RaaS (Ransomware as a Service)

What is Ransomware as a Service (RaaS)?

Ransomware as a service (RaaS) is a business model on the dark web that encourages cybercriminals to develop ransomware software and then sell or lease it to other criminals for profit.

Ransomware is a type of malware that locks the victim out of a computer system by encrypting the victim’s own data. The attacker then contacts the victim to demand a ransom payment in exchange for the decryption key.

Key Takeaways

  • RaaS operates similarly to legitimate Software-as-a-Service (SaaS) models but for criminal purposes.
  • The accessibility provided by RaaS has led to a surge in ransomware incidents worldwide.
  • Many RaaS operators now employ “double extortion” techniques. In addition to encrypting files, they exfiltrate sensitive data from victims and threaten to leak or sell it unless the ransom is paid.
  • RaaS attacks typically focus on large organizations because they are more likely to pay ransoms to avoid business disruptions and data breaches.
  • RaaS developers regularly update their malware to bypass new security defenses.

How RaaS Works

Essentially, the RaaS business model allows threat actors with only general technical skills to conduct sophisticated data extortion attacks.

Many RaaS operators today use fairly traditional cloud service provider business models. They lease infrastructure, create and maintain ransomware software and tools, package RaaS resources into user-friendly kits, and use ads to reach potential customers.

There are a few important differences between legitimate software as a service (SaaS) providers and RaaS operators, however.

For example, once a potential affiliate creates an account with a ransomware-as-a-service platform, they are vetted by the operator. Because RaaS providers and affiliates operate within a cybercrime culture, payments are almost always made in cryptocurrency to preserve anonymity.

How RaaS Has Changed

Until fairly recently, RaaS was associated with lone developers who used inexpensive spyware to gather information about a potential target. After reconnaissance, they’d set up a tailored attack and then sell the instructions and necessary tools to a fellow criminal.

Today, RaaS operations are typically run by foreign nationals and organized criminal gangs who prefer to share profits rather than sell ransomware toolkits. This provides the operator with a steady income stream and motivates them to continually improve their malware and services.

What are the RaaS Revenue Models?

A revenue model is a strategy that a business uses to generate income.

Commonly used revenue models for RaaS include:

Affiliate model (revenue sharing)

A key benefit of RaaS platforms that use this business model is that the affiliate doesn’t have to pay anything upfront. If their attacks are successful, however, they will need to pay the RaaS operator a percentage of the paid ransom (typically less than 40%).

Operators who use an affiliate model tend to treat their affiliates as subcontractors and usually maintain the infrastructure for negotiation and payment collection to protect their own investment and minimize risk.

Subscription model

In this model, customers pay a monthly or yearly fee to access a ransomware kit and supporting infrastructure. Subscriptions may be tiered and offer varying levels of service, premium features, and technical support.

One-time payment

In this model, customers purchase a ransomware kit with a one-time cryptocurrency payment. This revenue model gives the customer full control over the ransomware they purchase, indefinitely.

Why is RaaS Dangerous?

The RaaS business model has lowered the entry bar for cybercriminals and made it easier for gangs of criminals to scale their illegal activities.

  • Roughly one-third of all breaches involved ransomware or some other extortion technique.
  • Over the past three years, ransomware and other extortion breaches accounted for almost two-thirds of all financially motivated cyberattacks.
  • The median amount of the initial ransom demand was 1.34% of the victim organization’s total revenue.
  • The median adjusted loss for those who did pay a ransom was $46,000.
  • Ransomware is the top threat across 92% of industries.
  • The human element was a component of 68% of breaches.

Examples of RaaS Exploits

In 2024, the U.S. Federal Bureau of Investigation, along with the Cybersecurity and Infrastructure Security Agency, confirmed that RansomHub ransomware as a service has targeted organizations across nearly every industry worldwide and encrypted and exfiltrated data from at least 210 victims.

Here are some examples of other well-known exploits:

  • LockBit 3.0 affiliates are known to have targeted major corporations like Boeing and the Industrial and Commercial Bank of China.
  • BlackCat (ALPHV) affiliates are known for using social engineering and malvertisements to deploy ransomware.
  • Dispossessor, a ransomware platform that is often compared to LockBit, is often credited with popularizing a dual-extortion RaaS business model that demands two ransoms.

5 Tips to Prevent RaaS Attacks

RaaS cybercriminals often deliver malware through automated exploit kits, malicious advertisements, and sophisticated spear phishing emails.

Safeguarding against RaaS exploits requires a strong risk management strategy that includes the following measures:

  1. Keep endpoint protection software and all other software up to date.
  2. Create 3-2-1 backups and implement a recovery plan.
  3. Provide and/or attend security awareness training on a consistent basis.

Is Ransomware as a Service Legal?

Ransomware as a service is illegal because the malware enables cybercriminals to gain unauthorized access to computer systems and networks.

Criminals who conduct this type of attack can be very difficult to catch, however. They typically use layers of anonymization techniques to hide their identity and often operate in jurisdictions that have weak data privacy laws and limited cooperation with international law enforcement.

RaaS Future

As RaaS providers increasingly use artificial intelligence (AI) to streamline their business models, law enforcement agencies are concerned that the number of ransomware attacks will only increase.

AI is already helping RaaS operators automate low-level malware development tasks and anonymize their communication with affiliates more effectively.

In the future, it’s likely that AI integration will allow smaller, more low-profile RaaS operators to extend the scale of their operations and even automate ransom negotiations with victims.

The Bottom Line

The definition of RaaS has evolved over time in response to the profitability of this cybercrime business model. Twenty years ago, when bad actors sold ransomware malware, it was a simple one-time transaction. Today, ransomware as a service has transformed into a multi-billion dollar full-service business model that’s often run by gangs of cybercriminals.

Margaret Rouse
Technology expert

Margaret is an award-winning writer and educator known for her ability to explain complex technical topics to a non-technical business audience. Over the past twenty years, her IT definitions have been published by Que in an encyclopedia of technology terms and cited in articles in the New York Times, Time Magazine, USA Today, ZDNet, PC Magazine, and Discovery Magazine. She joined Techopedia in 2011. Margaret’s idea of a fun day is to help IT and business professionals to learn to speak each other’s highly specialized languages.