Ransomware As A Service: Understanding the Risks

As companies invest in cybersecurity to avoid fines and ransomware payouts, criminals are doing the opposite by turning ransomware into a full-blown business. With ransomware as a service (RaaS), cybercriminals are building revenue streams by selling ransomware kits online.
This model doesn’t require technical skills or deep knowledge of hacking. Instead, anyone with a little money and bad intentions can access ready-to-use ransomware, complete with instructions, dashboards, and even customer support.
Throughout this article, we will explore ransomware as a service in depth, including how it works, how it started, its impact, and how to protect against this growing threat to our devices and data.
Table of Contents
- Ransomware definition
- What is ransomware as a service?
- Notable ransomware as a service groups
- What to do if you have been attacked by ransomware
- How to protect against ransomware as a service with Internxt Drive
Ransomware definition
First, let’s start by defining ransomware to help us understand what ransomware as a service is.
Ransomware is a type of malicious software that locks or encrypts files, making them inaccessible to the user. To regain access to the files or device, the attacker demands that a ransom be paid within a certain deadline.
It mostly targets businesses, with the average cost of a ransomware attack, excluding the ransom itself, reaching $5.13 million.
Paying the ransom doesn’t necessarily mean your data will be restored, which is why many experts focus on preventing ransomware. We will cover prevention later in this article.
There are different types of ransomware. Some only lock your screen and display a ransom message, while others encrypt everything, including backups. Some advanced types can steal your data before locking it, threatening to leak your data, such as photos, passwords, and other files online if you don’t pay.
What is ransomware as a service?
Ransomware as a service (RaaS) is a business model used by cybercriminals to make ransomware available to attackers who don’t have the knowledge to develop ransomware software themselves.

RaaS works as a subscription or commission, and if the attack is successful, the developer will take a share of the ransom. RaaS is becoming popular because everything comes as a whole package with step-by-step guides, and the attacker and vendor can earn thousands if a breach is successful.
How does ransomware as a service work?
Ransomware as a Service (RaaS) turns ransomware into a business model in which developers create ransomware tools and lease them out to other criminals, known as affiliates.
Affiliates don’t know how to code, so they rely on RaaS to buy the tools required to carry out the attacks.
Ransomware as a service cannot be found through normal search engines. Instead, it relies on being found via cybercrime forums on the dark web or encrypted messaging channels.
These channels allow people who know where to look to buy ransomware. Once they have found the right channel, they can join the RaaS platform for a subscription or flat fee. From there, they can buy the software and spread it via phishing emails, fake websites, etc.
If the victim pays, the ransom is split between the developer and affiliate, and the cycle continues.
The more successful the ransomware is, the more money the parties involved can make. As a result, developers continue to update the ransomware to adapt to new security updates and protocols, and include advanced features like data leaks or automated payment systems.
When did ransomware as a service start?
The roots of RaaS can be traced back to the late 1980s, with the first known ransomware being the AIDS trojan in 1989. It was created by Dr. Joseph Popp, who sent floppy disks labeled as AIDS education software that instead encrypted file names and showed a message demanding $189 be sent to a P.O. box.
While this is a less technically advanced form, it shows the basic concept of ransomware: locking away access to files and demanding payment for their return.
RaaS then became more prominent in 2015, marking a turning point by lowering the barrier to entry for people who wanted to get involved in ransomware without writing code.
One of the first platforms was Tox in 2015, which allowed anyone to create and distribute ransomware via a simple interface, with the developers taking a percentage of any ransom payments earned.
Why RaaS is growing in popularity
Ransomware as a service models are growing in popularity, largely due to the prospect of earning a huge amount of money for both the developer and the buyer.
The vendors also make it extremely easy to access and spread the ransomware, as RaaS platforms often include user-friendly interfaces and dashboards, detailed instructions, and in some cases, customer support. This lowers the barrier to entry, allows less experienced criminals to get involved, and makes the services more appealing to people who want to take part in cyberattacks.
At the same time, developers earn money from each successful attack by taking a share of the ransom, so they keep improving the tools and making them more attractive to affiliates.
The rise in cryptocurrency is also a significant factor in the rise of RaaS, as it increases anonymity online, encouraging more people to buy the software with a reduced risk of being caught by law enforcement.
As long as victims keep paying ransoms and attackers keep making money, RaaS will continue to spread and grow, which is why it’s important to prepare and prevent these kinds of attacks.
How ransomware is distributed
So what happens when someone buys this software?
They need to find a successful way to distribute the software and get as much money as possible to make their purchase worthwhile.
The sellers also help the buyers distribute ransomware by providing phishing email templates. Phishing is the most common method of spreading malware or spyware.
Ransomware can also be spread through malicious links, downloads, or outdated software. As the dark web is a vast network of hackers and cybercriminals, an individual doesn’t have to do much to get support and start distributing the ransomware.
Impact of ransomware
Ransomware has consistently been in the top three cyberattacks affecting individuals and businesses.
If you are targeted in a ransomware attack, you could lose access to your files, backups, device, and financial and personal information. Plus, if you panic and feel there is no choice but to pay the ransom, you could lose all your money, too.
For businesses, the effects can be catastrophic.
Ransomware can shut down operations, halt production, and cut off access to important data. It often leads to lost revenue, expensive recovery efforts, and damage to the company’s reputation.
Under regulations such as GDPR, businesses can also face huge legal fines for not implementing the necessary security protocols that could have prevented the ransomware attack.
For institutions such as healthcare providers, which are regularly targeted in cyberattacks, ransomware can affect patient care, cause the loss of important medical records, and put lives at risk when systems go offline.
Legal consequences of RaaS
From a legal standpoint, anyone involved in ransomware as a service, such as writing, selling access to, or launching attacks, can face criminal charges relating to unauthorized access to systems, extortion, fraud, and money laundering.

