Cybercrime-as-a-service explained: What you need to know

What is cybercrime-as-a-service?

Cybercrime-as-a-service (CaaS) is a business model that follows the same basic principles of legitimate SaaS models, adopting a service model that makes cybercrime tools accessible through subscriptions.

With SaaS, instead of a user deploying and running software on a local device to execute an operation, all the required software runs as a service, typically via a cloud platform. Access to the service is often done using a subscription mechanism.

CaaS offers all the required components to execute cybercrime instead of regular software. Those components can include hacking tools that enable a would-be attacker to exploit users. CaaS also includes the infrastructure and support needed to successfully execute cybercrime operations.

Instead of using the public cloud for operations, CaaS tends to be deployed on dark web platforms. Like SaaS, CaaS also tends to have subscriptions. But instead of using fiat currency, these operations tend to use only cryptocurrency for payment to provide a degree of anonymity.

Common types of CaaS offerings

Just like there are many types of SaaS offerings, there are many different types of CaaS. Among the most common include the following:

• Ransomware-as-a-service (RaaS). RaaS provides access to ransomware operations. Instead of a straight subscription model, there is also an affiliate model component where proceeds of crime from a ransom payment are shared between the RaaS operator and the affiliate. Some notable examples of RaaS include DarkSide, which was responsible for the Colonial Pipeline attack; and REvil, which was behind the Kaseya attack affecting more than 1,500 organizations.
• Malware-as-a-service (MaaS). This is a general set of CaaS operations that provide subscription access to malware software and tools -- including information stealers, cryptojackers and other common forms of malware.
• Phishing kits. With phishing kits, operators provide the tools and templates that allow attackers to execute phishing campaigns.
• Distributed denial of service-as-a-service. Distributed denial of service (DDoS) attacks flood victims with a massive volume of traffic to overwhelm a service and disrupt operations.
• Botnets-as-a-service. Botnets can be used as part of DDoS and other attacks against users and devices.
• Hacking-as-a-service (HaaS). This is contracted hacking services for tasks such as social media account access and network attacks.

Why cybercrime-as-a-service operations are becoming more prevalent

There are many reasons why CaaS operations are becoming more prevalent. Key reasons include the following:

• Accessibility and ease of use. Some might also refer to this as "democratization" hacking, making tools that once were only the domain of elite hackers accessible with point-and-click ease. CaaS eliminates the need for technical expertise, letting individuals with little or no actual technical skills execute technically sophisticated and impactful attacks.
• Sophistication of tools. CaaS providers continually update their offerings, using advanced techniques to help exploit victims. The advanced tools often outpace defensive capabilities and can evade detection.
• Profitability. Simply put, criminals also go where the money is -- and there is money to be made in CaaS. For individuals who use the services, there is the promise of high financial rewards with relatively low risk. The potential for extortion through ransomware or data breaches -- especially targeting sensitive data -- drives this profitability, with losses estimated at billions annually.
• Anonymity. CaaS operations are generally set up to keep participants anonymous, using cryptocurrency and avoiding things that might enable law enforcement to identify an individual.
• Global reach. As the internet is borderless, CaaS works worldwide, providing threat actors with a global pool of potential victims at any hour of any day.

Emerging trends in cybercrime-as-a-service

As CaaS evolves, several trends are shaping the future of cybercrime, presenting new challenges for cybersecurity professionals.

AI and machine learning

Cybercriminals are using AI in various ways to make attacks more successful.

AI-powered attacks happen in many ways. Here are some examples:

• Deepfakes can be created for social engineering.
• Generative AI tools help with phishing attacks, enabling attackers to write well-crafted lures to hook unsuspecting victims.
• AI can power real-time attack optimization, where the system uses sentiment analysis to adjust a ransom demand based on victim financial disclosures.
• Reinforcement learning models can test network defenses and pivot attack vectors to find exploitable targets.

Triple extortion ransomware

Ransomware continues to evolve in sophistication and the risk it poses to organizations and individuals. Among the disturbing trends with RaaS is the emergence of triple-extortion ransomware.

Triple extortion ransomware is a sophisticated cyberattack that adds a third layer of extortion to traditional ransomware tactics. After encrypting a victim's data and threatening to leak stolen information, attackers introduce a third threat -- such as DDoS attacks or direct intimidation of customers, employees and stakeholders. This multi-layered approach aims to compel victims into paying multiple increasing ransoms by maximizing pressure and potential damage.

Supply chain attacks

CaaS services have been increasingly implicated in supply chain attacks in recent years. Attackers target suppliers or third-party vendors to gain access to larger organizations, exploiting weaknesses in the supply chain to cause data breaches.

Dark web marketplaces

These platforms are becoming more organized. They offer a range of cybercrime tools and services with sophisticated interfaces and customer support, facilitating the commercialization of cybercrime.

How to fight cybercrime-as-a-service

CaaS doesn't necessarily present any specific new threats to individuals and organizations. What it does represent is a significantly increased scale of attacks on existing threat vectors such as DDoS, malware and social engineering.

The way to fight CaaS is much the same as what organizations should be doing to defend against all cyber threats. Core best practices include the following:

• Deploy a zero-trust architecture. A zero-trust security model can limit organizations' attack surfaces by enforcing least-privilege access to services.
• Implement strong access controls. Going beyond basic zero-trust, organizations should enforce multi-factor authentication across all systems. That will make it more difficult for attackers to gain access.
• Deploy security tools. Deploy unified endpoint management, threat intelligence, and extended detection and response technologies to identify and defend against potential risks properly.
• Automate patching. CaaS platforms, just like any other type of cyber attacker activity, go after easy targets first -- which are unpatched systems and software. Consider deploying an automated patching technology to help reduce the risk.
• Develop robust backup and recovery. With ransomware-as-a-service in particular, data theft and destruction are core objectives. By implementing strong data protection, backup and recovery capabilities -- even in the event of a breach -- the organization will be able to recover.
• Create and test incident response plans. Prevention will only go so far, and with the sophistication of CaaS, some attacks will still get through. The ability to respond quickly can significantly reduce the effect. Having detailed incident response plans that address various CaaS attack scenarios is essential. It's also important to conduct regular tabletop exercises to ensure everyone knows their responsibilities during an incident.

How governments and law enforcement can combat cybercrime-as-a-service

While individuals and organizations can take steps to limit the risk of cybercrime, the government and law enforcement are also taking actions to help combat the problem. The same issue that makes CaaS attractive to attackers -- large-scale operations -- also makes it easier for law enforcement to go after a specific platform. Instead of needing to go after hundreds or thousands of individual attackers, law enforcement can shut down just a single CaaS operation.

Global law enforcement collaboration

For law enforcement, working together worldwide is critical as the location of the CaaS operations and vendors are distributed. One example is Operation Cronos, which saw law enforcement come together to disrupt and dismantle the LockBit ransomware-as-a-service operation.

Cryptocurrency tracking

CaaS operations rely on cryptocurrency. Though it can be difficult to trace, ransomware payments are often made to known exchanges, which law enforcement can track and shut down.

Cyber extortion bans

The government also has a role in enacting policies and regulations. For example, the U.S. CIRCIA Act (2024) prohibits critical infrastructure operators from paying ransoms, reducing CaaS profitability.

Sean Michael Kerner is an IT consultant, technology enthusiast and tinkerer. He has pulled Token Ring, configured NetWare and been known to compile his own Linux kernel. He consults with industry and media organizations on technology issues.