Gone are the days of easy-to-track, stand-alone ransomware groups who carried out attacks with their own tools and once taken down, bowed out of the game. Enter ransomware-as-a-service (RaaS).

RaaS is a cybercrime business model where affiliate groups lease malware to conduct a cyberattack. The notorious RaaS groups such as Lockbit and Black Basta leverage these affiliates to expand their reach and increase profits while inflicting harm on businesses around the world. The RaaS groups run the infrastructure and do the heavy lifting. The affiliates use the RaaS groups’ encryptor and services, find the victims and carry out the attack.

It’s useful to understand how RaaS models operate and their impacts on ransomware attacks and cyber insurance. But more importantly, organizations are advised to have in place the recommended security protocols to proactively mitigate risk.

The Evolution of Ransomware as a Service and Freedom of Movement

While RaaS groups are not new, their freedom of movement and specialization in ransomware attacks (with the help of the affiliates) is increasing – and therefore so are the impacts. Affiliates can easily jump ship and move to new groups at any given time, which makes them incredibly difficult to track.

The RaaS groups and their affiliates generally have a symbiotic relationship. However, due to the availability of many RaaS groups, the success of any individual RaaS largely depends on the affiliates’ trust in its stability and efficacy. When a large RaaS group is compromised, affiliates may shift their allegiance to more secure criminal networks, undermining the original group’s prominence.

This has been the case with Lockbit, the largest RaaS provider. Lockbit was established in 2019 and flourished until February 2024 when, according to The Global Initiative Against Transnational Organized Crime, the UK’s National Crime Agency (NCA) took control of the group’s infrastructure. With cryptocurrency accounts frozen, services and accounts taken down and law enforcement actively pursuing affiliates, we saw a drastic decline in Lockbit’s activity and a subsequent upswing in other RaaS groups. It was clear that affiliates were spooked and distanced from Lockbit. Many thought this would be the end of the group, but given the flexibility RaaS models deliver, Lockbit has persevered. The role of law enforcement disruption is still critical, but it’s clear that RaaS models offer cybercriminals a way to remain resilient.

It’s important to point out that the ransomware ecosystem has largely been shown to stabilize after interruptions to individual RaaS group operations.

To understand the impact, let’s highlight the reach of Black Basta, among the most prominent RaaS groups. In May, the Cybersecurity and Infrastructure Security Agency (CISA) in partnership with the FBI, the Department of Health and Human Services (HHS) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint Cybersecurity Advisory. The advisory informs cybersecurity defenders about the tactics, techniques and procedures that known Black Basta ransomware affiliates use, as well as indicators of compromise. From our  joint research with blockchain analytics firm Elliptic, we know that Black Basta has extracted well over $100 million in ransom payments. The group’s affiliates have targeted more than 500 private industry and critical infrastructure entities, including healthcare organizations, across North America, Europe and Australia. Given the highly protected (and therefore valuable) nature of health data, healthcare has become a favorite target for RaaS groups and their affiliates.

Offense is the Best Defense

We know that the best defense when it comes to RaaS groups is always offense. Having strong security protocols in place is the best protection for any organization in a world where powerful RaaS groups and their affiliates are a constant threat.

Three ways organizations can strengthen their security posture:

• Vulnerability Management
• Multi-Factor Authentication (MFA)
• Endpoint Detection and Response (EDR)

Vulnerability management is the practice of identifying, evaluating, remediating and reporting on security vulnerabilities in software and the systems it runs on. New software vulnerabilities have been largely exploited in 2024, including Screen Connect software used for remote desktop access. As companies run custom software and more applications, both testing and patching become an important focus.

Strong forms of MFA are frequently mentioned, but this doesn’t lessen their critical role in security. A multi-step account login process that requires users to enter more information than just a password helps to establish strong access controls. It’s simply limiting access to those who need it to do their jobs and enforcing MFA protocols.

EDR strategies and solutions continuously monitor end-user devices to enable the detection and response to cyber threats, including ransomware and malware. Building a defense around networks and endpoints is critical to guarding against threat actors.

The security vulnerabilities that persist reinforce the need for steadfast cybersecurity practices, particularly vulnerability management, MFA and EDR. RaaS groups and their affiliates will continue to prey on weaknesses and adapt their practices to do so. These proactive defense measures remain critical in the ongoing battle against RaaS groups and bad actors.