What is Ransomware as a Service (RaaS?)

In a hurry? Click here for a quick guide
In a Nutshell: What is Ransomware-as-a-Service? (RaaS)

Ransomware-as-a-Service (RaaS) is a criminal business model lifted from the legitimate Software-as-a-Service (SaaS) model. Ransomware syndicates perfect a ransomware code, but rather than using it to carry out cyberattacks on companies and other organizations themselves, they lease the malware out to “affiliates.”

While these lesser-skilled affiliates may not have the ability to develop their own code, they can still carry out a full-blown ransomware attack on an organization’s network with the most effective criminal tech available. As affiliates bag hefty ransom payouts, they kick a percentage back to the RaaS operators, thus increasing profits.

There have been some prominent RaaS groups in the headlines for massive cyberattacks in recent years:

  • REvil
  • Ryuk
  • Darkside
  • Netwalker
  • CL0P

Do you want to learn more about Ransomware-as-a-Service? Want to find out about the different schemes and ransom payouts that cybersecurity experts have uncovered? Learn how to protect yourself and prevent devastating ransomware attacks on your computers or network in the article below.

Due to the barrage of cyberattacks that have crippled countless businesses in recent years, many have become familiar with the term ransomware.

Your screen goes blank, up pops a message in crude English telling you that all the files on your system have been downloaded and encrypted. In order to get a decryption key, or avoid having your sensitive data leaked on the dark web, you’ve got to pay a ransom in Bitcoin or other cryptocurrencies (untraceable) to black hat cybercriminals.

But fewer may be aware of a well-organized underworld business model that can launch these kinds of attacks known as ransomware-as-a-Service (or RaaS). Rather than launching attacks themselves, ransomware developers lease their premium malware product to lesser-skilled cybercriminals willing to take on the risk that comes with running ransomware campaigns.

But how does it all work? Who’s at the top of the hierarchy and who are the intermediaries? And more importantly, how do you protect yourself and your company from these debilitating attacks? Read on to take a deep dive into RaaS.

What is Ransomware as a Service (RaaS?)

Ransomware-as-a-Service (RaaS) is a criminal business model that has simply lifted its concept from the legitimate Software-as-a-Service (SaaS) model. Some of the biggest companies in the world offer SaaS apps, such as Dropbox, Microsoft Office 365, and Slack.

Customers usually pay a monthly subscription or a one-time fee to use SaaS apps. For RaaS, cybercriminals can do the same, though payment comes in hard-to-trace Bitcoin or other cryptocurrencies.

As far as profits go, it comes down to agreements: “franchisees” or “affiliates” can opt to either share a cut of the ransom with the RaaS operator or keep all profits for themselves, depending on the agreement.

Here’s an infographic of a common RaaS scheme:

Infographic Ransomware as a Servive (RaaS) Business Model

Just like SaaS companies, organized cybercrime syndicates advertise their services and share positive user reviews of their products, though their market is limited to the dark web and underground hacker forums.

How Does RaaS Work?

Since RaaS is a criminal scheme, it doesn’t have the traditional structure, contractual obligations, and clearly defined terms and conditions that legitimate companies do. Regardless, experts who study the web underworld have picked up on a few regular schemes — all similar to legitimate business models — that RaaS providers operate under.

Say a lower-skilled hacker doesn’t have the ability to create their own ransomware code or know the full ins and outs of running a ransomware attack. These lower-level hackers not only get access to top-tier ransomware, but they might also get other perks, like customer support, access to anonymous ransom payment portals, and even updates on system infections and campaigns. Hackers also use it for social engineering attacks.

Let’s look at some of these illicit business models.

Affiliate RaaS

Underground affiliate programs have emerged as one of the most prominent versions of RaaS for a number of reasons: name recognition of the ransomware group, campaign success rates, and quality and range of the services provided.

Criminal syndicates that want to keep their ransomware code contained within the group often seek out hackers that can breach corporate networks on their own, then use the malware and support to carry out the attack.

But with the recent surge in corporate network access-for-sale on the dark web, a hacker may not even need this to fulfill this requirement. Instead of paying a monthly or annual fee to use the ransomware code (though sometimes affiliates might have to pay-to-play), well-supported, lower-skilled hackers engage in high-risk attacks for a profit split.

Ransomware gangs typically look for hackers savvy enough to breach a corporate network, and bold enough to go through with the cyberattack. In this scheme, the affiliate usually keeps anywhere from 60%-70% of the ransom, with the remaining 30%-40% kicked upstairs to the RaaS operator.

Subscription-based RaaS

In this scheme, cybercriminals pay a monthly or yearly subscription fee for access to ransomware, technical support, and malware updates. This is quite similar to many web-based subscription service models like Netflix, Spotify, or Microsoft Office 365.

Typically, if ransomware criminals pay for the service upfront — which could be anywhere from $50 to thousands of dollars per month, depending on the RaaS provider — they keep all the profit from ransom payments for themselves. Considering the average ransom payment is around $220,000, these subscription fees are just a small investment.

