Cybersecurity insights from industry experts.

Extortion Economics: Ransomware's New Business Model

Ransomware-as-a-service lowers the barriers to entry, hides attackers’ identities, and creates multitier, specialized roles in service of ill-gotten gains.

Microsoft Security, Microsoft

November 8, 2022

4 Min Read
malware or ransomware attack concept padlock with money
Source: the lightwriter via Alamy Stock Photo

Did you know that more than 80% of ransomware attacks can be traced to common configuration errors in software and devices? This ease of access is one of many reasons why cybercriminals have become emboldened by the underground ransomware economy.

And yet many threat actors work within a relatively small and interconnected ecosystem of players. This pool of cyber criminals has created specialized roles and consolidated the cybercrime economy, fueling ransomware-as-a-service (RaaS) to become the dominant business model. In doing so, they've enabled a wider range of criminals to deploy ransomware regardless of their technical expertise and forced all of us to become cybersecurity defenders in the process.

Microsoft Security doesn't just rely on open forum monitoring and ransomware claims to identify emerging cybercrime trends. We track ransomware attacks across the entire arc of the event — from incursion and exfiltration to ransom demand. This has allowed us to identify patterns in cybercriminal activity and turn cybercrime into a preventable business disruption. Following are some of our top tips.

Understanding How RaaS Works

Ransomware takes advantage of existing security compromises to gain access to internal networks. In the same way businesses hire gig workers to cut costs, cybercriminals have turned to renting or selling their ransomware tools for a portion of the profits rather than performing the attacks themselves.

This flourishing RaaS economy allows cybercriminals to purchase access to ransomware payloads and data leakage, as well as payment infrastructure. What we think of as ransomware gangs are actually RaaS programs like Conti or REvil, used by the many different actors who switch between RaaS programs and payloads.

RaaS lowers the barrier to entry and obfuscates the identity of the attackers behind the ransoming. Some programs can have 50 or more "affiliates," as they refer to their users, with varying tools, tradecraft, and objectives. Anyone with a laptop and credit card who is willing to search the Dark Web for penetration-testing tools or out-of-the-box malware can join this maximum efficiency economy.

So what does this mean for enterprises?

Fresh Insight From a New Business Model

This industrialization of cybercrime has created specialized roles in the RaaS economy. When companies experience a breach, multiple cybercriminals are often involved at different stages of the intrusion. These threat actors can gain access by purchasing RaaS kits off the Dark Web, consisting of customer service support, bundled offers, user reviews, forums, and other features.

Ransomware attacks are customized based on target network configurations, even if the ransomware payload is the same. They can take the form of data exfiltration and other impacts. Because of the interconnected nature of the cybercriminal economy, seemingly unrelated intrusions can build upon each other. For example, infostealer malware steals passwords and cookies. These attacks are often viewed as less serious, but cybercriminals can sell these passwords to enable other, more devastating attacks.

However, these attacks follow a common template. First comes initial access via malware infection or exploitation of a vulnerability. Then credential theft is used to elevate privileges and move laterally. This templatization has allowed prolific and detrimental ransomware attacks to be performed by attackers without sophisticated or advanced skills.

Strategies for Businesses to Deploy

Now that we understand the mechanics behind RaaS, let's examine several preventative measures that companies can take.

  • Build credential hygiene: Develop a logical network segmentation based on privileges that can be implemented alongside network segmentation to limit lateral movement. Failure to implement credential hygiene is one of the biggest security misconfigurations that we observe, and yet this simple tool can be a major factor in preventing threat actors from moving laterally and distributing a ransomware payload across the company. 

  • Audit credential exposure: Audit your credential exposure to better prevent ransomware attacks and cybercrime at large. IT security teams and security operations centers (SOCs) can work together to reduce administrative privileges and understand the level at which their credentials are exposed.

  • Reduce the attack surface: Establish attack surface reduction rules to prevent common attack techniques used in ransomware attacks. In observed attacks from several ransomware-associated activity groups, organizations with clearly defined rules have been able to mitigate attacks in their initial stages while preventing hands-on-keyboard activity.

Ultimately, carrying out a ransomware attack is easier than ever thanks to the commoditization of ransomware toolkits. But by implementing foundational security best practices and monitoring their credentials, companies will be less likely to fall victim to a ransomware attack.

Read more Partner Perspectives from Microsoft.

Read more about:

Partner Perspectives

About the Author(s)

Microsoft Security


Protect it all with Microsoft Security.

Microsoft offers simplified, comprehensive protection and expertise that eliminates security gaps so you can innovate and grow in a changing world. Our integrated security, compliance, and identity solutions work across platforms and cloud environments, providing protection without compromising productivity.

We help customers simplify the complex by prioritizing risks with unified management tools and strategic guidance created to maximize the human expertise inside your company. Our unparalleled AI is informed by trillions of signals so you can detect threats quickly, respond effectively, and fortify your security posture to stay ahead of ever-evolving threats.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights