What is ransomware as a service?

Learn how ransomware as a service works and how your business can protect itself from ransomware attacks, so you avoid losing money from a cyber attack.

04-07-2022 - 9 minute read. Posted in: malware.

What is ransomware as a service?

Ransomware attacks are unfortunately a growing trend in cybercrime, threatening businesses and public authorities.

The reason for the sudden increase in ransomware attacks has been a shift from a linear attack model to more complex and business-oriented ransomware as a service model.

This shift has made using ransomware much more lucrative, as it is easy for the hackers behind ransomware as a service to make money quickly.

Read this blog post to learn how ransomware as a service works and how your business can best protect itself from ransomware attacks.

What are ransomware attacks?

Ransomware is a type of malicious software (malware) that threatens to disclose or block access to important data, documents or a computer system, usually by encrypting files or data until the victim pays a ransom to the hackers behind the attack.

In many cases, the ransom demand comes with a deadline. If the victim cannot pay the ransom in time, the attached files or encrypted data are gone forever or the ransom increases.

The victim can see that their computer has been infected because it is not possible to gain access and because a message typically appears on the computer screen describing the attack and the ransom.

In severe cases, you as an organisation could lose all your files or have to pay a lot of money.

The definition of ransomware as a service (RaaS)

Ransomware as a service (RaaS) is a business model that involves selling or renting ransomware (the malicious code) to buyers, called affiliates. RaaS can be credited as one of the primary reasons for the rapid spread of ransomware attacks, as it has made it easier for a number of threat actors - even those without a great deal of technical knowledge - to launch ransomware attacks against businesses.

Ransomware as a service is inspired by the software as a service (SaaS) business model, which has been used by software companies for many years.

Previously, knowledge of coding had been a requirement for all successful hackers. But now, with the development of the RaaS model, this technical prerequisite has become secondary or, for some, unnecessary.

Like any other software as a service solution, RaaS users do not need to be skilled or even experienced to use the tool. RaaS solutions therefore allow even the most novice hackers to carry out highly sophisticated cyber attacks.

How does ransomware as a service work?

For the RaaS model to work, hackers must start with expertly coded ransomware developed by skilled ransomware operators. Ransomware developers typically need to be reputable to get buyers to sign up and spread the malware.

Operators are usually organised into a group and have designated roles such as manager, developers and infrastructure and system administrators.

Some roles and tools may also be outsourced or acquired through affiliate programs. For example, some operators use access-as-a-service (AaaS), which can provide different access options to targeted organisations.

Other groups may also have strong penetration testing teams, but may lack the necessary ransomware.

These penetration testing teams often participate as RaaS affiliates and use ransomware tools and infrastructure for affiliate programs when a target is compromised. Affiliates may operate independently or as members of organised groups.

Recognised RaaS developers create software with a high chance of penetration success and a low chance of detection.

Ransomware as a service and the buyers

Once the ransomware is developed, it is modified into a multi-end user infrastructure. The software is then ready to be licensed to multiple buyers (affiliates). The revenue model for RaaS solutions mirrors SaaS products and buyers can, for example, either sign up with a one-off fee or a monthly subscription.

Ransomware buyers are supported with onboarding documentation that includes a step-by-step guide to launching ransomware attacks with the malware. Some RaaS distributors even provide affiliated buyers with a dashboard solution to help them monitor the status of each attempted ransomware infection.

To find potential buyers, the hackers behind RaaS post on forums on the dark web. Some ransomware groups, like Circus Spider, only want buyers with specific technical skills because of their greater chances of successfully targeting large and well-known companies.

Other ransomware groups are only interested in rapid distribution and have very few requirements for buyers.

Each new affiliate is given a custom exploit code for their unique ransomware attack. This custom code is then sent to the website hosting the RaaS softwarefor the buyer.

With the affiliate hosting site updated, RaaS users are ready to launch their ransomware attacks.

Revenue models in ransomware as a service

There are four common RaaS revenue models:

  • Monthly subscription for a fixed fee
  • Affiliate programs, which are the same as a monthly fee model, but where a percentage of profits (typically 20-30%) goes to the ransomware developer
  • One-time license fee with no profit sharing
  • Pure profit sharing

The most sophisticated RaaS operators offer portals that let their subscribers see infection status, total payments, total encrypted files and other information about their targets. An affiliate can simply log into the RaaS portal, create an account, pay with Bitcoin, enter details of the type of malware they want to create, and click the submit button.

