A decade ago, when we used to hear about a ransomware attack and thought about its origin, we could imagine someone highly technical breaking a sweat to write code, using phishing or exploit kits to distribute it, and negotiating with the victim after a successful attack. However, after hearing a lot about the ‘as-a-service’ model, malicious actors thought, ‘Why should good guys have all the fun?’ Enter ransomware-as-a-service (RaaS). Let’s call it ‘Cybercrime For Dummies’. No technical or coding skills required. One can simply subscribe to ransomware “kits” just like you’d sign up for any streaming service. Simply pick a plan, launch an attack, and wait for the magic (ransom payments) to happen.
So… What is Ransomware-as-a-Service (RaaS)?
Ransomware-as-a-Service (RaaS) is exactly what it sounds like: ransomware for rent. Consider it a full-fledged business model designed and operated by cybercriminals where they build and sell ready-to-use ransomware tools to other malicious actors who lack the skills to create their own.
Let’s Talk Stats
The Annual Cyber Threat Monitor Report released by the NCC Group in January revealed that the number of annual ransomware cases reached an all-time high of 5,263 in 2024, the highest since the group started monitoring ransomware activity in 2021. 79% of these attacks targeted North America and Europe.
The Data Breach Investigations Report 2025 by Verizon shows that the presence of ransomware, with or without encryption, grew significantly, a 37% increase over the 2024 report; it was present in 44% of all the breaches reviewed. The silver lining was that the median amount paid to ransomware groups had decreased (from $150,000 in 2024 to $115,000). This could be because about 64% of victim organizations did not pay the ransom, compared to 50% in 2023. Looking at the targeted businesses, ransomware was a component of 39% of breaches in larger organizations, while for small and medium businesses it was a component of approximately 88% of breaches.
In June 2023, the Kaspersky Digital Footprint Intelligence team conducted research on 97 malware families that were distributed on the dark web and revealed that ransomware was the most widespread Malware-as-a-Service (MaaS) over the past seven years.
How RaaS Works
Before diving into how RaaS works, let’s understand a few terms:
Operators: The threat actors who operate or develop the Malware-as-a-Service platform. Basically, they are the ‘service providers’ of MaaS.
Affiliates: These are the ‘clients’ or those who purchase the services. They do the dirty work and enjoy their cut of the profits.
Targets: ‘Innocent victims’ usually unaware of the impending doom that is to befall them. Basically anyone.
Initial Access Brokers (IABs): These are the ‘smarty pants’ of the cybercrime world. They are specialists with high technical skills gained through years of black hat hacking. These cybercriminals gain unsanctioned access to secure networks and data, which they then sell on the dark web.
Now, let’s see how RaaS works:
1. Developing the Malware
It starts with the operator or developer designing the ransomware payload with the desired features. These include the encryption algorithms used to lock victim data, the techniques used for self-deletion, evasion methods for bypassing antivirus products and EDRs, and the built-in command-and-control (C2) channels, among others. These functionalities determine the pricing of the ransomware kit. Some basic ransomware kits start as low as $5, while the more reputable ones can go up to $100 or more.
2. Hosting the RaaS Platform
Once the developer feels ‘voilà’ about their malware, it is packaged and made available through darknet marketplaces or private forums. The platforms could make legitimate SaaS sites jealous. They have everything from user-friendly dashboards to payment portals, update rollouts, and even support forums and customer service portals for troubleshooting (24×7, no less). Some professionalism that is!
3. Recruiting Affiliates
Affiliates are the less skilled cybercriminals who spread the ransomware using whatever access they have. Platforms like Telegram or Jabber, and dark web forums, are used for the recruitment process. Sometimes, invitations or private messages are also sent out to join private groups. The recruited affiliates sign up for the service, agree on profit sharing, and get access to the ransomware, related documentation, and tools.
4. Payload Delivery
The affiliates then get down to business. They distribute the ransomware through multiple vectors, such as phishing emails with malicious attachments, exploit kits, and vulnerability exploitation. They also coordinate with Initial Access Brokers (IABs) to gain access to already compromised networks or data.
Affiliates have also come up with new extortion techniques. Sometimes, affiliates deploy a double extortion technique where they first steal data before encrypting it and threaten to publish it if the victim doesn’t pay the ransom. Add DDoS, harassment, and emails to the victim’s customers/partners to the mix, and we have multiple extortion. Remove the encryption, and we have pure extortion, where the threat is to leak the stolen data if the ransom is not paid.
5. Dealing with the Victim for Payment
Payment instructions are usually displayed on the encrypted systems via a message. The payment method is cryptocurrency (for obvious reasons). The ransom note doubles as a guide for victims on how to use Tor and crypto wallets. Links to negotiation portals (hosted on Tor) are provided. Afraid of missing out, some RaaS groups automate the price negotiation conversations using chatbots, while others still rely on human operators.
Talking about separation of duties (SoD), affiliates are responsible for deploying the ransomware, delivering the ransom note, establishing initial communication, and handling negotiation, while the developer has the backend, payment verification, and decryption key distribution as their KPIs.
6. Profit Sharing
If the victim agrees to pay the ransom, the funds are distributed according to the agreement. The developer gets the agreed share while the affiliate keeps the rest.
RaaS has a Business Model too
Yep, it seriously does. Just like OTT streaming platforms, the RaaS model offers some exciting plans:
- Monthly Subscription-based: Pay a fixed monthly fee for access to the ransomware kit (support and updates included).
- Affiliate Programs: The affiliates pay a subscription fee, but developers take a share from each ransom (usually 20-40%).
- One-time license: Buy unlimited access to the malware by paying a flat fee (you lose the support, but keep all the profit).
- Pure Profit Sharing: You do not pay any upfront cost. Profit is shared only when the attack hits its mark (is successful).
RaaS Hall Of Fame
Here are some ransomware gangs that have been in the limelight:
REvil (Sodinokibi): Highly active from 2019 to early 2022, REvil was a Russian‑speaking RaaS operation known for high‑impact attacks following a double‑extortion model. The group was reported to be dismantled in early 2022 by law enforcement agencies, though its techniques and the RaaS model lived on in copycats and rebrands.
DarkSide: This ransomware group made waves after the Colonial Pipeline attack (double extortion model), reportedly stealing approximately 100GB of data from their network, and the organization allegedly paid almost $5 million USD.
Hive: This RaaS operation was active from 2021 until January 2023. The group targeted sectors like healthcare, energy, and education using double extortion attacks. It was disrupted after the FBI infiltrated its infrastructure, seizing servers and distributing decryption keys to victims.
LockBit: A nefarious ransomware-as-a-service (RaaS) operation active from 2019 to 2024. The group was known for fast encryption, aggressive double extortion, and a large affiliate network. It was seized and shut down in February 2024 by Operation Cronos. However, its activity and rebrands persisted with periodic comebacks until one of its developers was arrested in August 2024, and later, in May 2025, a chat log of over 4,400 negotiation messages exchanged between affiliates and victims between December 2024 and April 2025 was leaked. Karma did bite back hard.
BlackCat/ALPHV: This strain emerged in late 2021 and is written in Rust. It uses multiple extortion tactics. The group was responsible for the infamous Change Healthcare attack in February 2024 (the largest hack of individuals’ personal records), in which more than 100 million users’ personal information was stolen.
Protection
Preparedness is the key.
Step up your game with Managed Endpoint Detection and Response (MEDR): Think of MEDR as a security team keeping an eye on your network 24/7 for you. MEDR secures you by providing real-time threat monitoring, proactive threat hunting led by experts, and behavioural and heuristic-based detection.
A backup in need is a backup indeed: Perform frequent and regular backups. Take multiple backups and store them on separate devices (offline) in different locations (off-site). Test your backups regularly to ensure they are not rendered useless when required.
Patch, Scan, Repeat: Unpatched software is an affiliate’s goldmine. A strong and systematic patch management program for all devices and software (don’t miss third-party tools) goes a long way towards protecting against known and unknown vulnerabilities. Leverage automation for updates. Perform regular scanning and penetration testing to find and resolve vulnerabilities.
Divide so that ransomware cannot rule: Segmentation restricts lateral spread. Isolating critical systems in their own network segments prevents a single infection from encrypting the entire network.
Clarity in Chaos: A robust incident response capability gives you more control. A good incident response plan can aid in managing and mitigating the impact of an attack. To put it in simple terms:
Incident + Panic = Chaos; Incident + Plan = Clarity
We have an entire article for you on this one.
Old is not gold anymore: Traditional protection techniques fail against current ransomware. Implement advanced anti-phishing protection.
Strengthen your tribe: If cyberattacks were an award show, human error would win best lead and phishing would win technique of the year every time. A single careless click is all it takes to bring down an entire network. Employees are the first line of defence against any attack, and it’s high time organizations realized it. Embed cybersecurity training in employee education to build a culture of security.
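The behavioural and heuristic detection that the MEDR item above relies on can be illustrated with a small detector. The Python below is an added example, not code from this article or from any EDR product; its event format, thresholds and sample telemetry are assumptions constructed for it. It flags a process that overwrites many files with high-entropy (ciphertext-like) data or renames them to new extensions inside a short window, while a single high-entropy write (an archiver, a download) does not fire.

```python
import math
import os
from collections import Counter, defaultdict
# Thresholds are assumptions for this example, not figures from the article.
ENTROPY_THRESHOLD = 7.0  # bits/byte; ciphertext and compressed data approach 8.0
MIN_FILES = 5            # distinct files one process must hit inside the window
WINDOW_SECONDS = 10.0

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def is_suspicious(ev: dict) -> bool:
    """Ransomware-like if it overwrites a file with high-entropy bytes or
    renames it to a different extension (report.docx -> report.docx.locked)."""
    if ev["op"] == "write":
        return shannon_entropy(ev["data"]) >= ENTROPY_THRESHOLD
    if ev["op"] == "rename":
        return os.path.splitext(ev["path"])[1] != os.path.splitext(ev["new_path"])[1]
    return False

def detect_mass_encryption(events: list) -> dict:
    """{pid: files} for processes whose suspicious events touch MIN_FILES distinct
    files inside one WINDOW_SECONDS sliding window; a lone high-entropy write never fires."""
    per_pid = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if is_suspicious(ev):
            per_pid[ev["pid"]].append((ev["ts"], ev["path"]))
    alerts = {}
    for pid, hits in per_pid.items():
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > WINDOW_SECONDS:
                start += 1  # slide the window forward past stale events
            touched = {path for _, path in hits[start:end + 1]}
            if len(touched) >= MIN_FILES:
                alerts[pid] = touched
                break
    return alerts

# Constructed sample telemetry (not real data): a benign editor, an archiver writing
# one compressed file, and one process rewriting and renaming six documents in seconds.
ENCRYPTED = bytes(range(256)) * 4  # uniform bytes, entropy 8.0, stands in for ciphertext
PLAINTEXT = b"quarterly figures look fine\n" * 16
SAMPLE_EVENTS = (
    [{"ts": 0.0, "pid": 101, "op": "write", "path": "/home/a/docs/q1.docx", "data": PLAINTEXT},
     {"ts": 1.0, "pid": 300, "op": "write", "path": "/home/a/backup.7z", "data": ENCRYPTED}]
    + [{"ts": 2.0 + i * 0.4, "pid": 777, "op": "write", "path": f"/home/a/docs/f{i}.xlsx",
        "data": ENCRYPTED} for i in range(6)]
    + [{"ts": 5.0 + i * 0.4, "pid": 777, "op": "rename", "path": f"/home/a/docs/f{i}.xlsx",
        "new_path": f"/home/a/docs/f{i}.xlsx.locked"} for i in range(6)]
)
```

Running `detect_mass_encryption(SAMPLE_EVENTS)` reports only pid 777; the archiver's single high-entropy write and the editor's plaintext write stay quiet.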
The RaaS franchise has emerged as one of the most significant developments in the modern threat landscape. With great power and no responsibility, RaaS continues to mature. Organizations must develop their security strategies not only to address this evolving threat but also to disrupt the business model itself. There is a long way to go, and it will require international cooperation on law enforcement, financial system controls on cryptocurrency transactions, and comprehensive organizational security programs that assume breach scenarios and prioritize resilience over prevention alone.
Caught feelings for cybersecurity? It’s okay, it happens. Follow us on LinkedIn and Instagram to keep the spark alive.