Understanding Ransomware as a Service (RaaS): The Complete Guide to How Cybercrime Becomes a Business

Ransomware as a Service (RaaS) has fundamentally transformed the landscape of cybercrime, turning what was once a highly technical, niche criminal activity into a scalable, accessible, and disturbingly profitable business model. In the past, launching a ransomware attack required deep programming expertise, knowledge of encryption algorithms, and the ability to build and maintain command-and-control infrastructure. Today, RaaS has democratized ransomware, allowing even low-skilled individuals—often referred to as “affiliates”—to launch sophisticated attacks with minimal technical effort. This shift has led to an explosion in the frequency and severity of ransomware incidents worldwide. Understanding RaaS is not just important for cybersecurity professionals; it is critical for business leaders, IT managers, and anyone responsible for protecting digital assets. This comprehensive guide will dissect every aspect of Ransomware as a Service, from its definition and business model to the step-by-step attack lifecycle, prevention strategies, and frequently asked questions. By the end, you will have a deep, actionable understanding of this cybercrime phenomenon and how to defend against it.

The core concept of RaaS is borrowed directly from legitimate software-as-a-service (SaaS) models. In the legitimate world, companies offer software on a subscription basis, handling infrastructure, updates, and support. RaaS mimics this structure entirely—only the product is malicious. The developer (or “operator”) creates the ransomware code, builds the encryption mechanisms, sets up payment portals, and provides a dashboard for affiliates. Affiliates, who may be novice cybercriminals, simply sign up for the service (often through dark web forums or Telegram channels), receive access to the ransomware build, and then launch attacks. In return, the operator takes a percentage of any ransom paid—typically between 20% and 40%, with the affiliate keeping the rest. This symbiotic relationship has proven incredibly lucrative. For example, the infamous REvil (Sodinokibi) gang reportedly operated a classic RaaS model, raking in millions before law enforcement disruptions. The ease of entry has led to a surge in attacks: instead of a handful of elite criminal groups, there are now hundreds of different RaaS strains active at any given time, each with its own affiliate network, target preferences, and negotiation tactics.


How Ransomware as a Service Differs from Traditional Ransomware

To fully grasp the significance of RaaS, it is helpful to compare it with traditional ransomware operations. In the early 2010s, most ransomware was created and deployed by individual developers or small, tight-knit groups. These operators handled every aspect: writing the code, distributing it via phishing campaigns or exploit kits, managing the decryption keys, and collecting payments. This required a broad skill set and high technical competence, which limited the number of active groups. The ransomware itself was often relatively simple, encrypting only the victim’s local files and demanding a few hundred dollars in Bitcoin. The business model was linear: one group, one attack chain.

RaaS flips this model on its head. The ransomware developer now acts as a core technology provider, analogous to a software vendor. They invest in making their ransomware more robust—using advanced encryption (often AES + RSA), implementing features like file exfiltration before encryption (the “double extortion” model), and even offering customer support to victims. The affiliate is responsible for gaining initial access to the target network, often through purchased credentials, phishing, or exploiting vulnerabilities in exposed services. The developer provides the “platform,” while the affiliate does the dirty work of infection. This specialization drives efficiency: top developers can focus on improving the malware, while affiliates can focus on finding high-value targets. The result is a massive increase in both the number of attacks and the scale of ransoms demanded, which now often reach millions of dollars per incident.

The RaaS Business Model: Roles, Revenue Splits, and Marketplaces

Understanding RaaS requires dissecting its business model. At the top are the developers (operators) who create and maintain the ransomware kit. They typically operate on a “profit-sharing” basis, taking a percentage of each ransom paid by the affiliate’s victims. The split varies: some operators charge a flat monthly subscription fee (like a SaaS subscription) and let affiliates keep 100% of ransoms, but this is less common because it doesn’t align incentives. The dominant model is the 70/30 or 80/20 split (affiliate gets the larger share). For example, the LockBit ransomware group has been known to offer affiliates up to 80% of the ransom for direct negotiations with victims. Operators also provide supporting services: a user-friendly affiliate panel, documentation, encryption keys, payment portals, and often technical support. Some even offer “customer service” to victims—helping them negotiate payments and providing decryption tools after the ransom is paid, which ironically increases victims’ trust.

Affiliates range from small-time hackers to sophisticated penetration testers who sell access to networks. They identify targets using tools like Shodan, Censys, or by purchasing initial access from other criminal marketplaces (initial access brokers). Once they have a foothold in a target network (e.g., through a weak RDP password or a phishing email), they deploy the ransomware. The affiliate’s main job is to move laterally across the network, escalate privileges, steal sensitive data, and then execute the ransomware. The stolen data is used for double extortion: if the victim refuses to pay, the affiliate threatens to leak the data publicly or sell it on the dark web. This has become standard practice because many organizations have backups and can restore data without paying, but they cannot risk sensitive data exposure. The RaaS infrastructure handles the encryption key exchange, the payment website (usually hosted on Tor), and the communication between the victim and the attacker.

The underground marketplace for RaaS is active and organized. Affiliates find RaaS programs on dark web forums like Exploit, XSS, or specialized Telegram channels. Some of the most notorious RaaS families include LockBit, BlackCat (ALPHV), Royal, Clop, Hive, and REvil (even after law enforcement takedowns, new variants emerge). These groups compete for affiliates by offering better terms, more features, and better reputation. For instance, LockBit has been called the “McDonald’s of ransomware” because of its user-friendly affiliate dashboard and 24/7 support. The competition drives innovation—ransomware now includes features like self-propagation using tools like PsExec, disabling antivirus software, and even customizing ransom notes with victim branding.

Step-by-Step Guide: How a RaaS Attack Unfolds

To understand RaaS, you must know the operational steps from the affiliate’s perspective. This is the attack lifecycle. Each step presents opportunities for defenders to detect and stop the attack.

Step 1: Initial Access – Getting a Foot in the Door

The first step for the affiliate is to gain access to the target organization’s network. This is the hardest part for low-skilled affiliates, which is why many RaaS operators encourage affiliates to use “initial access brokers.” These brokers specialize in obtaining remote desktop credentials, VPN access, or email credentials through phishing campaigns, brute-force attacks, or by exploiting unpatched vulnerabilities. Common methods include: scanning the internet for exposed RDP ports (port 3389) and trying weak passwords; sending spear-phishing emails with malicious attachments (e.g., a Word document with a macro that downloads a payload); or buying compromised credentials from data breaches. Once the affiliate has a valid username and password, they log into the network.

Step 2: Persistence and Reconnaissance – Explore and Establish a Hold

After logging in, the affiliate needs to ensure they can maintain access and expand their presence. They deploy persistence mechanisms such as scheduled tasks, registry modifications, or backdoors. Then, they perform reconnaissance using built-in Windows tools like netstat, nslookup, and PowerShell scripts. The goal is to map the network: identify domain controllers, file servers, databases, backup servers, and—most importantly—find the crown jewels: sensitive data and critical systems. They also look for any security tools (EDR, antivirus) and try to disable or bypass them. Some RaaS platforms include a “recon module” that automates this scanning process, making it even easier for affiliates.

Step 3: Lateral Movement and Privilege Escalation – Spread Like Wildfire

With an initial foothold, the affiliate moves laterally across the network using stolen credentials, pass-the-hash attacks, or exploiting vulnerabilities. They aim to reach high-privilege accounts (Domain Admin) to gain control over all machines. Tools like Mimikatz are commonly used to extract password hashes from memory. Once they have Domain Admin privileges, they can deploy the ransomware payload to all endpoints via Group Policy, PsExec, or Windows Admin Center. At this stage, the affiliate also sets up Cobalt Strike or similar command-and-control (C2) tools to maintain stealthy communication with the infected machines. The RaaS dashboard typically provides a default binary that affiliates can customize with their campaign name, ransom amount, and payment address.

Step 4: Data Exfiltration – The Double Extortion Preparation

Before triggering the encryption, the affiliate exfiltrates sensitive data. This is a critical shift from older ransomware: today, almost every major RaaS strain includes a data theft component. The affiliate uses tools like Rclone, FileZilla, or custom scripts to upload stolen files—often pulling from file servers, databases, and SharePoint—to cloud storage services like Mega, Dropbox, or rented servers. This stolen data becomes the leverage: if the victim doesn’t pay, the affiliate will publish the data on a “leak site” on the dark web, causing regulatory fines (e.g., GDPR) and reputational damage. The RaaS operator often provides the leak site infrastructure, ensuring the data is publicly accessible.

Step 5: Encryption Execution – The Attack Goes Live

Once the data is exfiltrated and the affiliate is confident about network control, they deploy the ransomware payload. The payload executes on all targeted systems, encrypting files with a strong symmetric key (AES-256) and then encrypting that key with an RSA public key stored in the payload. The victim’s files are renamed with extensions like .lockbit, .blackcat, or .royal, and ransom notes are dropped in every folder. The ransom note instructs the victim to contact the attacker via a Tor-based chat site and pay a specific amount in Bitcoin or Monero. The RaaS operator’s infrastructure generates a unique victim ID and tracks payment status. If the victim pays, the operator decrypts the data using the private key they hold. In many cases the ransom amount is negotiated between the affiliate (or operator) and the victim, who may engage a professional ransomware negotiator.

Step 6: Collection and Negotiation – The Final Stage

After encryption, the affiliate (or the RaaS operator) communicates with the victim through the Tor chat. This is where the psychological manipulation happens: the attacker sets a deadline, often 3-7 days, and threatens to increase the ransom or leak the data. Some RaaS groups offer a “do it yourself” decryption portal—if the victim pays, they get a decryption tool automatically. Others require manual intervention. The split of the ransom is handled automatically by the RaaS platform: when a payment is detected in the Bitcoin wallet, the platform divides it between the operator’s wallet and the affiliate’s wallet based on the predetermined percentage. The business model self-executes.

Tips and Best Practices for Defending Against RaaS Attacks

Tip 1: Implement a Zero-Trust Architecture and Multi-Factor Authentication

Since RaaS affiliates often gain initial access through stolen credentials or weak RDP configurations, the single most effective defense is to enforce multi-factor authentication (MFA) everywhere—especially for VPNs, RDP, and email access. Combine this with a zero-trust model that limits lateral movement: restrict administrative privileges, segment your network, and use micro-segmentation to prevent an attacker from moving from a compromised workstation to a server. Never allow direct RDP from the internet; use a VPN with MFA. Additionally, monitor for anomalous access patterns, such as a user logging in from an unusual geographic location or at odd hours, which could indicate a compromised credential.
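As an added illustration of the monitoring this tip calls for (example code, not from the original article), the following Python checks a batch of constructed Windows 4624-style logon events for three of the patterns named above: interactive RDP logons arriving from outside the RFC 1918 ranges, logons outside business hours, and a user's first logon from a country not in their baseline. The event field names, the business-hours window and the per-event country (standing in for a GeoIP lookup) are assumptions.

```python
"""Added example: flag the logon anomalies Tip 1 describes.

Input is a list of constructed Windows Security 4624-style events (not real
telemetry).  The 'country' field stands in for the GeoIP lookup a SIEM would
perform on the source address; field names and business hours are assumptions.
"""
from datetime import datetime
from ipaddress import ip_address, ip_network

BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 local time counts as normal
RDP_LOGON_TYPE = 10             # Windows LogonType 10 = RemoteInteractive (RDP)
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

SAMPLE_EVENTS = [  # constructed sample data
    {"ts": "2025-03-03T09:15:00", "user": "alice", "src": "10.0.5.21", "logon_type": 2, "country": "DE"},
    {"ts": "2025-03-04T10:02:00", "user": "alice", "src": "10.0.5.21", "logon_type": 2, "country": "DE"},
    {"ts": "2025-03-05T03:41:00", "user": "alice", "src": "198.51.100.7", "logon_type": 10, "country": "BR"},
    {"ts": "2025-03-05T11:00:00", "user": "bob", "src": "10.0.7.8", "logon_type": 10, "country": "DE"},
]


def is_internal(addr: str) -> bool:
    """True when the source address lies in one of the RFC 1918 ranges."""
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def detect_logon_anomalies(events):
    """Return (user, reason) alerts.  The per-user country baseline is built
    from earlier events in the same batch, processed oldest first."""
    alerts = []
    seen_countries = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, when = ev["user"], datetime.fromisoformat(ev["ts"])
        known = seen_countries.setdefault(user, set())
        # 1. Interactive RDP session arriving from outside the internal ranges:
        #    the article says direct RDP from the internet should never be allowed.
        if ev["logon_type"] == RDP_LOGON_TYPE and not is_internal(ev["src"]):
            alerts.append((user, f"rdp-from-internet:{ev['src']}"))
        # 2. Logon at an unusual hour
        if when.hour not in BUSINESS_HOURS:
            alerts.append((user, f"off-hours:{ev['ts']}"))
        # 3. First logon from a country not in this user's baseline
        if known and ev["country"] not in known:
            alerts.append((user, f"new-country:{ev['country']}"))
        known.add(ev["country"])
    return alerts
```

Only alice's third logon trips all three checks; bob's internal RDP logon during business hours produces nothing, which is the point of baselining rather than alerting on every RDP session.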

Tip 2: Maintain Air-Gapped and Immutable Backups

While double extortion makes backups less effective (because data can still be leaked), having reliable backups is still crucial for recovery without paying. However, you must ensure backups cannot be encrypted or deleted by the attacker. Implement the 3-2-1 rule: three copies, two different media types, one off-site. But go further: use immutable backup storage (e.g., AWS S3 Object Lock, where data cannot be deleted for a set period) and maintain an air-gapped copy (disconnected from the network). Test your restore process regularly. If your backups are secure, you can refuse to pay the encryption ransom, though you still face the extortion of leaked data.

Tip 3: Detect and Block Lateral Movement and Exfiltration

RaaS attacks rely on long dwell times—days or weeks between initial access and encryption. Use Endpoint Detection and Response (EDR) solutions to detect suspicious behaviors such as credential dumping (Mimikatz), abnormal SMB traffic, or large data transfers to unfamiliar external IPs. Deploy EDR with behavioral analytics that can flag the use of remote admin tools like PsExec or WMI. Also, implement data loss prevention (DLP) policies that block uploads to cloud storage services unless explicitly allowed. Network segmentation and proper firewall rules can limit the attacker’s ability to reach backup servers and high-value data. Consider using deception technology: deploy honeypots that mimic critical systems to lure attackers and trigger alerts.
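As an added example (not code from the article) of the behavioural detections this tip describes, covering the lateral-movement and exfiltration steps of the lifecycle above: a handful of rules over constructed EDR-style events that flag LSASS access by a non-system process, installation of the PsExec service, processes spawned via WMI, and bulk upload to a host outside an allow-list, with flow bytes summed per destination so a transfer split across connections is still caught. Field names, the threshold and the allow-list are assumptions, not any product's schema.

```python
"""Added example: behavioural rules for the Tip 3 signals over EDR-style events.

Events are constructed in a Sysmon-like shape; field names, the threshold and
the allow-list are assumptions, not any product's schema.
"""
from collections import defaultdict

MIB = 1024 ** 2
EXFIL_THRESHOLD_BYTES = 500 * MIB                      # per (host, destination)
ALLOWED_EXTERNAL = {"backup.example-vendor.invalid"}   # sanctioned external host

SAMPLE_EVENTS = [  # constructed sample data
    # Sysmon event 10 shape: a process from a user-writable path opening lsass.exe
    {"kind": "process_access", "host": "WS-042",
     "source_image": "C:\\Users\\alice\\AppData\\Local\\Temp\\x.exe",
     "target_image": "C:\\Windows\\System32\\lsass.exe"},
    # Service install carrying the name the Sysinternals PsExec service uses
    {"kind": "service_install", "host": "FS-01", "service_name": "PSEXESVC"},
    # Process created with WmiPrvSE.exe as parent (remote WMI execution)
    {"kind": "process_create", "host": "DC-01",
     "parent_image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "image": "C:\\Windows\\System32\\cmd.exe"},
    # Two uploads that are each under the threshold but exceed it together
    {"kind": "network_flow", "host": "FS-01", "dest_host": "files.unknown-cloud.invalid", "bytes_out": 300 * MIB},
    {"kind": "network_flow", "host": "FS-01", "dest_host": "files.unknown-cloud.invalid", "bytes_out": 300 * MIB},
    # Benign: large transfer to the sanctioned backup vendor
    {"kind": "network_flow", "host": "FS-01", "dest_host": "backup.example-vendor.invalid", "bytes_out": 2048 * MIB},
]


def rule_lsass_access(ev):
    """Credential dumping: something outside System32 opened LSASS."""
    if ev["kind"] != "process_access" or not ev["target_image"].lower().endswith("\\lsass.exe"):
        return None
    if ev["source_image"].lower().startswith("c:\\windows\\system32\\"):
        return None  # trusted path; production rules would also check the signer
    return "credential-dumping: lsass.exe opened by " + ev["source_image"]


def rule_psexec(ev):
    """Remote admin tooling: PsExec installs a service named PSEXESVC on the target."""
    if ev["kind"] == "service_install" and ev["service_name"].upper().startswith("PSEXESVC"):
        return "remote-admin-tool: PsExec service installed"
    return None


def rule_wmi_spawn(ev):
    """Remote admin tooling: processes started via WMI have WmiPrvSE.exe as parent."""
    if ev["kind"] == "process_create" and ev["parent_image"].lower().endswith("\\wmiprvse.exe"):
        return "remote-admin-tool: " + ev["image"] + " spawned via WMI"
    return None


PER_EVENT_RULES = (rule_lsass_access, rule_psexec, rule_wmi_spawn)


def evaluate(events):
    """Return {host: [alert, ...]}.  Flows are summed per (host, destination) so
    an upload split into many connections still trips the exfiltration rule."""
    alerts = defaultdict(list)
    bytes_by_dest = defaultdict(int)
    for ev in events:
        for rule in PER_EVENT_RULES:
            hit = rule(ev)
            if hit:
                alerts[ev["host"]].append(hit)
        if ev["kind"] == "network_flow" and ev["dest_host"] not in ALLOWED_EXTERNAL:
            bytes_by_dest[(ev["host"], ev["dest_host"])] += ev["bytes_out"]
    for (host, dest), total in bytes_by_dest.items():
        if total >= EXFIL_THRESHOLD_BYTES:
            alerts[host].append(f"exfiltration: {total // MIB} MiB to {dest}")
    return dict(alerts)
```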

Frequently Asked Questions About Ransomware as a Service

Q1: What exactly is Ransomware as a Service (RaaS)?

RaaS is a cybercrime business model where ransomware developers sell or lease their malicious software to affiliates who then conduct the actual attacks. The developer provides the ransomware code, payment infrastructure, and often technical support, while the affiliate gains access to the victim’s network and deploys the ransomware. Profit is split between the two parties, usually with the affiliate receiving the larger share. This model has dramatically increased the number of ransomware attacks because it lowers the barrier to entry for would-be cybercriminals.

Q2: Who are typical affiliates in RaaS operations?

Affiliates come from a wide range of backgrounds. Some are experienced penetration testers or former security professionals who use their skills for criminal purposes. Others are low-skilled individuals who purchase initial access from brokers or use automated tools to find exposed RDP servers. There have even been cases of disgruntled employees leaking credentials to RaaS affiliates. Because the affiliate is the “boots on the ground” in the victim’s network, they often have knowledge about the target’s vulnerabilities. The RaaS model allows anyone with the will to pay for access to become a ransomware attacker.

Q3: Is it legal to monitor dark web RaaS forums?

Law enforcement and intelligence agencies routinely monitor dark web markets for illegal activities, including RaaS operations. For private companies, it is generally legal to monitor publicly accessible dark web forums (via Tor) for intelligence purposes, as long as they do not engage in illegal hacking activities themselves. However, accessing these forums can be risky because of the presence of malware and scams. Many organizations use threat intelligence services that do the monitoring for them. It’s best to consult with legal counsel before any direct engagement with criminal forums.

Q4: Should a company pay the ransom if hit by a RaaS attack?

This is a complex decision. The FBI and many cybersecurity agencies strongly advise against paying ransoms because it funds criminal enterprises and does not guarantee data recovery. However, in situations where the encrypted data is critical for operations and backups are insufficient, and the leaked data could cause catastrophic reputational damage, some organizations choose to pay. The decision should involve senior leadership, legal, and a professional ransomware negotiator. Paying increases the likelihood of being targeted again (the “recidivism” problem). There is also a risk that the RaaS operator may not provide a working decrypter. Ultimately, it’s a calculated risk.

Q5: How can small businesses defend against RaaS if they lack a dedicated security team?

Small businesses are common targets because they often have weaker defenses. Key steps include: use a reputable endpoint protection solution with anti-ransomware features (some EDR solutions are affordable and cloud-managed); enforce MFA on all accounts, especially email; train employees to recognize phishing attempts; keep all software patched (especially remote access services); and use cloud services that include built-in backup and encryption. Consider subscribing to a managed security service provider (MSSP) that monitors for threats 24/7. Even basic measures like routinely changing passwords and disabling unused services can reduce risk significantly.

Q6: What are the most prevalent RaaS groups in 2024-2025?

As of early 2025, some of the most active RaaS groups include LockBit (despite law enforcement disruption), BlackCat (ALPHV), Royal, Clop, and Akira. However, the RaaS landscape is highly volatile. Groups disband, rebrand, or get taken down by authorities. For example, Hive was shut down in 2023 but its code may resurface. Following threat intelligence feeds (e.g., from CISA, CrowdStrike, or Recorded Future) is essential for staying up-to-date. Below is a table comparing some prominent RaaS groups based on publicly available data.

RaaS Group | Affiliate Split (approx.) | Notable Features | Primary Attack Vector | Status (2025)
LockBit | 70-80% to affiliate | Self-propagating, fast encryption, leak site with auction | RDP brute force, phishing | Still active despite takedowns
BlackCat (ALPHV) | 75-90% to affiliate | Rust-based, cross-platform (Windows/Linux), custom builder | Exploits, compromised VPNs | Highly active
Royal | Variable, often 70% | Uses “callback phishing”, manual deployment | Phone scams, RDP | Active
Clop | 50-70% to affiliate | Known for exploiting zero-days in file transfer software (e.g., Accellion, GoAnywhere) | Vulnerability exploitation | Active after legal troubles
REvil (Sodinokibi) | 60% to affiliate | Double extortion, high ransom demands, VIP victims | Phishing, supply chain | Dismantled in 2022, but new variants emerge

Additional Reference: Typical RaaS Ransom Amounts and Payment Methods

To provide context on the financial impact of RaaS attacks, the following table summarizes average ransom demands and preferred payment methods based on incident reports from 2023-2024.

Target Size | Average Initial Ransom Demand | Typical Payment Method | Negotiation Outcome (avg.)
Small Business (<50 employees) | $5,000 – $50,000 | Bitcoin | Often paid in full
Mid-Market (50-500 employees) | $50,000 – $500,000 | Bitcoin or Monero | Reduced by 30-50%
Large Enterprise (500+ employees) | $500,000 – $5,000,000+ | Monero (preferred), Bitcoin | Often negotiated down to 40-60%
Healthcare or Critical Infrastructure | $100,000 – $2,000,000 | Bitcoin (sometimes Monero) | Higher likelihood of payment due to downtime costs

Conclusion: The Future of RaaS and What You Must Do Now

Ransomware as a Service is not a passing trend—it is a mature, industrialized corner of the cybercrime economy. The business model mirrors legitimate software companies, complete with subscription tiers, affiliate bonuses, and even customer support. As long as organizations continue to pay ransoms, the RaaS ecosystem will thrive and evolve. We are already seeing the emergence of “RaaS 2.0” with features like automatic negotiation chatbots, multi-extortion (adding DDoS threats), and even “as-a-service” for initial access and money laundering. The ease of entry means that every business, regardless of size, is a potential target.

Your best defense is a combination of technology, processes, and awareness. Implement MFA, maintain immutable backups, segment your network, and train your staff. Stay informed about the latest RaaS groups and their techniques through threat intelligence feeds. Do not assume that being a small company makes you safe; many RaaS affiliates specifically target smaller organizations because they have weaker security. If you are hit, have an incident response plan that includes legal counsel, communication strategies, and a backup restoration plan. Paying the ransom should be a last resort, and only after weighing all risks.

Ransomware as a Service has turned cybercrime into a business. Your job is to make sure that business model fails when it comes to your organization. With the knowledge from this guide, you are better equipped to recognize the threats, understand the attackers’ playbook, and implement robust defenses. The fight against RaaS is ongoing, but by staying vigilant and proactive, you can significantly reduce your risk and ensure that if an attack does occur, it becomes a minor disruption rather than a catastrophic event.

Author: sarah antaboga