Of course, affiliate programs could institute a subscription-based, pay-to-play element in their schemes as well.

Lifetime license

Rather than make residual income from subscriptions and profit-sharing, a malware developer might opt to sell packages for a one-time fee and not risk being directly involved in cyberattacks.

In this scenario, cybercriminals pay an upfront fee to gain lifetime access to a ransomware kit and use it as they see fit.

Though it’s a far more expensive option (tens of thousands of dollars for sophisticated kits), some lower-level cybercrooks might opt for a one-off purchase because it would be harder to connect themselves to the RaaS operator, should the operator be caught.

RaaS “heist” partnerships

Ransomware cyberattacks require a different skillset from each hacker involved. In this model, a team would assemble, each offering something different to the cyberattack. To start, you’d need a ransomware code developer, corporate network hackers, and an English-language ransom negotiator. Each member, or partner, would agree to split the profits depending on their position and importance in the campaign.

Largest RaaS Ransomware Gangs and Affiliates

Though ransomware gangs regularly vanish, reorganize, rebrand, and reappear, there have been a few names that have been mentioned more frequently than others over the years. These syndicates run like a well-oiled machine and are highly organized and professional in their setup and execution.

This has led to many high-profile cyberattacks on government sectors, key infrastructure operators, and massive companies over the years. Most of these gangs are based out of Eastern Europe, and they tend to avoid attacking organizations in the former states of the Soviet Union.

Security specialists have discovered that code from some of these groups was written so that the malware steers clear of any computer whose default language is Russian, Ukrainian, or Belarusian, among other Slavic languages from former Soviet Union countries.

Here are some of the most common criminal organizations active now:

REvil (aka Sodinokibi)

One of the most prolific groups of 2021, REvil ransomware was behind the sprawling $70 million Kaseya cyberattack, the extortions of massive supplier JBS Foods, and electronics giant Acer.

REvil ransomware was also used to steal scans of social security cards, passports, and driver’s licenses from patients and employees at the University Medical Center in Las Vegas.

According to security provider Black Fog, REvil malware accounted for 13% of ransomware attacks in 2021.

Ryuk (aka Conti)

This group was one of 2019-2020’s most prolific gangs and was responsible for 13% of all ransomware attacks in 2021. Ryuk ransomware was used in attacks on US hospitals in California, New York, and Oregon, as well as in the UK and Germany.

The cyberattacks caused problems with accessing patient records and even impacted critical care units. Ryuk ransomware was also behind cyberattacks on Universal Health Systems, the Seyfarth Shaw Law Firm, and the Sopra Steria attack in Europe.


If you’re familiar with the debilitating summer cyberattack on Colonial Pipeline, you may have heard the name “Darkside.” The ransomware gang shut down the oil pipeline that services the United States’ east coast, causing widespread panic and a gas shortage.

Though they’re relatively new and have only carried out 60 attacks this year, they’ve made a name for themselves by focusing on huge targets, creating innovative criminal business ventures, and even establishing a “code of conduct.”

They and their affiliates claim to only attack English-speaking countries and have sworn off hospitals, hospices, medical centers, schools, and non-profits.

CL0P (aka Fancycat)

Plenty of victims have been traced back to CLoP, with universities at the top of their lists of favorite targets. This includes the University of Miami and the University of Colorado in the United States. CLoP also hit Maastricht University and the University of Antwerp in the Netherlands and Belgium, respectively.

Ukrainian police arrested six members (or affiliates) of CLoP in June and seized luxury cars, premium computers, and 5 million Ukrainian hryvnia ($185,000) in cash.

Netwalker (aka Mailto)

Another prominent malware group with ransomware behind a string of attacks on companies, public sectors, hospitals, law enforcement, and universities is Netwalker.

Recent attacks included the University of California, which paid out $1.14 million in ransom after the hack of a research facility. Other targets were Michigan State, Equinix, and the Toll Group in Australia.

How to Prevent Ransomware Attacks

Cybersecurity provider Varonis estimates that there have been 4,000 ransomware attacks a day since 2016 (numbers from 2021).

Ransomware gangs tend to go for big paydays, targeting massive companies and organizations, infrastructure operators, and even the public sector. But that doesn’t mean that hackers aren’t downloading simple, cheap malware kits to launch ransomware attacks on a much smaller scale.

Protect yourself from ransomware attacks

There are several ways to protect yourself and your business. Since ransomware attacks can succeed by the error of just one individual within the company or establishment, cybersecurity training is essential. Here are some tips to prevent such attacks.

