What is ransomware as a service?
Ransomware attacks are unfortunately a growing trend in cybercrime, threatening businesses and public authorities.
The reason for the sudden increase in ransomware attacks has been a shift from a linear attack model to a more complex and business-oriented ransomware-as-a-service model.
This shift has made using ransomware much more lucrative, as it is easy for the hackers behind ransomware as a service to make money quickly.
Read this blog post to learn how ransomware as a service works and how your business can best protect itself from ransomware attacks.
What are ransomware attacks?
Ransomware is a type of harmful software that locks important files or computer systems by encrypting them. The attacker demands a ransom to unlock the files, and sometimes they also threaten to leak sensitive information if the victim doesn’t pay.
In many cases, the ransom demand comes with a deadline. If the victim cannot pay the ransom in time, the affected files or encrypted data are gone forever, or the ransom increases.
The financial implications of these attacks can be severe, with ransom payments often reaching significant sums. The victim can see that their computer has been infected because it is not possible to gain access and because a message typically appears on the computer screen describing the attack and the ransom.
In severe cases, you as an organisation could lose all your files or have to pay a lot of money.
The definition of ransomware as a service (RaaS)
Ransomware as a service (RaaS) is a business model that involves selling or renting ransomware (the malicious code) to buyers, called affiliates, who then use these tools to launch attacks. RaaS can be credited as one of the primary reasons for the rapid spread of ransomware attacks, as it has made it easier for a number of threat actors - even those without a great deal of technical knowledge - to launch ransomware attacks against businesses.
Ransomware as a service is inspired by the software as a service (SaaS) business model, which has been used by software companies for many years.
Previously, knowledge of coding was a requirement for all successful hackers. But now, with the development of the RaaS model, this technical prerequisite has become secondary or, for some, unnecessary.
As with any other software as a service solution, RaaS users do not need to be skilled or even experienced to use the tool. RaaS solutions therefore allow even the most novice hackers to carry out highly sophisticated cyber attacks.
How RaaS differs from malware and ransomware
Ransomware as a Service (RaaS) is a distinct concept from malware and ransomware, although it is closely related to both. Malware refers to any type of malicious software designed to harm or exploit a computer system. Ransomware is a specific type of malware that encrypts a victim’s files and demands a ransom in exchange for the decryption key. RaaS, on the other hand, is a business model that provides ransomware tools and infrastructure to affiliates, who then use these tools to launch ransomware attacks.
The key difference between RaaS and traditional ransomware is the level of expertise required to launch an attack. With RaaS, affiliates do not need to have extensive technical knowledge or coding skills to launch a ransomware attack. The RaaS provider handles the development and maintenance of the ransomware, while the affiliate focuses on identifying targets and executing the attack.
If you're unsure about how malware operates and the risks it poses, dive into our blog post on malware to learn more.
Similarly, ransomware has evolved significantly, with cybercriminals leveraging it for large-scale attacks. With RaaS, even attackers with minimal technical knowledge can deploy powerful ransomware tools. To understand how ransomware works and why it remains a major cybersecurity threat, explore our in-depth guide on ransomware.
How does ransomware as a service work?
For the RaaS model to work, hackers must start with expertly coded ransomware developed by skilled ransomware operators. Ransomware developers typically need to be reputable to get buyers to sign up and spread the malware.
Operators typically work in organized groups, with members assigned specific roles such as managers, developers, and system or infrastructure administrators.
Some roles and tools may also be outsourced or acquired through affiliate programs. For instance, some operators use Access-as-a-Service (AaaS), which offers various ways to gain entry into targeted organizations.
Other groups may also have strong penetration testing teams, but may lack the necessary ransomware.
These penetration testing teams often act as ransomware affiliates, utilizing ransomware tools and infrastructure from affiliate programs once they breach a target. Affiliates may operate independently or as members of organised groups.
Recognised RaaS developers create software with a high chance of penetration success and a low chance of detection.
Ransomware as a service and the RaaS operators
Once the ransomware is developed, it is adapted into an infrastructure that serves multiple end users. The software is then ready to be licensed to multiple buyers (affiliates). These buyers often launch a ransomware campaign, targeting multiple organizations to maximize their profits. The revenue model for RaaS solutions mirrors that of SaaS products: buyers can, for example, sign up with either a one-off fee or a monthly subscription.
Ransomware buyers are supported with onboarding documentation that includes a step-by-step guide to launching ransomware attacks with the malware. Some RaaS distributors even provide affiliated buyers with a dashboard solution to help them monitor the status of each attempted ransomware infection.
To find potential buyers, the hackers behind RaaS post on forums on the dark web. Some ransomware groups, like Circus Spider, only want buyers with specific technical skills because of their greater chances of successfully targeting large and well-known companies. If you want to understand how these hidden marketplaces operate, explore our blog post on the dark web.
Other ransomware groups are only interested in rapid distribution and have very few requirements for buyers.
Each new affiliate is given a custom exploit code for their unique ransomware attack. This custom code is then sent to the website hosting the RaaS software for the buyer.
With the affiliate hosting site updated, RaaS users are ready to launch their ransomware attacks.
RaaS affiliates and their role
RaaS affiliates are individuals or groups that purchase or subscribe to RaaS services from a provider. They play a crucial role in the RaaS ecosystem, as they are responsible for identifying potential targets, launching the ransomware attack, and managing the post-attack communication with the victim.
RaaS affiliates typically have a financial incentive to launch successful attacks, as they receive a percentage of the ransom payment from the victim. This creates a lucrative business model for both the RaaS provider and the affiliate, as they can generate significant revenue from successful attacks.
Revenue Models in Ransomware-as-a-Service (RaaS)
Ransomware-as-a-Service (RaaS) operates under several revenue models, each offering different levels of commitment and profit-sharing for affiliates. The four most common models include:
- Monthly subscription: Affiliates pay a fixed fee for access to ransomware tools.
- Affiliate program: Instead of a fixed fee, affiliates share a percentage of their earnings, typically 20-30%, with the ransomware developers.
- One-time license fee: Affiliates pay a single upfront cost without sharing future profits.
- Pure profit sharing: Developers take a percentage of the ransom payments instead of charging any upfront fees.
These models typically involve stealing and encrypting sensitive data to pressure victims into paying a ransom.
RaaS portals and features
Leading RaaS operations provide sophisticated web portals where affiliates can track infection rates, ransom payments, and encrypted files. Affiliates can easily sign up, pay in cryptocurrency, specify their desired malware features, and launch attacks with minimal effort.
Subscribers to RaaS services also gain access to customer support, user communities, documentation, and regular feature updates—similar to legitimate Software-as-a-Service (SaaS) platforms.
The Business of RaaS
The RaaS market is highly competitive. Operators not only offer user-friendly portals but also run marketing campaigns and maintain professional-looking websites. They produce promotional materials, create tutorial videos, and even engage on social media platforms like Twitter.
RaaS is a booming industry—total ransomware revenue reached approximately $20 billion in 2020, a significant increase from $11.5 billion the previous year.
Some well-known RaaS kits include Locky, Goliath, Shark, Stampado, Encryptor, and Jokeroo, though many others exist. RaaS groups frequently shut down, reorganize, and reappear with more advanced ransomware strains, keeping the threat constantly evolving.
Examples of RaaS attacks and groups
DarkSide
DarkSide is a RaaS group that initially targeted Windows systems but has since expanded to Linux. Their ransomware primarily attacks enterprise environments with unpatched VMware ESXi hypervisors, and they also steal vCenter credentials. On May 10, 2022, the FBI confirmed that DarkSide ransomware was involved in the Colonial Pipeline attack. Reports later revealed that around 100 GB of data was stolen, and Colonial Pipeline allegedly paid nearly $5 million to a company linked to DarkSide.
In many cases, these attacks result in significant ransom payments, further incentivizing the criminal activities of these groups.
REvil
REvil, also known as Sodinokibi, is a ransomware strain linked to one of the largest ransom demands in history—$10 million. It is distributed by the cybercriminal group PINCHY SPIDER, which operates under an affiliate model, typically taking 40% of the profits.
Like TWISTED SPIDER’s approach, PINCHY SPIDER warns victims before leaking stolen data. They usually post a blog entry on their DLS (dedicated leak site) with sample data as proof, then release the full dataset if the ransom is not paid within a set time.
REvil will typically also include a link to the blog post in the ransomware message that victims receive when their systems are hit by an attack.
The link shows what data will be leaked before it is leaked to the public. When a person clicks on the link, a timer starts showing how long until the data is leaked.
Dharma
Dharma ransomware has been linked to an Iranian threat group focused on financial gain. Active since 2016, this RaaS is commonly used in attacks that exploit remote desktop protocol (RDP) vulnerabilities. Ransom demands typically range from 1 to 5 bitcoins, targeting victims across various industries.
Unlike REvil and other RaaS kits, Dharma does not have centralized control. Its variants come from multiple sources, with many attack samples showing almost identical structures. The only differences are usually encryption keys, contact emails, and a few customizable details set through a RaaS portal. Because Dharma attacks are so similar, law enforcement struggles to trace the perpetrators or gain insight into their operations.
LockBit
LockBit has been in development since September 2019 and operates as a RaaS, primarily targeting Russian-speaking users or English speakers with connections to Russian-speaking cybercriminals. In May 2020, an affiliate using LockBit threatened to leak stolen data on a well-known Russian-language criminal forum.
In addition to the threat, the buyer provided evidence, including a screenshot of a sample document contained in the victim data. This is just one of many threats.
Once the deadline has passed, this buyer is known to post a link that can be used to download the stolen victim data. This affiliate has threatened to publish the data of at least nine victims.
The cost of ransomware attacks
The cost of ransomware attacks can be significant, both in terms of the ransom payment and the broader impact on the targeted organization. According to recent reports, the average ransom demand has increased to over $1 million, with some attacks demanding as much as $10 million or more.
In addition to the ransom payment, organizations may also incur significant costs associated with downtime, data recovery, and reputational damage. A recent study estimated that the total cost of a ransomware attack can be as high as $5 million or more, depending on the severity of the attack and the effectiveness of the organization’s response.
Preventing RaaS attacks through IT security
Recovering data from a ransomware attack can be difficult and expensive, so it is best to prevent attacks altogether by having strong IT security. Protecting sensitive data is crucial, as its exposure can lead to severe financial and reputational damage. The steps to prevent a RaaS attack, or avoid malware in general, are the same as for preventing any ransomware attack, because RaaS is just user-friendly ransomware for anyone with bad intentions:
- Use a robust and up-to-date endpoint protection system that leverages advanced algorithms and runs continuously in the background for automated security.
- Take regular backups. If a backup is only performed every weekend, a ransomware attack can cost an entire week’s work.
- Make multiple backups and store them on separate devices in different locations.
- Test backups regularly to make sure they can be retrieved.
- Maintain a rigorous patching program to protect computers from both known and unknown vulnerabilities.
- Segment the network to prevent propagation across the environment.
- Implement advanced anti-phishing protection.
- Invest in awareness training and build a strong security culture.
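The three backup steps in the list above can be checked automatically. The following is an added example, not part of the original post: it audits a backup catalogue for the worst-case loss window, for separation of copies, and for restorability against a SHA-256 manifest. The catalogue fields, file names and device names are constructed for illustration.

```python
import hashlib, io, tarfile
from datetime import datetime, timedelta

def make_backup(files):
    """Pack {name: bytes} into an in-memory tar; return (archive, SHA-256 manifest)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue(), {n: hashlib.sha256(d).hexdigest() for n, d in files.items()}

def restore_test(archive, manifest):
    """Read every file back; return the names that are missing or altered."""
    restored = {}
    try:
        with tarfile.open(fileobj=io.BytesIO(archive), mode="r:") as tar:
            for m in tar.getmembers():
                if m.isfile():
                    restored[m.name] = hashlib.sha256(tar.extractfile(m).read()).hexdigest()
    except (tarfile.TarError, OSError):
        return sorted(manifest)  # unreadable archive: nothing can be retrieved
    return sorted(n for n, h in manifest.items() if restored.get(n) != h)

def worst_case_loss(backup_times, now):
    """Longest gap between backups, or since the last one: work an attack can destroy."""
    points = sorted(backup_times) + [now]
    return max(later - earlier for earlier, later in zip(points, points[1:]))

def audit(copies, now, max_loss):
    """Check schedule, separation of copies and restorability; return findings."""
    findings = []
    loss = worst_case_loss([c["taken"] for c in copies], now)
    if loss > max_loss:
        findings.append(f"schedule can lose {loss.days} days of work")
    if len({c["device"] for c in copies}) < 2 or len({c["location"] for c in copies}) < 2:
        findings.append("copies are not on separate devices in different locations")
    for c in copies:
        bad = restore_test(c["archive"], c["manifest"])
        if bad:
            findings.append(f"backup of {c['taken']:%Y-%m-%d} cannot restore {bad}")
    return findings

# Constructed sample: weekend-only backups on one NAS; the newer copy is damaged.
FILES = {"ledger.csv": b"id,amount\n1,100\n", "notes.txt": b"quarter close\n"}
GOOD, MANIFEST = make_backup(FILES)
DAMAGED, _ = make_backup({**FILES, "ledger.csv": b"\x00" * 16})
COPIES = [dict(taken=datetime(2025, 1, day), device="nas-1", location="office",
               archive=arc, manifest=MANIFEST) for day, arc in ((4, GOOD), (11, DAMAGED))]
```

Calling `audit(COPIES, datetime(2025, 1, 17), timedelta(days=1))` on this sample reports all three problems: a seven-day loss window, copies that share one device and location, and a backup that no longer restores `ledger.csv`.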
The evolution of ransomware attacks
Ransomware attacks have evolved significantly over the past few years, with attackers becoming increasingly sophisticated and targeted in their approach. One of the key trends in ransomware attacks is the use of RaaS, which has made it easier for attackers to launch successful attacks without requiring extensive technical expertise.
Another trend is the use of phishing attacks to gain initial access to the targeted organization’s network. Phishing attacks involve sending targeted emails or messages that appear to be legitimate but actually contain malicious links or attachments. Once the attacker gains access to the network, they can use the RaaS tools to launch the ransomware attack and encrypt the victim’s files.
Threat actors are also becoming increasingly targeted in their approach, focusing on specific industries or organizations that are more likely to pay a ransom. This has led to an increase in targeted attacks, where the attacker uses social engineering tactics to gain access to the targeted organization’s network.
Overall, the evolution of ransomware attacks has made it more important than ever for organizations to prioritize cybersecurity and take proactive steps to prevent and respond to ransomware attacks.
This post has been updated on 05-02-2025 by Sarah Krarup.

Sarah Krarup
Sarah studies innovation and entrepreneurship with a deep interest in IT and how cybersecurity impacts businesses and individuals. She has extensive experience in copywriting and is dedicated to making cybersecurity information accessible and engaging for everyone.