The Ransomware-as-a-Service (RaaS) Economy
The rise of Ransomware as a Service (RaaS) gangs mimics the more conventional Software as a Service business model in every meaningful measure. The ransomware economy involves multiple players who specialize in various aspects of the larger ransomware attack. These elements include:
Initial Access Brokers
Initial Access Brokers (IABs) are highly skilled specialists who are exceptionally good at penetrating and establishing a foothold within secure networks. IABs often sell access to these compromised networks to other threat actors, including ransomware affiliates. The deeper an IAB can penetrate a network, the more valuable their services become. Purchasing credentials and access is surprisingly easy and relatively inexpensive.
RaaS Platform Providers
Ransomware-as-a-Service (RaaS) operators provide the software platform and backend to launch attacks. They have development teams constantly improving their feature sets, they assist in negotiations during a successful attack, they manage customer service agents, market to new affiliates, and more all for a slice of the profits.
RaaS Affiliates
The actual ransomware attack is managed and executed by an affiliate; a person or group who plans and carries out the attack campaign. They obtain access via an IAB (or create their own), use a platform or toolkit from a RaaS operator, execute the attack, and then move the ransom dollars around to stay below the radar.
Command and Control Providers (C2Ps)*
C2Ps are legitimate ISPs who lease the attack infrastructure to threat actors while turning a blind eye to abuse by hiding behind privacy policies. *These "C2Ps" are a net new facet within the RaaS Economy and were discovered and reported on in the, Cloudzy with a Chance of Ransomware, by Halcyon Research.
The overall maturity, level of organization, and specialization within the ransomware economy means we are dealing with an adversary whose tactics, techniques, and procedures (TTPs) are approaching the sophistication of some nation-state-sponsored attackers. In many cases, there has been documented overlap between nation-state attack elements and those of cybercriminal ransomware gangs. Today's ransomware attacks are more complex and difficult to defend against than ever before.