Europol: Ransomware-as-a-Service Operations Are Losing Users

July 25, 2024

Cybercriminals are moving away from popular ransomware-as-a-service (RaaS) platforms thanks to major efforts from law enforcement agencies, according to a recent threat assessment published by Europol.

RaaS is a business model in which cybercriminals provide ransomware software and infrastructure to other criminals on a subscription basis. The model allows criminals to launch ransomware attacks without having to develop their own malware.

Historically, that has meant a higher level of sophistication for ransomware attacks — but that may be changing. 

“2023 saw [law enforcement agencies] deal heavy blows to the cybercriminal underground through the successive arrests of RaaS affiliates and operators and well-coordinated disruption of the cybercriminal infrastructure,” the report reads.

“The susceptibility to LE disruption may be one of the reasons why high-level affiliates are attempting to lessen their dependence on ransomware service providers’ infrastructure by utilizing leaked builders to develop their own malware variants and carry out attacks more independently.”

Notably, Europol suggests that the shrinking user base of RaaS platforms could be perpetuated by the increased quality of AI tools, which cybercriminals can use to quickly assemble and debug their code.

While RaaS is becoming less profitable, that won’t necessarily translate to less ransomware.

High-profile ransomware attacks have persisted through 2024, and there’s no indication that malicious actors are using ransomware less frequently — or less disruptively.

There is some good news, however: Less reliance on RaaS platforms will almost certainly limit the sophistication of ransomware attacks.

That means that ransomware recovery services could have greater capabilities for addressing attacks. Poor code leads to lackluster results, and at Datarecovery.com, we’ve encountered ransomware variants that were easily mitigated due to a lack of sophistication. 

The Europol report contains other conclusions with implications for the future of RaaS. According to the report:

  • LockBit was the most prolific RaaS provider on the market in 2023. 
  • However, LockBit was disrupted “at every level” in February 2024 via a coordinated law enforcement action involving 10 different countries.
  • Other groups of note include Cl0p and Akira, both of which were described by Europol as potential “increasing threats.” 
  • While noting that it’s “likely” that new RaaS brands will emerge, Europol predicts that their longevity will largely depend on the experience and sophistication of those actors. 

If you’re dealing with ransomware, an experienced cybersecurity partner can help. Datarecovery.com provides a range of services to help organizations fight back. 

From ransomware recovery to penetration (PEN) testing, disaster recovery deployment, and ransomware investigation and remediation, we’re dedicated to providing solutions supported by decades of experience. To learn more, submit a case online or call 1-800-237-4200 to speak with an expert.