RaaS: Attack of the Clones
In cyber wars, no weapon has proven as profitable as ransomware, and its latest iterations are more widespread than ever before. Like a horde of Stormtroopers, ransomware-as-a-service (RaaS) has created a legion of threat actors armed with near-identical tools, tactics, and playbooks. RaaS isn’t new, but it’s matured into a full-blown business model with affiliate programs, customer service and revenue-sharing agreements. How did we get here?
A long time ago…
In the early days of ransomware, enterprises were the primary target for attackers. From a cybercriminal’s point of view, these companies were high risk, high reward. If bad actors were going to manually breach a system, move laterally and stage encryption, they wanted to make it count. And thanks to their high-value data, convoluted IT environments and deeper pockets that could afford ransom demands, enterprises fit the bill.
Meanwhile, SMBs generally assumed they were too small to be noticed. Common sentiments from these companies likely included:
- “We don’t have anything valuable enough to steal.”
- “Hackers are only interested in big brands.”
- “We’re under the radar.”
This “security through obscurity” mindset didn’t prevent SMBs from investing in basic defenses—antivirus, firewalls, etc.—and that worked for a while. But ransomware was scaling at a remarkable rate. In the background, a clone army was starting to form.
Ransomware cantinas
The tipping point for ransomware was its commodification. Today, cybercrime marketplaces and underground forums offer a one-stop shop for attackers. Ransomware kits come with everything needed to run an enterprise-grade attack, including:
- Pre-built malware payloads
- Clear step-by-step instructions
- Tools for lateral movement, privilege escalation and encryption
Just like any competitive SaaS business, many of these offerings now come with affiliate revenue models, with top operators giving attackers a cut of each ransom collected. Some even restructure payment flows to build trust with affiliates—mirroring the dynamics of a commercial partner ecosystem. RaaS has become the franchise model of cybercrime.
SMBs in the crosshairs
As these tools have become easier to use, attackers have shifted their focus to smaller prey. Because each attack takes less effort, a higher volume of attacks is possible.
SMBs are easier to compromise because they often lack 24/7 security and advanced endpoint detection. Smaller companies mean smaller ransoms, but that can also make SMBs more willing to pay. And a company without backups might feel it has no other option.
So the enemy’s logic has flipped. Instead of targeting massive Death Stars, ransomware actors are casting wide nets to snare starfighters, shuttles and spacetugs. If the attacks are plug-and-play, why not run 20 smaller campaigns at once instead of one risky mega-heist? We’re in an age of enterprise-grade attacks aimed at businesses large and small. There is no obscurity left.
The SMB strikes back
The same digital transformation that powered the growth of SMBs has also expanded their attack surfaces. Just as SMBs adopted cloud tools, CRM platforms and enterprise-grade SaaS to scale, they now need enterprise-grade security. Basic antivirus and firewalls won’t hold up against attackers using tools and playbooks designed for Fortune 500 targets. The playing field must be leveled.