How intuitive, low-cost ransomware-as-a-service platforms are ushering in a new generation of threat actors
Analysis Summary
# Threat Actor: Ransomware-as-a-Service (RaaS) Operators and Affiliates
## Attribution & Identity
The summary focuses on the **RaaS model** and the actors utilizing it, rather than a single specific named threat group, detailing both the sophisticated RaaS **operators** and the lower-skilled **affiliates** ("Regular Joes," "newbies").
## Activity Summary
* RaaS has existed since the mid-2010s, providing toolkits to affiliates for a fee or profit share.
* In 2024, **RansomHub** facilitated over 600 attacks as the most active RaaS group of the year.
* RaaS groups operate like corporations, often offering multi-extortion schemes (delaying data exposure, downloading, or destruction).
* The rise of "junk gun" ransomware—affordable, low-grade kits (e.g., **Kryptina ransomware**, whose initial offering was a $20 kit)—has lowered the barrier to entry for less skilled attackers.
## Tactics, Techniques & Procedures
* Utilizing exploit kits and automated malware deployments provided by the RaaS backbone.
* Employing **multi-extortion schemes**.
* **Low-Level/Opportunistic Attacks:** Affiliates leverage cheap, plug-and-play ransomware kits.
* **Living-off-the-Land (LotL) attacks** are named as a technique that defenses must specifically account for.
## Targeting
* Sectors: Healthcare, Finance, and Government (targeted by RansomHub).
* Geography: Not explicitly detailed, but global operations are implied by the nature of RaaS.
* Victims: Prime targets are **Small to Midsize Businesses (SMBs)** due to their limited monitoring infrastructure and fewer formal reporting processes, making them "irresistible prey."
## Tools & Infrastructure
* **Malware families used:** General "plug-and-play ransomware kits," specifically mentioned **Kryptina ransomware**.
* **Infrastructure:** No specific domains or IPs are given; the focus is on the *sharing and reuse* of source code and tools across the criminal ecosystem.
## Implications
The RaaS business model has become highly organized, scaling up cybercrime operations globally. The availability of cheap, low-grade ransomware ("junk guns") is flooding the market, increasing the volume of attacks against vulnerable, poorly monitored organizations like SMBs. The maturation of RaaS cartels necessitates enterprise-grade defenses even for smaller entities.
## Mitigations
* Expand **visibility** across networks, users, endpoints, and applications (using EDR).
* Implement **default/deny** application control to stop unauthorized software execution.
* Defend against **Living-off-the-Land (LotL) attacks**.
* Leverage **AI/NLP** for rapid incident investigation and identification of suspicious behavior.
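The default/deny application control recommended above can be expressed as an AppLocker allow-list on Windows: once allow rules exist for a rule collection, anything not matched by one is a policy violation. The following is an added example, not code from the summarized report; it assumes a Windows endpoint with administrative rights, creates a local policy in `AuditOnly` mode so nothing is blocked until the audit events have been reviewed, and uses a constructed sample path to show how a candidate file would be judged.

```powershell
# Added example (not from the summarized report): minimal AppLocker
# allow-list that treats every executable outside Program Files and the
# Windows directory as a violation. Starts in AuditOnly so the effect can
# be measured before enforcement is switched on.

$rules = @(
    @{ Name = 'Allow Program Files';      Path = '%PROGRAMFILES%\*' }
    @{ Name = 'Allow Windows directory';  Path = '%WINDIR%\*' }
)

# Each rule needs a unique GUID; S-1-1-0 is the well-known SID for Everyone.
$ruleXml = foreach ($r in $rules) {
@"
    <FilePathRule Id="$([guid]::NewGuid())" Name="$($r.Name)" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="$($r.Path)" />
      </Conditions>
    </FilePathRule>
"@
}

$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
$($ruleXml -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'applocker-default-deny.xml'
$policyXml | Set-Content -Path $policyPath -Encoding UTF8

# Dry-run the policy against a constructed path a user-writable drop
# location would produce; the decision is "DeniedByDefault" because no
# allow rule matches it, which is exactly the default/deny behaviour.
Test-AppLockerPolicy -XmlPolicy $policyPath -Path 'C:\Users\Public\unknown-tool.exe' -User Everyone

# Apply as the local policy (use -Ldap to target a GPO instead) and make
# sure the Application Identity service, which AppLocker depends on, runs.
Set-AppLockerPolicy -XmlPolicy $policyPath
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# Review what would have been blocked (event 8003 = audited) before
# changing EnforcementMode to "Enabled". Event 8004 is a real block.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object Id -eq 8003 |
    Select-Object TimeCreated, Message
```

Run the audit phase long enough to capture the organisation's normal software lifecycle (updates, installers that launch from user profiles) and add publisher or hash rules for legitimate exceptions before switching to `Enabled`; a path-based allow-list is only as strong as the write permissions on the allowed directories, so confirm ordinary users cannot write to them.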