Famous examples of legal cases involving ransomware include:
- Daniel Christian Hulea was sentenced to 20 years in prison after pleading guilty to conspiracy to commit computer fraud and wire fraud. He extorted roughly 1,595 BTC (USD 21.5 million) and was also ordered to pay nearly USD 15 million in restitution.
- Yaroslav Vasinskyi, a REvil affiliate, was sentenced to 13 years and seven months in U.S. federal prison for his involvement in over 2,500 ransomware attacks demanding more than USD 700 million.
- In Canada, a LockBit affiliate from Ontario received a four-year prison sentence and was ordered to pay around USD 860,000 in restitution.
Notable ransomware as a service groups
Although some RaaS sellers are hiding in the dark, there are still well-known ransomware groups that have become notorious for the scale of their attacks on major corporations.
REvil
REvil offered its ransomware as a service to affiliates, who distributed ransomware that showed the victim a message threatening to publish their private information on the group's page, Happy Blog, unless the ransom was received.
REvil was thought to be based in Russia, and in one high-profile case, REvil attacked a supplier of the tech giant Apple and stole confidential schematics of their upcoming products.
REvil has since been dismantled by the Russian Federal Security Service.
LockBit
LockBit was established in late 2019 under the name "ABCD" before rebranding as LockBit in early 2020 and establishing a control panel for affiliates to manage attacks.
LockBit rapidly became one of the most prolific ransomware operations globally, responsible for thousands of attacks across sectors such as healthcare, government, education, and logistics.
The group collected over $120 million in ransoms and accounted for a significant share of global ransomware incidents, including a targeted attack on the U.S. broker‑dealer subsidiary of the Industrial and Commercial Bank of China.
In February 2024, an international task force led by the UK National Crime Agency and the U.S. FBI launched Operation Cronos, dismantling LockBit’s infrastructure by seizing affiliate portals and cryptowallets and arresting criminals linked to the group across Europe, the UK, and the US.
BlackCat
Finally, we have BlackCat, known as one of the most advanced and aggressive RaaS operations. It combined Rust‑powered malware, which made it harder for security systems to detect, with triple extortion tactics:
- Encrypting the data on the device.
- Stealing sensitive data before encryption and threatening to leak it online.
- Launching or threatening to launch Distributed Denial of Service attacks (DDoS) to pressure companies to pay the ransom.
Reddit was targeted by BlackCat in 2023, when the group stole 80GB of data and demanded a ransom of $4.5 million to delete the data and prevent it from being published online.

