
Ransomware as a service

Business model for cyber criminals

From Wikipedia, the free encyclopedia

Ransomware as a service (RaaS /sæs/) is a cybercrime business model in which ransomware developers, known as operators, write and sell or lease harmful code or malware to other criminals, known as affiliates, who use that software to launch their own ransomware attacks.[1] Affiliates typically need no technical skills of their own and rely instead on the skills of the operator. The model lowers the barrier to entry for attackers who cannot develop their own tools but can deploy and manage ready-made ones. Most arrangements involve some form of agreement between affiliate and operator that makes successful ransomware and extortion attacks profitable for both parties.[2]

The "ransomware as a service" model is a criminal variation of the "software as a service" (SaaS /sæs/) business model.[3] It gives small threat actors access to sophisticated ransomware tools at low cost, lowering the threshold of entry into cybercrime and complicating defenses against hacking.

Starting as early as 2012 with the first documented RaaS, the Reveton ransomware,[4] the use and development of ransomware expanded rapidly.[5] Reveton's tactic of impersonating law enforcement and threatening targets with arrest or criminal charges unless a ransom was paid made it highly successful, particularly for something relatively new at the time. Other ransomware groups, such as LockBit, launched more than 7,000 attacks globally between June 2022 and February 2024, shortly before their downfall,[6] affecting organizations in healthcare, finance, manufacturing, and government and causing data breaches, operational disruptions, and substantial financial losses.[7] The downfall of one group, however, leads to the rise of others: Qilin was one of the most active ransomware groups in 2025, alongside Akira.[6] According to Fortinet, Qilin carried out approximately 81 attacks in a single month, a 47.3% increase, while other groups grew more slowly or even declined.[6]

Around 950 companies and institutions reported some form of ransomware incident in 2024. The economic damage caused by these cyberattacks was approximately €178.6 billion, an increase of €30.4 billion over the previous year's report.

Revenue models

Affiliates can choose from several revenue models, including monthly subscriptions, affiliate programs, one-time license fees, and pure profit sharing.[8][9] In subscription-based models, affiliates pay a recurring fee for access to the operator's ransomware platform, tools, and technical support. A one-time license fee is a single payment for unlimited use of the ransomware tools. The most common model, however, is profit sharing, in which the operator and the affiliate split the payment after each successful attack.[9] This level of support and functionality is similar to that of legitimate SaaS products.[10] A common profit-sharing split gives the developer 20% and the affiliate the remaining 80%.[11] Profit sharing also gives operators a more consistent income while reducing their own risk, since affiliates carry the exposure for incidents that occur during an attack. Offering multiple payment options makes RaaS platforms accessible to a wider range of cybercriminals, attracts a larger audience, and ultimately increases the scale and frequency of ransomware attacks.[12]

Figure: Step-by-step operation of RaaS[13]

The RaaS market is highly competitive, with operators running marketing campaigns and building websites that closely mimic those of legitimate businesses. Global revenue from ransomware attacks was approximately $20 billion in 2020, highlighting how financially successful RaaS can be.[10]

In the first half of 2024, the average amount of ransomware claims per ransomware attack was more than $5.2 million, including a record victim payment of $75 million in March 2024.[11]

The Microsoft Threat Intelligence Center (MSTIC) distinguishes RaaS from earlier forms of ransomware by noting that there is no longer a tight link between the tools used, the initial entry vector, and the choice of payload.[12] It regards RaaS operations as a double threat: they both encrypt data and exfiltrate it, threatening to publish it.[12]

History and emergence

"Ransomware as a service" traces its roots to the early 2010s, when SaaS and similar service models were gaining popularity. As SaaS spread, cybercriminals saw its structure as something they could adopt for illicit use, which gave rise to RaaS as it has existed for many years since.[14] The first known RaaS case, the Reveton ransomware, appeared around 2012 and supplied affiliates with ransomware tools and a platform for launching their own attacks. Its techniques included impersonating law enforcement and threatening companies with arrest or charges unless a ransom was paid, which made it very profitable for both affiliate and operator.[15] This early success encouraged other ransomware developers to build similar systems, quickly producing an underground market where ransomware could be bought, sold, or customized, and RaaS grew rapidly in the years that followed.

Over the years, the RaaS model became more organized and efficient, leading to a growing number of ransomware groups such as Hive, DarkSide, REvil, Dharma, and LockBit.[16] The operations of these groups expanded the model worldwide, with thousands of attacks against organizations and businesses in sectors the groups assume to be profitable.

Extortion methods

Ransomware threat actors use different techniques to extort money from victims. Some of the main methods include:

Double extortion

In a double extortion ransomware attack, the threat actors first encrypt the victim's data. They then threaten to publicly release exfiltrated data if the ransom is not paid. This puts additional pressure on the victim to pay the ransom to avoid having sensitive data leaked.[17]

According to analysis from cybersecurity firm Zscaler, 19 ransomware families adopted double or multi-extortion approaches in 2021. By 2022, this number grew to 44 families using this technique. Groups like Babuk and SnapMC pioneered double extortion ransomware. Other actors like RansomHouse, BianLian, and Karakurt later adopted it as well.[17]

Multiple extortion

Multiple extortion is a variant of double extortion. In addition to encrypting data and threatening to leak it, threat actors also launch DDoS attacks against the victim's website or infrastructure. This adds another element to pressure victims into paying.[17]

Pure extortion

In a "pure extortion" or "encryption-less ransomware" attack, the threat actors exfiltrate sensitive data but do not encrypt any files. They threaten to publish the stolen data online if the ransom is not paid. This approach allows threat actors to skip the complex technical work of developing encryptors.[17]

Groups like LAPSUS$ and Clop have used pure extortion techniques in high-profile attacks. Since victims' systems are not locked, this method tends to cause less disruption and draws less attention from authorities. However, the financial impact on targeted organizations can still be severe.[17]

Prevention

Organizations and individuals can take multiple precautions to reduce the probability of being affected by cyber attacks, especially RaaS attacks. Common precautions form part of a "multi-layered" defense strategy, including:[18][19]

  • User Awareness
  • Signature Mapping
  • Behavioral and Heuristic-based Detection
  • Patching and Updates
  • Compliance
  • File Integrity Monitoring
  • Offline Backups
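Two of the layers listed above, file integrity monitoring and behavioral detection, can be combined in a small monitor that records a hash baseline of a directory and then flags the change pattern typical of an encryption-style ransomware event: a large fraction of baseline files modified or deleted at once, with the new contents showing near-random byte entropy. The following Python is an added example written for this article, not code from the article or from any product it names; the entropy threshold of 7.0 bits per byte and the 50% mass-change ratio are assumptions chosen for the demonstration, and the "encrypted" files in the demo are constructed by writing random bytes into a temporary directory.

```python
"""Minimal file-integrity monitor with a ransomware-style change heuristic.
Added example; thresholds below are assumptions, not values from the article."""
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

HIGH_ENTROPY = 7.0        # bits/byte; assumption: encrypted or compressed data sits near 8.0
MASS_CHANGE_RATIO = 0.5   # assumption: alert when at least half the baseline changes at once


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to be fully loaded."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, max 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_baseline(root: Path) -> dict[str, str]:
    """Map every file under root (relative path) to its SHA-256 digest."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(root: Path, baseline: dict[str, str]) -> dict:
    """Diff the current tree against the baseline and apply the mass-change heuristic."""
    current = build_baseline(root)
    modified = [p for p in baseline if p in current and current[p] != baseline[p]]
    deleted = [p for p in baseline if p not in current]
    added = [p for p in current if p not in baseline]
    # Changed or new files whose bytes look encrypted (high entropy)
    high_entropy = [p for p in modified + added
                    if shannon_entropy((root / p).read_bytes()) >= HIGH_ENTROPY]
    ratio = (len(modified) + len(deleted)) / len(baseline) if baseline else 0.0
    return {
        "modified": modified,
        "deleted": deleted,
        "added": added,
        "high_entropy": high_entropy,
        "mass_change_ratio": ratio,
        # Alert only when many files changed AND the new contents look encrypted,
        # so a routine bulk edit of plain text files does not trip the rule.
        "ransomware_like": ratio >= MASS_CHANGE_RATIO and len(high_entropy) > 0,
    }


def demo() -> tuple[dict, dict]:
    """Constructed scenario: five plain text files, one benign edit, then a bulk
    replacement of four files with random bytes standing in for encrypted output."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for i in range(5):
            (root / f"report{i}.txt").write_text("quarterly figures, plain text " * 20)
        baseline = build_baseline(root)

        (root / "report0.txt").write_text("quarterly figures, plain text, edited once")
        benign = compare(root, baseline)

        for i in range(1, 5):
            (root / f"report{i}.txt").write_bytes(os.urandom(4096))
        bulk = compare(root, baseline)
    return benign, bulk


if __name__ == "__main__":
    benign_report, bulk_report = demo()
    print("benign edit flagged:", benign_report["ransomware_like"])
    print("bulk replacement flagged:", bulk_report["ransomware_like"],
          "high-entropy files:", bulk_report["high_entropy"])
```

In practice the baseline would be stored outside the monitored host (or on the offline backup media the list also recommends) so that an intruder who gains write access cannot silently rebuild it, and the heuristic would run on a schedule or from a file-system event hook rather than on demand.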

RaaS significantly reduces the barriers to entry into cybercrime, allowing attackers of all skill levels to launch their own attacks and devastating campaigns.[19] With well-organized operations, affiliate networks, and profit-sharing models, RaaS is expected to keep evolving and growing.[18]

Notable groups

Several well-known groups that have shaped the cybercrime ecosystem include:

  • Hive: known for double-extortion tactics before being shut down by international law enforcement.[20]
  • DarkSide: known for professional branding, PR statements, and even a code of conduct.[21][22]
  • REvil (also known as Sodinokibi): offered detailed dashboards to affiliates and negotiated ransoms on their behalf until the group disbanded.[21] It was considered one of the most active RaaS groups, responsible for a majority of attacks.[23]
  • Dharma: long-running, known for its volume of attacks and widespread recruitment of lower-skilled affiliates.[24]
  • LockBit: still active, known for aggressive tactics and publicly displayed leak sites.[21] It relies mainly on rapid encryption, affiliate recruitment, and global targeting across many industries.[25]

These operators continually evolve and create new iterations of ransomware to maximize their impact.[26]

Examples of RaaS kits include Locky, Goliath, Shark, Stampado, Jokeroo and Encryptor.[26]

Hive garnered attention in April 2022 when they targeted Microsoft's Exchange Server customers. The US Department of Justice seized two servers belonging to Hive, disrupting their operations.[26]

DarkSide primarily targeted Windows machines but has expanded to Linux systems. They gained notoriety in the Colonial Pipeline incident, where the organization paid nearly $5 million to a DarkSide affiliate.[26]

REvil is associated with PINCHY SPIDER and became known for demanding one of the largest ransoms on record: $10 million.[26]
