Ransomware 'business' is hot as attacks surge

Healthcare and utilities sectors are most targeted

Ransomware has become a hot business model.

The number of organizations affected by ransomware has jumped 102% compared to the beginning of 2020 and "shows no sign of slowing down," according to a research note last month from IT security firm Check Point, adding that the number of organizations impacted by ransomware globally has more than doubled in the first half of 2021 compared with 2020.

The healthcare and utilities sectors are the most targeted sectors since the beginning of April 2021, according to the note.

Motorists use gas pumps at a refueling station on May 12, 2021 in Benson, North Carolina. Most stations in the area along I-95 were without fuel following the Colonial Pipeline hack.  (Sean Rayford/Getty Images)

Driving this surge is the Ransomware-as-a-Service (RaaS) model. Criminals favor RaaS because it leverages a partner program to execute cyberattacks, serving to shield the real actors behind the attacks, Check Point said.

The business model

Darkside, the group behind the Colonial Pipeline attack, had been the leading light in RaaS (though it claimed in May to be shutting down). And other groups have followed its lead.

"Many of them now have help desks, technical support, payroll processing and subcontractors. They are essentially full-fledged criminal enterprises operating in the digital world," Amit Yoran, CEO of cybersecurity firm Tenable, told FOX Business.


For a customer, it can be as simple as logging into the RaaS portal, creating an account, paying with Bitcoin, specifying the type of malware they want, and hitting the submit button, cybersecurity firm CrowdStrike explains in its primer on RaaS.

A "RaaS kit" may include 24/7 support, bundled offers, user reviews, forums and other features identical to those offered by legitimate Software as a Service (SaaS) providers, CrowdStrike says.

Groups behind ransomware now offer help desks, technical support, payroll processing and subcontractors like a full-fledged business. (iStock)

The price of RaaS kits ranges from $40 per month to several thousand dollars. "Trivial amounts, considering that the average ransom demand in Q3 2020 was $234,000 (and trending upward)," the primer says.

And the RaaS subscription-based model is simple to execute, effective, and promises profits, according to Palo Alto Networks’ Unit 42 Ransomware Threat Report 2021.

Profits are the biggest draw, as demonstrated by recent high-profile ransomware attacks.

JBS USA paid an $11 million ransom to cybercriminals who temporarily knocked out plants that process roughly one-fifth of the nation’s meat supply. And Colonial Pipeline paid hackers close to $5 million in ransom.

The four most common RaaS revenue models, according to CrowdStrike:

  • Monthly subscription for a flat fee
  • Affiliate programs, where a percent of the profits (typically 20-30%) going to the RaaS operator
  • One-time license fee with no profit sharing
  • Pure profit sharing


The total amount paid by ransomware victims increased by 311% in 2020 to reach nearly $350 million worth of cryptocurrency, according to Chainalysis 2021 Crypto Crime Report.

No other category of cryptocurrency-based crime had a higher growth rate, according to Chainalysis.