Microsoft Security
ISSUE 2 - Cyber Signals

Extortion Economics

Ransomware’s new business model

August 22, 2022

Over 80 percent of ransomware attacks can be traced to common configuration errors in software and devices.[1]

Cybercriminals are emboldened by underground ransomware economy

While ransomware continues to be a headline-grabbing topic, there’s ultimately a relatively small, connected ecosystem of players driving this sector of the cybercrime economy. The specialization and consolidation of the cybercrime economy has fueled ransomware as a service (RaaS) to become a dominant business model, enabling a wider range of criminals, regardless of their technical expertise, to deploy ransomware.

Watch the Cyber Signals digital briefing where Vasu Jakkal, CVP of Microsoft Security, interviews top threat intelligence experts on the ransomware economy and how organizations can help protect themselves.

Threat Briefing

New business model offers fresh insights for defenders

Just as many industries have shifted toward gig workers for efficiency, cybercriminals are renting or selling their ransomware tools for a portion of the profits, rather than performing the attacks themselves.

The ransomware as a service economy allows cybercriminals to purchase access to ransomware payloads, data leak infrastructure, and payment infrastructure. Ransomware "gangs" are in reality RaaS programs like Conti or REvil, used by many different actors who switch between RaaS programs and payloads.

RaaS lowers the barrier to entry and obscures the identity of the attackers behind the ransoming. Some programs have 50+ "affiliates," as they refer to the users of their service, with varying tools, tradecraft, and objectives. Just as anyone with a car can drive for a rideshare service, anyone with a laptop and a credit card who is willing to search the dark web for penetration testing tools or out-of-the-box malware can join this economy.

This industrialization of cybercrime has created specialized roles, like access brokers who sell access to networks. A single compromise often involves multiple cybercriminals in different stages of the intrusion.

RaaS kits are easy to find on the dark web and are advertised in the same way goods are advertised across the internet.

A RaaS kit may include customer service support, bundled offers, user reviews, forums and other features. Cybercriminals can pay a set price for a RaaS kit while other groups selling RaaS under the affiliate model take a percentage of the profits.

Ransomware attacks involve decisions based on the configuration of each victim's network, so they differ from victim to victim even when the ransomware payload is the same. Ransomware is the culmination of an attack that can also include data exfiltration and other impact. Because of the interconnected nature of the cybercriminal economy, seemingly unrelated intrusions can build upon each other. Infostealer malware that steals passwords and cookies is treated with less severity, yet cybercriminals sell these passwords to enable other attacks.

These attacks follow a template: initial access via malware infection or exploitation of a vulnerability, then credential theft to elevate privileges and move laterally. Industrialization allows prolific and impactful ransomware attacks to be performed by attackers without sophistication or advanced skills. Since the shutdown of Conti, we've observed shifts in the ransomware landscape. Some affiliates who were deploying Conti moved to payloads from established RaaS ecosystems like LockBit and Hive, while others simultaneously deploy payloads from multiple RaaS ecosystems.

New RaaS programs like QuantumLocker and Black Basta are filling the vacuum left by Conti's shutdown. Since most ransomware coverage focuses on payloads instead of actors, this payload switching is likely to confuse governments, law enforcement, media, security researchers, and defenders about who is behind the attacks.

Reporting on ransomware may seem like an endless scaling problem; however, the reality is a finite set of actors using a common set of techniques.

Build credential hygiene: Develop a logical network segmentation based on privileges that can be implemented alongside network segmentation to limit lateral movement.

Audit credential exposure: Auditing credential exposure is critical in preventing ransomware attacks and cybercrime in general. IT security teams and SOCs can work together to reduce administrative privileges and understand the level at which their credentials are exposed.

Reduce the attack surface: Establish attack surface reduction rules to prevent common attack techniques used in ransomware attacks. In observed attacks from several ransomware-associated activity groups, organizations with clearly defined rules have been able to mitigate attacks in their initial stages while preventing hands-on-keyboard activity.
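As an added example (not code from the Cyber Signals brief), the following PowerShell stages Microsoft Defender attack surface reduction rules on a Windows endpoint in audit mode first, then enforces them once audit events have been reviewed. The rule IDs are taken from Microsoft's published ASR rule reference and should be verified against current documentation before deployment; the `Set-AsrRuleMode` and `Get-AsrRuleStatus` helpers are this example's own.

```powershell
# Added example: stage Microsoft Defender attack surface reduction (ASR) rules.
# Rule IDs are from Microsoft's published ASR rule reference; verify before use.
# Requires an elevated PowerShell session with Microsoft Defender Antivirus.

$AsrRules = @{
    # Block credential stealing from the Windows local security authority subsystem (lsass.exe)
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block LSASS credential theft'
    # Use advanced protection against ransomware
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Advanced ransomware protection'
    # Block Office applications from creating child processes
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block Office child processes'
    # Block executable content from email client and webmail
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'Block executable email content'
}

function Set-AsrRuleMode {
    param(
        [Parameter(Mandatory)][string[]]$RuleIds,
        [Parameter(Mandatory)][ValidateSet('AuditMode', 'Enabled')][string]$Mode
    )
    # Add-MpPreference merges with rules already configured; the Ids and
    # Actions arrays are positional, so supply one action per rule id.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleIds `
                     -AttackSurfaceReductionRules_Actions (@($Mode) * $RuleIds.Count)
}

function Get-AsrRuleStatus {
    # Report configured rules with their action code
    # (0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn).
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        [pscustomobject]@{
            RuleId = $ids[$i]
            Action = $actions[$i]
            Name   = $AsrRules[$ids[$i]]   # null for rules not in this example's table
        }
    }
}

# Step 1: audit mode, so legitimate workflows that would trip a rule are logged
# in the Microsoft Defender operational event log rather than blocked.
Set-AsrRuleMode -RuleIds @($AsrRules.Keys) -Mode AuditMode

# Step 2 (after reviewing audit events): switch the same rules to block mode.
# Set-AsrRuleMode -RuleIds @($AsrRules.Keys) -Mode Enabled

Get-AsrRuleStatus | Format-Table -AutoSize
```

Rolling rules out in audit mode first is what lets a defender distinguish the hands-on-keyboard activity the text describes from noisy but legitimate business tooling before enforcement.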


1. Methodology: For snapshot data, Microsoft platforms, including Defender and Azure Active Directory, and our Digital Crimes Unit provided anonymized data on threat activity, such as malicious email accounts, phishing emails, and attacker movement within networks. Additional insights are from the 43 trillion daily security signals gained across Microsoft, including the cloud, endpoints, the intelligent edge, and our Compromise Security Recovery Practice and Detection and Response teams.