Subscribers can have access to support, communities, documentation, feature updates and other benefits identical to those received by subscribers to legitimate SaaS products.

The RaaS market is competitive. In addition to RaaS portals, RaaS operators run marketing campaigns and have websites similar to your own company's campaigns and websites.

They have videos, reading material and are active on Twitter. RaaS is business, and it's big business: total ransomware revenue in 2020 was about $20 billion, up from $11.5 billion the year before.

Some well-known examples of RaaS kits include Locky, Goliath, Shark, Stampado, Encryptor and Jokeroo, but there are many others, and RaaS operators regularly disappear, reorganise and resurface with newer and better ransomware variants.

Examples of RaaS attacks and groups


DarkSide is a RaaS group whose operators originally focused on Windows machines and have recently expanded to Linux. Their RaaS targets enterprise environments running unpatched VMware ESXi hypervisors. In addition, they steal vCenter credentials. On 10 May 2022, the FBI publicly indicated that the Colonial Pipeline incident involved DarkSide ransomware. It was later reported that Colonial Pipeline had approximately 100 GB of data stolen from their network, and the organization allegedly paid nearly $5 million dollars to a DarkSide-affiliated company.


REvil, also known as Sodinokibi, was identified as the ransomware behind one of the largest ransom demands ever: $10 million dollars. It is sold by the criminal group PINCHY SPIDER, which sells RaaS under the affiliate model and typically takes 40% of the profits.

Similar to the TWISTED SPIDER group's data leaks, PINCHY SPIDER warns their victims before leaking the stolen data, usually via a blog post on their DLS containing sample data as evidence, before releasing the bulk of the data after a given time.

REvil will typically also include a link to the blog post in the ransomware message that victims receive when their systems are hit by an attack.

The link shows what data will be leaked before it is leaked to the public. When a person clicks on the link, a timer starts showing how long until the data is leaked.


The Dharma ransomware attack has been attributed to a financially motivated Iranian threat group. This RaaS has been available on the dark web since 2016 and is mainly associated with remote desktop protocol (RDP) attacks. Hackers usually demand 1-5 bitcoins from their victims across a wide range of industries.

Dharma is not centrally controlled, unlike REvil and other RaaS kits.

Dharma variants come from many sources, and many incidents have almost a 100% match between example files. The only differences are usually the encryption keys, contact email and a few other things that can be customized through a RaaS portal. Because Dharma attacks are nearly identical, law enforcement is not able to use an incident to learn much about who is behind a Dharma attack and how they operate.


LockBit has been developed since September 2019, and LockBit is available as a RaaS targeting Russian-speaking users or English speakers with Russian-speaking contacts. In May 2020, an affiliate using LockBit issued a threat to leak data on a popular Russian-language criminal forum.

In addition to the threat, the buyer provided evidence, including a screenshot of a sample document contained in the victim data. This is just one of many threats.

Once the deadline has passed, this buyer is known to post a link that can be used to download the stolen victim data. This affiliate has threatened to publish the data of at least nine victims.

Preventing RaaS attacks through IT security

Recovering data from a ransomware attack can be difficult and expensive, and as a result it is best to fprevent them completely by having strong IT security. The steps to prevent a RaaS attack, or avoid malware in general, are the same as preventing any ransomware attack, because RaaS is just user-friendly ransomware for anyone with bad intentions:

  • Implement reliable and modern endpoint protection that can work on advanced algorithms and operate automatically in the background around the clock.
  • Take regular backups. If a backup is only performed every weekend, a ransomware attack can cost an entire week's work.
  • Make multiple backups and store them on separate devices in different locations.
  • Test backups regularly to make sure they can be retrieved.
  • Maintain a rigorous patching program to protect computers from both known and unknown vulnerabilities.
  • Segment the network to prevent propagation across the environment.
  • Implement advanced anti-phishing protection.
  • Invest in awareness training and build a strong security culture.
Author Sofie Meyer

Sofie Meyer

Sofie Meyer is a copywriter and phishing aficionado here at Moxso. She has a master´s degree in Danish and a great interest in cybercrime, which resulted in a master thesis project on phishing.

View all posts by Sofie Meyer

Similar posts