Ransomware Damage. PHOTO: Cybercrime Magazine.

Who’s Buying And Selling Ransomware Kits On the Dark Web

RaaS powers a spike in cyberattacks during the COVID-19 pandemic

Kumar Ritesh, founder and CEO of CYFIRMA

Singapore – Mar. 13, 2021

Ransomware continued its upward trajectory over the past year and it’s expected to attack a business every 11 seconds in 2021, according to Cybersecurity Ventures. A lot of that has to do with the digitalization rush caused by the COVID-19 pandemic. While companies were innovating and overhauling their business models, cybercriminals were developing their own software to make it easier to hold your data hostage.

We saw a 195 percent growth in acceptance of RaaS by cybercriminal communities in 2020 and the trend is still going strong. These financially motivated cybercriminals have had an incredibly successful year, which is only going to motivate them to continue developing and making it easier every day for your data to be compromised.

In 2020, we saw a massive change in how ransomware campaigns were executed. Cybercriminals would infect the victim’s network with malware, and exfiltrate data before leaving behind a ransom note with threats to name-and-shame the victim organization in public forums.

This year, we will see more attacks that include an added step where hackers will leave residual malware in the system and re-enter the network at will. Ransomware attacks have proven to be highly profitable for hackers and this has fueled the underground economy with a new business model and ecosystem.

Introducing Ransomware-as-a-Service (RaaS)

Ransomware as a Service (RaaS) is a business model in which developers sell or lease compact, easily deployable, and scalable malware toolkits to individuals and groups who want to stage cyberattacks. It’s promoted and sold on the dark web using the same marketing and sales tactics that legitimate businesses use on the regular web.

If you were to enter the dark web, you’d find display ads in underground forums promoting RaaS kits with different price points and varying degrees of service, just like the ads you encounter on social media and elsewhere on the web. There are bundles, discounts, 24-hour support, user reviews, and all the other web marketing elements you might see employed by a Software as a Service (SaaS) business. 

How easy is it to launch a cyberattack with RaaS

Buying a Ransomware as a Service kit or service package is as easy as buying any Software as a Service product, without the need for deployment and implementation.

RaaS malware and other tools can be purchased online and used directly on the target as a payload to execute the cyberattack. It’s so easy, almost 44 percent of the RaaS kits available on breach forums across the dark web are eventually launched against targets by buyers. RaaS is essentially a gift-wrapped cyberattack for anyone with a target and enough money to purchase the appropriate kit.

How much does RaaS cost

Prices for RaaS kits vary wildly depending on the sophistication of the software and the level of service provided in the package.

There are Ransomware as a Service systems for less than $100 that cater more to individuals and small targets and there are some that cost tens of thousands of dollars. The most expensive system we’ve come across in our research is the Maze Ransomware Kit. That package will set back a cybercriminal by $84,000.

At that price, you have to wonder what level of damage the buyers intended to inflict to get a decent return on their investments. In 2020, there were several ransomware attacks that each caused tens of millions of dollars in damage.

The second-largest software vendor in Germany fell victim to the Clop in October, which disrupted their internal network that set them back $20 million. The ransom demanded was $23 million. An updated version of Ryuk cost Sopra Steria $50 million. In April, Cognizant suffered $50 to $70 million in damages, and ISS World lost $74 million in February.

Who is buying RaaS

Ransomware as a Service can be purchased by any individual or group that wants to launch a cyberattack, and they can easily find a package to suit their needs for any target.

In our 2020 research, we’ve seen non-state individuals, financially motivated groups, and in some cases, state groups. Around November of 2020, we started noticing RaaS being discussed by cybercriminals who were interested in committing corporate espionage to exfiltrate sensitive information, including intellectual property.

Which hacker groups are selling and buying RaaS

From what we’ve uncovered in our investigations, the Ransomware as a Service 2020 movement seems to be predominantly led by Russian cybercriminal groups APT 28/28 and FIN 7/11, as well as the Korean cybercriminal group Lazarus and its affiliates.

There are also several non-state groups capitalizing on RaaS, buying and selling for financial gain. We’ve recently noticed Chinese and Vietnamese groups using RaaS as well but in a different way. They seem to be implementing the RaaS system as an element to hide their primary cybercrimes.

How to prevent ransomware attacks?

Avoid falling victim to ransomware attacks by ensuring the four pillars of cyber hygiene are taken care of — people, technology, process, and governance.


  • Provide authentic, real-world, and relevant cybersecurity awareness training to employees, suppliers, and partners. Ensure training programs can simulate actual attacks, and provide practical tips on handling these social engineering tactics in phishing campaigns


  • Incorporate layered-defense approach by having data, endpoint security, and gateway-based security solution
  • Use reputable anti-virus, web control, data loss protection and VPN solutions
  • Deploy solutions that can detect abnormal system, application and user behaviors


  • Perform threat profiling, create threat segmentation and zoning, and risks containerization
  • Ensure operating systems and software are patched regularly to minimize vulnerabilities
  • Keep core content encrypted
  • Ensure data is carefully tiered and the most important assets are stored in separate network or vault
  • Ensure data backups take place with clear definition on RTO (recovery time objective) and RPO (recovery point objective) to minimize business impact
  • Enforce strict control on who can access sensitive data and restrict the movement of this information within and outside the organization

Everyone has a role to play in keeping ransomware at bay, and this includes suppliers and partners. Mitigate third-party risks by ensuring suppliers and partners who need to connect to the organization’s systems comply with corporate cybersecurity standards.

Deploy threat intelligence to understand the external threat landscape and build situational awareness to sharpen investment decisions. And never forget that cybercriminals are highly agile and creative; this means your cybersecurity strategy must be dynamic and always relevant to the current threat landscape.

CYFIRMA Archives

Kumar Ritesh is the Founder and CEO of CYFIRMA


Headquartered in Singapore and Tokyo, CYFIRMA is a leading threat discovery and cybersecurity platform company. Its cloud-based AI and ML-powered cyber intelligence analytics platform helps organizations proactively identify potential threats at the planningstage of cyberattacks, offers deep insights into their cyber landscape, and amplifies preparedness by keeping the organization’s cybersecurity posture up-to-date, resilient, and ready against upcoming attacks.

CYFIRMA works with many Fortune 500 companies. The company has offices and teams located in Singapore, Japan and India.