In December 2023, an international law enforcement coalition executed a takedown of BlackCat’s infrastructure, although it’s believed remnants of the group still exist.
What to do if you have been attacked by ransomware
So, the worst has happened, and you’ve been targeted by a ransomware as a service attack. What next?
Here are the recommendations to follow if you or your business has been targeted by ransomware.
Don’t pay the ransom
Paying the ransom will likely mean you will be hit by another ransomware attack in the future, as the group will see you as an easy target. It also doesn’t mean you will get the encryption key once you pay the ransom; you may not get all your data back, or you will be extorted for even more money.
It could also have legal consequences, as paying the ransom funds illegal activity and is illegal in some regions due to links to terrorist organizations or hostile states, such as North Korea.
Report the attack to your local authority
Collect as many details as you can about the attack, such as screenshots, ransom notes, and suspicious email addresses, and report them to the necessary authority.
For the US, you can report these attacks to the FBI’s Internet Crime Complaint Center (IC3) or CISA (Cybersecurity and Infrastructure Security Agency).
In the EU, ransomware incidents should be reported to your country’s Computer Emergency Response Team (CERT), Data Protection Authority, or the European Union Agency for Cybersecurity (ENISA).
Identify and decrypt
There are some platforms online that can help you identify and decrypt your files in the case of a RaaS attack.
Tools like No More Ransom can help you decrypt your files with detailed instructions and software to help you regain access to your files.
Be sure to remove malware from your device first with a reputable Antivirus software like the one included in your Internxt Drive account; otherwise, the software will continue to lock your files.
Restore backed-up files
Once you’ve used your antivirus to clean up malware from your device, the next step is recovering your backed-up files. File backups are copies of your files saved to the cloud, meaning that if your files are lost to ransomware, you can still regain access from the backed-up version.
Internxt also offers file backups in its post-quantum encrypted cloud storage plans, so if you’re targeted in a ransomware attack, Internxt Antivirus and backups can drastically limit the effects.
Notify affected parties
For businesses, notifying affected parties after a ransomware attack is necessary for legal, ethical, and reputational reasons, especially if personal data was accessed or stolen.

The timeframe to notify users depends on the location, the industry, and the compliance laws that apply. In general, these are the timelines companies must follow after a ransomware attack or data breach:
- European Union (GDPR): Notify the data authority within 72 hours and individuals without undue delay if there is a high risk to their rights.
- United States: Timeframes vary by state. Most require notification within 30 to 60 days after discovering the breach.
- HIPAA (healthcare): Notify affected individuals within 60 days.
- California (CCPA): Notify individuals as quickly as possible and without unreasonable delay.
- Canada (PIPEDA): Notify individuals as soon as feasible if there is a real risk of significant harm.
- United Kingdom (UK GDPR): Same as EU. Notify the Information Commissioner's Office within 72 hours and individuals without undue delay if there is a high risk.
How to protect against ransomware as a service with Internxt Drive
Internxt subscription and lifetime plans offer the essentials you need to protect against ransomware, including post-quantum encrypted cloud storage, Antivirus to remove malware, and backups to recover files.
On top of this, Internxt also includes an encrypted VPN, a Device Cleaner, and Dark Web Monitor for Premium plans, and with Internxt’s Ultimate plan, you get access to all of these, including the upcoming Meet and Mail products.
Get started with Internxt from just €3/month, or choose from any of our affordable lifetime plans to protect against current and future ransomware as a service attacks.