The Ransomware-as-a-Service market within the darknet

For the past few years, ransomware has been one of the fastest-growing cybercrimes. The current trend is that organizations such as businesses, universities, hospitals and even municipalities are becoming the primary targets, whereas regular citizens are, to a lesser extent, being hit.

Because of ransomware's success, ransomware-as-a-service (RaaS) has grown in popularity. RaaS is available on the darknet to people without programming skills. Sellers can tailor ransomware to buyers' needs and provide it in different formats, such as source code that the buyer compiles himself, pre-compiled binaries or an interface where the buyer inputs information about the victims.

In this article, Per Hakon Meland and his colleagues set out to better understand the darknet market for RaaS by addressing the following research questions: How severe is the RaaS threat? What are the value chains related to this market? Their study spanned two years, with four phases of data collection:

  • Phase 1: The authors started their investigation with a small number of sites to gain a better understanding of the structure and operation of the darknet.
  • Phase 2: They expanded their research sample with additional sites, historical data and published interviews with stakeholders.
  • Phase 3: The researchers updated their sample of sites to capture the latest trends and developments regarding RaaS.
  • Phase 4: By the end of the data collection phase, several of their previous data sources were shut down, so the researchers had to update their sample once more.

The findings of the study highlight several aspects of the RaaS market. First, the authors noted strong vendor resilience. The takedown of the dominant darknet markets Alphabay and Hansa after a Europol operation led to the rapid growth of the Dream market. This market was able to take over mainly because of its performance compared to its competitors at the time. Another reason can be related to the rapid establishment of trust between stakeholders. Indeed, Dream had a specific feature that allowed vendors to present their previous ratings from Alphabay and Hansa on their profile page. This feature helped vendors to maintain their existing reputation, and buyers could base their trust on trade ratings from the shutdown markets.

The market size for RaaS was rather small. The most popular goods sold on darknet markets are drugs. RaaS items are usually found under the Digital Goods or Services categories, where the most popular items are carding or credit card fraud.

The researchers also found several indications of scams regarding the selling of RaaS. Most of the renowned RaaS vendors had gained their high rating from credit card or drug-related sales and not because of RaaS. Also, the descriptive RaaS information tended to be copied from other RaaS items, and much of the data in the feedback fields, including aliases and ratings, seemed to be artificially created, since the entries were identical and registered at the same time.

Finally, regarding the RaaS target market, the authors found that, based on the item descriptions, most of the RaaS offerings available were targeted at experts, while a little more than a third were accessible to novices. Moreover, popular items tended to include links to detailed guides and tutorial videos with step-by-step instructions.

This article sheds light on RaaS activities on the darknet. RaaS seems to be a small market within the darknet, and vendors are quite resilient in the face of numerous takedowns.

To cite: Meland, P. H., Bayoumy, Y. F. F. and Sindre, G. (2020). The Ransomware-as-a-Service economy within the darknet. Computers & Security, 92.