to ransomware were banned on many underground forums. Operators shifted to discreet advertising in underground forums for system administrators, pentesters, and other seemingly legitimate jobs without disclosing the purpose behind these ads. When it is discovered that the individuals behind these posts are actually hiring for the purpose of operating ransomware, their accounts are banned.\r\nRansomware operators have also become more selective of their targets. We observed discussions in public and private groups about being more careful when choosing potential victims and specifically avoiding political and critical infrastructure as well as the healthcare sector as targets.\r\nProfit division has also changed. Profits were usually divided 70% and 30% in favor of the affiliate when ransom demands were between five and six figures. Now, groups collecting up to seven figures allot a 20% “finder’s fee” for access, while lateral movement and penetration testing are done within the salaried group. This was the observed behavior for groups like Nefilim. Based on growing popularity in forum discussions, hiring more pentesters to become part of the salaried group and the continued professionalization of AaaS are likely to keep more of the profit intact and inside the main group.\r\nThe latest attacks also provide insight into where this is all heading. Based on REvil (aka Sodinokibi) and DarkSide’s previous attacks on Linux-based VMware ESXi servers and network-attached storage (NAS), there is a likelihood that other RaaS groups will be expanding their targets and attacks to non-Windows servers, targeting other operating systems such as Linux CentOS, Linux RedHat, and other UNIX flavors, all of which are Portable Operating System Interface (POSIX) compliant.\r\nRansomware families used by RaaS operators and affiliates\r\nMost modern ransomware families have adopted the RaaS model. In our midyear cybersecurity report, we found the top 10 most detected ransomware families. Interestingly, eight of these families have been used by RaaS operators and affiliates at some point. Some families, such as Locky, Cerber, and GandCrab, have been used in previous instances of RaaS operations, although these variants have not been actively employed for attacks recently. Nevertheless, they are still being detected in affected systems:\r\nFigure 3. First half of 2021 data for most detected ransomware families that have been RaaS-operated at some point\r\nBased on this list, here are some of the ransomware families used by RaaS operators and affiliates to launch critical attacks this year:\r\nREvil\r\nBefore suddenly disappearing, REvil consistently made headlines this year due to its high-profile attacks, including those launched on meat supplier JBS and IT company Kaseya. It’s also the fourth overall most detected ransomware in our 2021 midyear data, with 2,119 detections. After disappearing for about two months, this group recently brought their infrastructure back and demonstrated signs of renewed activities.\r\nThis year, REvil demanded huge ransoms: US$70 million for the Kaseya attack (said to be record-breaking) and US$22.5 million (with US$11 million paid) for the JBS attack.\r\nFigure 4. REvil affiliate recruitment in underground forums\r\nTechniques\r\nWhile most techniques used by ransomware gangs remain the same as in our most recent update, they also employed some new techniques, such as the following:\r\nDownload and execution\r\nAn attachment (such as a PDF file) of a malicious spam email drops Qakbot into the system. The malware will then download additional components and the payload.\r\nCVE-2021-30116, a zero-day vulnerability affecting Kaseya VSA servers, was used in the Kaseya supply-chain attack.\r\nDiscovery\r\nAdditional legitimate tools, namely AdFind, SharpSploit, BloodHound, and NBTScan, are also observed to be employed for network discovery.\r\nDarkSide\r\nDarkSide has also been prominent in the news lately due to its attack on Colonial Pipeline. The targeted company was coerced to pay US$5 million in ransom. DarkSide ranked seventh with 830 detections in our midyear data on most detected ransomware families.\r\nOperators have since claimed that they will shut down operations due to pressure from authorities. However, as with the case of some ransomware families, they might just lie low for a while before resurfacing, or come out with the threat’s successor.