

Trouble Ahead: Ransomware-as-a-Service on the Dark Web


A Cyber Security Venture report shared that cybercrime cost companies worldwide US$ 6 trillion in 2021. The losses will likely touch US$ 10.5 trillion annually by 2025. Compared by GDP, the cybercrime market is the world's third-largest economy after the US and China. According to experts, the situation will only worsen over time.

As the digital age progresses, criminals use the internet and the dark web as a platform for nefarious activities like purchasing ransomware services. This article aims to explore how these malicious individuals can access black markets easily, allowing even novices with limited knowledge to launch attacks on enterprise infrastructure through malware.

What is RaaS?

Ransomware is malware that locks and encrypts the victim's computer and demands a ransom to decrypt and unlock the target system. Ransomware-as-a-Service (RaaS) is a subscription-based model that serves ransomware online. Attackers can subscribe to such services to utilize already-developed ransomware tools for attacking enterprises, manufacturing units, and IoT systems. 

It is essentially a malicious variation of the cloud's Software-as-a-Service (SaaS) business model. Since the dark web is anonymous and private, numerous shady sellers peddle RaaS with impunity. The RaaS model offers 24x7 services to its clients.

The ransom boom

As cybercriminals become greedier, the ransomware-as-a-service and ransomware market is growing exponentially. Roya Gordon of Nozomi Networks Labs says, "There are more players in the game because all of these tools are readily available, so you don't need to do anything. Cybercriminals are conducting reconnaissance on cyber insurance claims policies and tailoring their ransom requests to match the amount of a cyber insurance payout." 

Gordon added that anyone with a criminal mindset could access the online black market on the dark web and purchase the ransomware service. They do not even need to have technical skills to execute the ransomware. The ransomware-as-a-service operator will provide a dashboard with a simple interface so anyone can use it. 

As per a 2022 report, security researchers found 475 pages of ransomware code for sale on the dark web. Cybercriminals also exploit vulnerabilities in enterprise systems through malware and tools available on the black market. Nation-state hackers and financially motivated cybercriminals use dark web tools and services like RaaS to target critical infrastructure for material gain. Researchers saw this during the Russia-Ukraine war, where politically motivated hacktivists contributed to the booming cybercrime economy. As per Sophos' research report, the average ransom payment has gone up to US$ 812,360 per attack. All these facts show that the cybercrime market is scaling new heights, aided and abetted by different malware services on the dark web.

Attacks targeting IoT and IoT infrastructure

IoT systems are among the weakest links in the enterprise or manufacturing infrastructure chains. Attackers favour these IoT infrastructures as the pressure point to target using ransomware-as-a-service, DDoS-as-a-Service, and other exploits. Gordon says, "IoT devices aren't secure. Companies are just thinking of efficiency. How is this going to reduce manual labour and increase profits and revenue? They're not thinking about security. If threat actors are doing this, it's because they're successfully exploiting these IoT devices. A lot of the IoT firmware isn't updated. It's like people just buy it, deploy it, and then forget about it unless an attack happens." Threat actors also use botnet services to exploit IoT devices that contain default usernames and passwords.

Attack on critical infrastructure

In operational technology, keeping multiple devices scattered across large campuses up to date can be a complicated task. Attackers take advantage of that and use malicious dark web services to target critical infrastructure. The power grid and petrochemical industries are sensitive infrastructure, and disabling their workflow with ransomware can affect millions.

Healthcare facilities have also become a target of such dark web-based ransomware attacks. Gordon noted, "In healthcare, an attack could mean loss of life. It is a little scary because now you have many threat groups to worry about instead of just one targeting critical infrastructure."


To protect against potential threats, organizations should take preemptive measures. Data security, gateway protection, endpoint device safeguards, firewalls, and EDRs can drastically reduce the hazard. Additionally, keeping system firmware and security patches current maintains that protection over time. Lastly, Ransomware Penetration Testing, which evaluates your preparedness and risk for a ransomware attack, can provide further assurance.


Ransomware Penetration Testing

Ransomware penetration testing evaluates the preparedness and risk of a ransomware attack. In addition to a complete analysis of the security program against the Cybersecurity Framework Profile for Ransomware Risk Management (NISTIR 8374), and a technical assessment of security controls, a full penetration test is conducted to measure the robustness of your systems.