Measured Insurance Partners with Canopius and Long-time Backer SCOR to Expand Critical Cyber Insurance Solutions

Ransomware-as-a-Service and Other Ransomware Trends

Jack Vines
October 9, 2021
|Share this article:

Ransomware attacks are on the rise. More than 50% of all malware attacks are ransomware specific, meaning they will demand a ransom in exchange for your data or information. And there’s no sign of crime actors slowing down. In fact, since the beginning of the COVID-19 pandemic, attacks have increased 630%. Healthcare records are reportedly bought and sold on the dark web for $500 each and in Q3 of 2020, we saw a 50% increase in daily ransomware attacks compared to the beginning of 2020. The increase in attacks isn’t surprising, with more employees working from home, more vulnerable industries working overtime (healthcare and finance are great examples), and operational models maturing (models like ransomware-as-a-service).

The reality is this: cyber attacks, and more specifically, ransomware attacks, are part of a larger ecosystem.

Ransomware attacks start in the same way other malware attacks do—infecting your system with malicious software downloaded via a phishing email, a malicious website, or by taking advantage of a vulnerability in your network or device security (or even software or operating system). The goal of ransomware is to encrypt your data, removing your access, and then demanding a ransom in exchange for the release of the information.


In recent years, ransomware-as-a-service has seen a rise in popularity. Ransomware-as-a-service, or RaaS, is a business model in which ransomware crime actors recruit operators to use a specific tool set to exploit new victims (or known victims) to push out and deploy ransomware. In this scenario, both sets of crime actors gain an advantage—the ability to spread malware on a larger scale (and in some cases, the possibility of creating personalized malware attack) and both parties get a percentage of the profits.

Ransomware groups typically provide the recruits with everything they need—ransomware tools, a leak site, and even PR to encourage victims to pay the ransom. The RaaS business model further perpetuates the underground forums where many cyber criminals meet, collaborate, and learn how to be recruited.

The growth in RaaS attacks has propelled the crime actor industry to legitimize their businesses. This involves improving their reputation for future partnerships, marketing their offerings, providing customer service to the victims (or users, as the hacker groups would view them), and mitigating their own risk by vetting third-party malware. In some instances, these larger groups are marketing their offerings on the deep web (not the dark web) for broader access to new affiliates. The Janus group is known to use Twitter to communicate with victims about Petya and Mischa.

Data auctions

With the rise of new behind-the-scenes ransomware activity, a new scenario has emerged. In the past, if your business was a victim to ransomware, your data would be lost forever or held ransom until you met the payment demand. Now, crime actors have a new angle—selling your information in data auctions, further incentivizing you to make the ransom payment. The ransom is positioned as both a means to unlock your data and prevent your data from selling to the highest bidder.

We’ve seen this situation play out with both REvil and Sodinokibi ransomware. After a crime actor sees that a victim won’t be meeting the ransom demand, the data—whether it’s a portion or the entire data library that’s held for ransom—is prepped for a data auction. Bidders can show up anonymously and winners make their payment in Monero cryptocurrency (XMR). Among the victims of data auctions are law firms and food distributors.

Many victims, after paying the ransom demand, are stuck with the uncomfortable choice of trusting that crime actors won’t sell their information in a data auction anyway. Another option? Bidding on their own data. Every scenario is wrought with problems and legal and ethical dilemmas.

Publishing stolen information

Another scenario, growing in popularity with ransomware experts, plays out when an extortion payment isn’t made and crime actors publish the stolen data for everyone to see. Instead of selling it in a data auction or continuing to hold it for ransom, the crime actors simply release the information into the wild for all to see.

The Ragnar Locker Team, using Ragnar Locker malware, threatened to publish Campari Group’s data if a ransom demand wasn’t met in November of 2020. The Italian beverage company publicly acknowledged that “some personal and business data has been taken,” but the Ragnar Locker team fought back publicly with Facebook ads. The fraudulent ads stated, “We can confirm that confidential data was stolen and we talking about huge volume of data.” A new date was set for Campari to either pay up or see all of the two terabytes of stolen information published online.

How to prevent ransomware

Here are several steps you can take to mitigate your risk of ransomware: filter emails, require multi-step authentication, install anti-malware and antivirus software on all devices, and correctly configure your firewall.

95% of cyber security breaches are caused by human error. It’s important to educate your team, your organization, and yourself on best practices for cyber safety. Learn how to spot a malicious email, don’t click on unknown links, don’t download attachments from unknown senders, back-up your data, and stay up-to-date on known malware tactics and practices.

Need help assessing your business’s cyber risk? Check out our calculator here.