\r\nTechniques\r\nAs discussed in our earlier report, some of the notable techniques utilized by DarkSide are the following:\r\nReconnaissance\r\nFor this phase, DarkSide abuses various tools, namely PowerShell, Metasploit Framework, Mimikatz, and BloodHound.\r\nLateral movement\r\nFor lateral movement, DarkSide aims to gain Domain Controller (DC) or Active Directory access. This is used to harvest credentials, escalate privileges, and gather valuable assets that will be exfiltrated.\r\nThe DC network is then used to deploy the ransomware to connected machines.\r\nNefilim\r\nNefilim is the ninth most detected ransomware for midyear 2021, with 692 detections. Attackers that wield the ransomware variant set their sights on companies with billion-dollar revenues.\r\nLike most modern ransomware families, Nefilim also employs double extortion techniques. Nefilim affiliates are said to be especially vicious when affected companies don’t succumb to ransom demands, and they keep leaked data published for a long time.\r\nTechniques\r\nNefilim makes use of a variety of techniques such as the following:\r\nInitial access\r\nNefilim can gain initial access through exposed RDP services.\r\nIt can also use the Citrix Application Delivery Controller vulnerability (CVE-2019-19781) to gain entry into a system.\r\nLateral movement and defense evasion\r\nNefilim is capable of lateral movement via tools such as PsExec or Windows Management Instrumentation (WMI).\r\nIt performs defense evasion through the use of third-party tools like PC Hunter, Process Hacker, and Revo Uninstaller.\r\nLockBit\r\nLockBit resurfaced in the middle of the year with LockBit 2.0, targeting more companies as they employ double extortion techniques. Based on our findings, Chile, Italy, Taiwan, and the UK are among the most affected countries. In a recent prominent attack, the ransom demand went up as high as US$50 million.\r\nLockBit 2.0 claims to have one of the fastest encryption techniques among ransomware. It also shows similarities with the prominent ransomware families Ryuk and Egregor.\r\nFigure 4. LockBit affiliate recruitment in underground forums\r\nTechniques\r\nSome of the updated ransomware’s techniques are the following:\r\nExfiltration\r\nOperators provide StealBit (detected by Trend Micro as TrojanSpy.Win32.STEALBIT.YXBHM), a tool that can automatically exfiltrate data, to their affiliates to help the latter harvest assets.\r\nDefense evasion\r\nTo terminate processes and services, the following batch files are used:\r\ndelsvc.bat (detected by Trend Micro as Trojan.BAT.KILLPROC.D) makes crucial processes (such as MySQL and QuickBooks) and services (such as Microsoft Exchange) unavailable.\r\nAV.bat (detected by Trend Micro as Trojan.BAT.KILLAV.WLDX) uninstalls the antivirus program ESET.\r\nLogDelete.bat (detected by Trend Micro as PUA.BAT.DHARMA.A) clears Windows event logs.\r\nDefoff.bat (detected by Trend Micro as Trojan.BAT.KILLAV.WLDX) disables Windows Defender features such as real-time monitoring.\r\nImpact\r\nDevices are automatically encrypted across Windows through the abuse of Active Directory group policies.\r\nConti\r\nConti is probably one of the largest ransomware groups operating today. It is often said to be the successor of the Ryuk ransomware, as the former shares some similarities with the latter. For example, with regard to tactics, both Conti and Ryuk are distributed via Emotet, Trickbot, and BazarLoader. In our midyear roundup report data, Conti was the tenth most detected ransomware, as it amassed 610 detections.\r\nRecently, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) released an alert notice with regard to a surge in Conti ransomware attacks. Conti penetration-testing documents, which provide detailed information on the operators’ preferred techniques, were also leaked.\r\nTechniques\r\nSome notable techniques of the Conti ransomware are as follows:\r\nInitial access\r\nConti can use malspam to gain entry into the system.\r\nIt can also exploit known vulnerabilities for initial access.\r\nDiscovery, lateral movement, and persistence\r\nConti can use open-source and off-the-shelf commercial tools, such as PowerSploit, Metasploit, ADFind, and Cobalt Strike, for discovery and lateral movement.\r\nOther commercial tools, such as AnyDesk, can also be used by Conti to maintain persistence on compromised targets.\r\nExfiltration\r\nMega cloud storage can be used for the information exfiltration phase.\r\nDefense evasion\r\nDefense evasion can be performed through the use of third-party tools like PC Hunter, Process Hacker, and Revo Uninstaller.