What you should know about ransomware and phishing as a service

5 minutes reading

Many types of threats have become available as a service, which makes it possible even for those without sufficient technical knowledge to cause cyberattacks. Here is everything you should know to stay safe from Ransomware-as-a-Service (RaaS) and Phishing-as-a-Service (PhaaS).

Threats monetized

In the past, executing a sophisticated cyberattack was far from easy. A potential attacker needed to know how to code, develop functional sophisticated software, remain anonymous to the victims… Nowadays, the situation has changed and there are platforms offering ransomware or phishing-as-a-service to anyone interested in using these threats against someone or earning money through criminal means. RaaS and PhaaS models are quite similar to the software-as-a-service (SaaS) business model: an operator develops software and sells it to an affiliate who can have little to no knowledge of coding and development – only in this case, the software is malicious.

Apart from creating the malware, the operators may also offer technical support to the affiliate and a step-by-step guide for launching the attack. They often present their product online, look for affiliates on dark web forums, and promote their product with elaborate reviews. While some operators only recruit affiliates with advanced technical skills to make their chances of profit higher (such as the Circus Spider cybercrime group), other RaaS and PhaaS owners look for anyone willing to use their product and pay enough money.

Ransomware or phishing-as-a-service can be bought based on different revenue models. The affiliate may pay a one-time price for the service or pay a monthly fee to keep using the malware. In the case of RaaS, some operators may also demand a percentage of the paid ransom. Given the fact that the average ransom payment was around $228,125 in 2022, it only takes a few successful attacks to make the service profitable for both the operator and the affiliate.

Cybercriminals have also realized that they can make more money by executing human-operated attacks and targeting businesses directly. By aiming their attacks at specific companies, they can get to know their targets better and launch the attacks at moments when the companies are at their most vulnerable, for instance on holidays or weekends.
As a result, ransomware attacks are not only accessible to nearly anybody – they are also increasingly more successful.

Digital crime as a business model

There are many different operators offering their malware online, and each year, more are launching their businesses. Most of them are far from cybercriminal amateurs. RaaS and PhaaS are often offered by highly developed cybercriminal groups with a network of employees that take care not only of the coding and development, but also customer service, negotiations, and more.

Among some of the well-known gangs, there is the CARBON SPIDER group, associated with the DarkSide RaaS operation, or the PINCHY SPIDER group, which sells the common REvil (or Sodinokibi) ransomware, known for the highest demanded ransom of $70 million. Some famous ransomware comes from unknown sources – for instance the Dharma attacks, which have been associated with an unknown Iranian criminal group, or the Ryuk ransomware, which mainly targets public entities, such as US schools.

Percentage of the top 10 types of reported ransomware

1. REvil / Sodinokibi – 14.2%

2. Conti V2 – 10.2%

3. Lockbit – 7.5%

4. Clop – 7.1%

5. Egregor – 5.3%

6. Avaddon – 4.4%

7. Ryuk – 4%

8. DarkSide – 3.5%

9. Suncrypt – 3.1%

10. Netwalker – 3.1%

Source: Cloudwards, 2021

As for the PhaaS attacks, most of them focus on Western services, but there is also the Caffeine platform that targets Russian and Chinese markets and collects login credentials from the victims by faking a Microsoft login page. Caffeine exemplifies the latest accessibility of threats, as the platform’s services are available to just about anyone with an email address.

How to stay secure

How to protect yourself and your employer from phishing and ransomware? Here are some basic rules every employee should follow:


1. Stay alert when reading emails. Learn to recognize phishing, and whenever you receive a message from someone you don’t know, or an email that seems suspicious to you, react cautiously. If you are unsure about the authenticity of an email, don’t click on any links or open any attachments, and consult the situation with your IT team.

2. Know – and follow – the basics of password hygiene. Use different password for each of your accounts and always try to create a complex password that is difficult to guess but easy to remember, or even better, use a passphrase. Use a reliable password manager recommended by your IT specialists to help you remember all your credentials.

3. Always back up data. Each employee should know how to back up their documents and which online as well as offline storages they can use to keep their files safely.

4.Stay informed. Get to know some of the common threats that you may come across and learn how to react to them. Likewise, get to know your company’s policy and crisis plan so that you are prepared to act if you fall victim to phishing or ransomware. Try to keep your knowledge up-to-date with the rapid development of technology, as there are constant changes in the potential threats as well as the ways you can protect yourself from them.

5. Opt for a reliable solution. To stay protected from RaaS and PhaaS, use a solution that shields your devices from both ransomware and phishing. With the combination of proper education, beneficial security habits, and software protection, it will be difficult for cyber-attackers to turn you or your company into their victim.