Ransomware isn’t a new threat. It first rose to prominence back in 2016, when Hollywood Presbyterian Medical Center shelled out $17,000 in bitcoin after an attack took the hospital offline. Since then, ransomware has only become more popular, especially for hackers targeting the healthcare industry or government organizations. Used to be, launching a ransomware attack required at least some technical prowess; at a minimum, hackers had to possess sufficient coding skills to write a ransomware program. Then, ransomware-as-a-service (RaaS) came on the scene and changed the game.

What is ransomware?

Before delving into RaaS, let’s quickly review ransomware. Ransomware is malware that encrypts all or part of a system, rendering it inoperable until a ransom fee, usually demanded in bitcoin, is paid to the hacker, who will then supposedly provide a key to unlock the encryption. As opposed to data breaches, which seek to steal credit card information, Social Security Numbers, and other sensitive data, ransomware doesn’t access files or data. It just locks everything down.

Paying the ransom is a dicey bet. Even after getting the money, hackers may not send a key, or they may send one that doesn’t work, or that doesn’t fully work.

What is ransomware-as-a-service (RaaS)?

At its simplest, RaaS is a criminal offshoot of software-as-a-service (SaaS), the myriad of cloud-hosted software solutions sold by legitimate vendors to both people and businesses. Just like SaaS applications, RaaS is sold on a cloud-based subscription model to anyone who can ante up the subscription fee. In some cases, there is no subscription fee; many RaaS developers use “affiliate” models where the developer collects all of the ransom money extorted by affiliates, takes out some percentage as commission, and passes on the remainder.

While RaaS applications vary in complexity, in general, they are designed to be very easy to use. They’re deployed using online portals with simple user interfaces, and no coding is required. Many enterprising RaaS “vendors” even offer online customer service, just like an SaaS developer would, to help subscribers get their ransomware campaigns up and running.

The dangers of ransomware-as-a-service

The biggest danger of RaaS is that it made it possible for just about anyone to become a cyber extortionist. Undoubtedly, the advent of RaaS contributed greatly to the exponential growth of ransomware attacks.

RaaS gives users all the benefits of a regular ransomware attack, without the hassle of writing their own code. Ransomware took off because it tends to be much more lucrative than data breaches. Once hackers breach a system and steal data, they must procure a buyer and negotiate a price. This can take time, and the data may not be worth as much as the hacker thought it would be. Ransomware and RaaS attacks come with built-in “buyers”: the businesses who are locked out of their systems, who are often not in a position to negotiate on price.

Preventing RaaS attacks

RaaS attacks are launched just like regular ransomware attacks; usually, through a phishing email. The same proactive measures employed to prevent ransomware are also used to prevent RaaS, including:

* Using email filters to prevent phishing emails from reaching employees’ inboxes.
* Using reliable anti-virus programs and other security software.
* Keeping operating systems and application software up to date.
* Educating employees on cyber security hygiene, including how to recognize phishing emails and the steps to take if they receive a suspicious email.

Organizations must also regularly back up systems and data so that they can be restored in the event of an RaaS attack, as well as have an incident response plan and business continuity and disaster plans in place. In addition to shielding your organization from some of the fallout of a ransomware attack, these measures will also mitigate the damages from other cyber attacks, real-world crime or vandalism, or a natural disaster.

Author's Bio: 

Michael Peters is the CEO of Lazarus Alliance, Inc., the Proactive Cyber Security™ firm, and Continuum GRC. He has served as an independent information security consultant, executive, researcher, and author. He is an internationally recognized and awarded security expert with years of IT and business leadership experience and many previous executive leadership positions.

He has contributed significantly to curriculum development for graduate degree programs in information security, advanced technology, cyberspace law, and privacy, and to industry standard professional certifications. He has been featured in many publications and broadcast media outlets as the “Go-to Guy” for executive leadership, information security, cyberspace law, and governance.