\r\nConti also disables some security tools found in compromised systems.\r\nHow to defend systems against ransomware\r\nFor enterprises to protect themselves from ransomware attacks, it would help to establish ransomware defense plans. These can be based on security frameworks, such as those from the Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST). These guidelines can help with prioritization and resource management for prevention, defense, and recovery from ransomware.\r\nBeyond the technical means, it is important to understand that attackers will use any identified weakness within a target organization (such as customer data, mishandled personally identifiable information [PII], or accounting mistakes) as pressure points to raise the ransom negotiation value and make the victim pay. Enterprises should therefore take these issues into account when evaluating their organizational readiness to protect themselves from ransomware attacks.\r\nSome of the best practices from these frameworks are as follows:\r\nAudit events and take inventory.\r\nTake note of the following:\r\nAvailable assets and data\r\nAuthorized and unauthorized devices and software\r\nSecurity events and incidents\r\nConfigure and monitor.\r\nManage and keep track of the following:\r\nHardware and software configurations\r\nAdmin privileges and access\r\nActivity in network ports, protocols, and services\r\nNetwork infrastructure devices, such as firewalls and routers, and their security configurations\r\nPatch and update.\r\nRegularly perform the following for software and applications:\r\nVulnerability assessments\r\nPatching or virtual patching\r\nVersion updates\r\nProtect systems and recover data.\r\nImplement the following:\r\nData protection, backup, and recovery measures\r\nMultifactor authentication (MFA)\r\nSecure and defend layers.\r\nEmploy the following:\r\nThe defense in depth (DiD) principle. This is done by creating multiple layers of defense against potential threats. One example of this is blocking unused services not just on a firewall but also on the actual servers.\r\nNetwork segmentation and the least-privilege principle. It is paramount to follow these when granting permissions to system users, services, and roles.\r\nEmail static and dynamic analysis. Both of these work to examine and block malicious emails.\r\nThe latest version of security solutions on all layers of the system. These layers include email, endpoint, web, and network.\r\nMonitoring for early signs of an attack. Identifying the questionable presence of various tools in the system can save organizations much time and effort in staving off possible attacks.\r\nAdvanced detection technologies. In particular, technologies powered with AI and machine learning offer fortified protection.\r\nTrain and test.\r\nConduct the following regularly:\r\nSecurity skills assessment and training\r\nRed team exercises and penetration tests\r\nTrend Micro Vision One™ helps detect and block suspicious activity, even activity that might seem insignificant when monitored from only a single layer, through multilayered protection and behavior detection. It helps spot and block ransomware wherever it might be on the system.\r\nTrend Micro Cloud One™ – Workload Security ensures real-time protection from both known and emerging threats that exploit vulnerabilities. This is made possible through virtual patching, machine learning techniques, and global threat intelligence.\r\nTrend Micro™ Deep Discovery™ Email Inspector performs custom sandboxing and advanced analysis techniques. These effectively deter potential ransomware attacks that are coursed through malicious emails.\r\nTrend Micro Apex One™, with the help of modern techniques, provides automated endpoint protection, threat detection, and quick response against a variety of security issues, including ransomware and fileless threats.\r\nUpdated on October 11, 2021 with additional details on most detected ransomware families that used RaaS previously or at present.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks"
	],
	"report_names": [
		"ransomware-as-a-service-enabler-of-widespread-attacks"
	],
	"threat_actors": [],
	"ts_created_at": 1775434890,
	"ts_updated_at": 1775791270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c56400286a525ec1ea593b4161b639ca8598df3a.pdf",
		"text": "https://archive.orkl.eu/c56400286a525ec1ea593b4161b639ca8598df3a.txt",
		"img": "https://archive.orkl.eu/c56400286a525ec1ea593b4161b639ca8598df3a.jpg"
	}
}