Ransomware-as-a-Service: Ransomware Operators Find Ways to Bring in Business

Successful ransomware attacks continue to make headlines as profits gained by cybercriminals increase. In 2015, a ransomware family called CryptoWall brought in an alarming US$325 million for its operators—a tidy sum for a single family.

Ransomware works quite effectively, typically infecting computers through spam email or infected web sites. Once installed, ransomware encrypts files in the victim's system and then asks victims for a certain amount for a decrypt key needed to restore access to the files. If the ransom is paid, the ransomware operator will supposedly send the needed key—though there is no guarantee.

The increasing cases of ransomware infections could be partly due to the ransomware-as-a-service (RaaS) business model. This particular strategy has been proven to be highly lucrative for cybercriminals, allowing malware creators to earn from their ransomware by enlisting a network of distributors. The scheme works because one type of ransomware can be sold and spread by multiple distributors, with the creator getting a cut from their profit. Potential distributors don’t even need much capital or technical expertise to start; even those without coding experience can launch a ransomware campaign.

Thanks to the easy buy-in, the business model has allowed ransomware to enter the mainstream and grow. A recent study by Trend Micro tracked a 172% increase in new ransomware families discovered in the first half of 2016 alone. More ransomware options mean more choices for distributors, which has led operators into using unique business strategies that will let them stand out from the pack. 


Shark (detected by Trend Micro as Ransom_SHARKRAAS) is one of the more recent RaaS variants seen. Seen in early August, this specific strain targets a wider and less tech-savvy base of distributors.

RaaS operators typically use anonymous networks like Tor to host their files, mostly because they are perceived to offer anonymity. For operators, these online networks are more private and secure, but not readily available to casual internet users. Shark operates differently though. As news outlets have reported, Shark is hosted on a public WordPress site and is accessible to the internet at large. From the Shark site, interested distributors can download a zip file containing everything they need to start a distribution op: the ransomware configuration builder, the ransomware executable files, and important warnings in a ReadMe.txt file.

This ransomware is particularly attractive because it can be customized easily without the need for advanced coding skills. The operators provided a base ransomware executable that allows distributors to change the configuration: the types of files to target, the countries to target, the folders to encrypt, and other specifics. The Shark operators also went out of their way to make the process easy, providing detailed examples of how to configure and customize the ransomware, as well as suggestions on how much to charge victims in different countries. As seen in other reports, the payment is fully automated, with the operators receiving the full amount before dividing it. Operators take a 20% cut of the profit, while the distributors get 80%.

Shark operators are looking for new opportunities outside traditional ransomware distributors, who already have many options with other RaaS variants. By targeting distributors who have little-to-no experience with coding or malware, they are able to reach a larger client market. And as their client/distributors grow, so do their profits.

These ransomware operators are evolving the current business model and mirroring legitimate businesses with the way they attract clients. They’re putting more thought into user interface, making the service easier to use, and outsourcing to a broader base of distributors.


The Stampado ransomware (detected by Trend Micro as RANSOM_STAMPADO.A) offers a “lifetime license” at an astonishingly low price—just US$39. The bargain comes at a time when other ransomware variants like Locky or the newer Goliath can go for thousands of dollars. It makes Stampado an attractive package for distributors with low-capital. Like Shark, the creators have designed their product to appeal to a broader market.

Closer inspection shows that Stampado has many of the same qualities as the rampant Jigsaw ransomware: it deletes files after a certain period to force victims to pay, and it uses AES to lock down computers. However, the design and coding are not as sophisticated as Jigsaw, and it is easier to decrypt and analyze.

Stampado could be an inexpensive imitation sold at a bargain price—a familiar business scheme seen everywhere from the tech sector to major fashion brands. While not necessarily a ransomware "service" because it's sold as a single purchase, it's an effective business model nonetheless. For many distributors, the affordability of the ransomware will take priority over the quality.      


Encryptor RaaS (detected by Trend Micro as RANSOM_CRYPRAAS.SM) is an older variant of ransomware that was first discovered in mid-2015. The infection numbers of this particular ransomware are not very high; in fact, compared to other popular variants, it has a small audience and limited success. Reports show that the rate of infected users who actually pay the ransom is only .44%. Nevertheless, it is still up and running.

The latest updates show that Encryptor RaaS is continuously being upgraded by its authors. Until now, it is still being actively developed to evade detection from security products. It seems low adoption (and an even lower success rate) isn't a deterrent for the designers, as they still continue to refine and improve their product.     

Other ransomware operators are also improving their business models, even providing customer service to ransom victims. Support pages are popping up, as well as ransomware call centers that guide victims on payment plans. These operators have learned that smoother transactions will make the payment process easier, and the victims could be more amenable to cooperating if they see how easy it is to pay. Profit-hungry cybercriminals are willing to do almost anything to increase their success rate, so it is no surprise that their business operations are changing to fit with what works.     

But as these criminals make it easier for victims to pay, it highlights why enterprises should say No to Ransomware. Ransomware operators are leeching millions of dollars from businesses around the world, and the number is still projected to grow. As long as they find victims willing to pay, the ransomware "industry" is expected to continue flourishing.

Here are more reasons why victims shouldn’t pay:

  • There is no guarantee that victims will get their files back
  • Paying the ransom is like funding these criminal operations
  • Knowing that a victim will pay makes them a more attractive target

Instead, find comprehensives security solutions that prevent the problem before it starts, such as a multi-layered defense strategy that can consistently block ransomware threats. Trend Micro protects enterprises’ gateway, endpoints, networks and servers with Trend Micro  Deep Discovery Email Inspector and InterScan Web Security. These solutions block ransomware at the exposure layer and the most common delivery vector of ransomware—web sites and email.    

At the endpoint level, Trend Micro Smart Protection Suites detect and stop suspicious behaviors and exploits associated with ransomware via behavior monitoring, application control, vulnerability shielding, and Web reputation features.

SMBs can stay protected with Worry-Free™ Services Advanced’s cloud security, behavior monitoring, and real-time Web reputation for devices and emails.

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.