  • Do not click unsafe links: Clicking a malicious link is all it takes to download ransomware onto your computer or network and cause an infection. Never click on links in spam messages or on websites that you’re not familiar with.
  • Stay away from suspicious email attachments: Hackers can also inject ransomware via email attachments. Never open attachments from suspicious senders. If you recognize the sender, make sure their email address is correct and hasn’t been spoofed. Never open an attachment in macros, as it allows the malware to gain complete control of your device.
  • Never give out personal information: Using social engineering tactics, hackers often call, text, or email victims before an attack. They’ll try to pry personal information from you by pretending to be tech or customer support. They’ll then use that information to customize phishing attempts specifically for you.
  • Update, update, update: No matter your operating system, make sure to regularly update it and the programs on your computers and devices. When you update your programs and operating systems, you’re downloading the latest security patches and vulnerability fixes. This makes it a bit harder for cybercrooks to gain access through known vulnerabilities.
  • Don’t download from unknown sites: RaaS can be hiding on phishing websites that you might have been redirected to. Make sure that there is a padlock icon in your browser bar and that the site uses the “https” (not “http”) prefix. Be cautious if you use file-sharing and torrenting sites. While these sites often aren’t malicious in and of themselves, ill-intentioned users could upload ransomware disguised as a popular movie, music file, or even an eBook. This is one of the reasons to avoid piracy at all costs.
  • Do not use unknown USB sticks: Cybercriminals have actually infected storage USBs with ransomware and placed them in public places in the hopes of getting unsuspecting individuals to use them. You should never connect a USB stick or other external storage if you don’t know its origin.
  • Use a VPN on public Wi-Fi networks: When you’re connected to a public Wi-Fi network in a coffee shop, airport, or virtually any other place, you’re far more vulnerable to cyberattacks. Cybercriminals can easily access insecure Wi-Fi networks and retrieve sensitive data to facilitate ransomware attacks. To protect yourself, get a VPN. VPNs create a secure connection between you and the public connection. It protects your browsing activity by sending your data traffic through an encrypted virtual tunnel.

According to cybersecurity firm Kaspersky, there are a few factors that might put you or your company especially at risk of a ransomware attack:

  • You use outdated devices or software.
  • Browsers and operating systems are not patched or updated.
  • You don’t back up your files.
  • Cybersecurity is not a priority, and there is no cyberattack response plan.

RaaS Continues to Rise in Popularity

Ransomware payments increased 337 percent to over $400 million in 2020, according to blockchain research firm Chainalysis. With online extortionists having already taken more than $81 million in the first half of 2021 alone, RaaS shows no signs of slowing down.

Cybersecurity insurance premiums have soared through the roof for small and big businesses alike. The majority of these attacks are coming in the form of RaaS models, which cybercriminals have adopted for two main reasons: It makes for less risk and increased profits for ransomware coders, and it allows low-skilled hackers to perform high-level attacks.

Less risk and increased profits for ransomware coders

Once a developer has perfected an effective ransomware code, it makes more sense to lease it out rather than take the risk associated with executing ransomware campaigns.

A hacker has to breach the corporate network, inject ransomware, and encrypt and download the company files. Then, they must go through the criminal process of extorting Bitcoin (or another cryptocurrency) from the victims.

Developers can do just as well attracting “franchisees” on the dark web to do the legwork, sitting back and taking a cut from each ransom.

Low-skilled hackers can perform high-level attacks

With the RaaS model, lesser-skilled hackers don’t have to create their own ransomware code and tools to perform advanced cyberattacks.

The ransomware affiliates have already taken care of that by offering full malware kits, and even customer support for their RaaS schemes. Less-talented hackers can launch wildly lucrative ransomware campaigns with proven malware for a low upfront fee.

If ransomware attacks continue to pull in these multimillion-dollar payouts, we’ll certainly see more black-hatted affiliates jumping onboard in the coming years.

That’s why it’s more important than ever to make internet safety a top priority. Ransomware as a Service is a dangerous trend, but one that clearly highlights the increasing nature of threats online.

What is Ransomware-as-a-Service (Raas?) | Frequently Asked Questions

Got some questions about the Ransomware-as-a-Service (RaaS) business model? We’ve compiled a list of the most frequently asked questions below. Click on one to pull up the answer.

Ransomware-as-a-Service (RaaS) is an underground, subscription-based business model where ransomware operators lease out their malware to affiliates. RaaS operators often receive a percentage of ransom payments gained during malicious campaigns. It’s quite similar to the legitimate Software-as-a-Service (SaaS) business model. Read our full article to jump into RaaS in more detail.

Ransomware-as-a-Service (RaaS) is an illegal enterprise developed by organized crime syndicates. Being involved in a ransomware attack in any part of a campaign — buying ransomware kits on the dark web, breaching a corporate network, stealing, encrypting and downloading system files, and extorting Bitcoin from victims — is entirely illegal.

Ransomware is a form of malware used to encrypt a network’s or system’s sensitive files and data, essentially holding them hostage until the hacker gives the victim a decryption key. After injecting ransomware, cybercriminals demand Bitcoin or other hard-to-trace cryptocurrencies in exchange for the key. Cybersecurity experts are divided on whether or not victims should pay ransoms, as there’s no guarantee they’ll get their files back.

Tech journalist
Taylor is a tech writer and online journalist with a special interest in cybersecurity and online privacy. He’s covered everything from sports and crime, to explosive startups, AI, cybercrime, FinTech, and cryptocurrency. For VPNOverview.com he follows news and developments in online privacy, cybersecurity, and internet freedom.