Ransomware-as-a-Service
Ransomware attacks have evolved from one-off, opportunistic hacks into a mature criminal industry — and at the heart of this transformation is Ransomware-as-a-Service (RaaS). This underground business model has lowered the barrier to entry for cybercrime, enabling even non-technical criminals to launch sophisticated ransomware campaigns.
RaaS kits allow affiliates lacking the skill or time to develop their own ransomware variant to be up and running quickly and affordably. They are easy to find on the dark web, where they are advertised in the same way that goods are advertised on the legitimate web.
A RaaS kit may include 24/7 support, bundled offers, user reviews, forums and other features identical to those offered by legitimate SaaS providers. The price of RaaS kits ranges from $40 per month to several thousand dollars – trivial amounts, considering that the average ransom demand in 2024 was $2.73 million, according to Sophos. A threat actor doesn’t need every attack to be successful in order to become rich.
- Subscription Model
Affiliates pay a monthly or annual fee for access to the ransomware kit, infrastructure, and updates. Pricing can range from a few hundred to several thousand dollars per month, depending on features like stealth, speed, and encryption strength.
Example: A $500/month subscription granting access to the latest ransomware build plus 24/7 “support.”
Advantage for criminals: Predictable, recurring income stream for the RaaS developers.
- Affiliate/Profit-Sharing Model
The most common RaaS structure. Affiliates use the ransomware for free or a small setup fee, then share a percentage of each ransom with the developers.
Typical splits: 70/30 or 80/20 (affiliate gets the larger share).
Example: A $1 million ransom payment might yield $800k to the affiliate and $200k to the developer.
Advantage: Low barrier to entry for affiliates, high earning potential for developers if affiliates succeed.
- One-Time License Fee
Affiliates purchase the ransomware kit outright for a single payment. After that, they own and operate it without further revenue sharing.
Example: A one-time $5,000 payment for a fully functional ransomware package.
Advantage: Instant, lump-sum income for developers — but no ongoing revenue unless they sell new versions later.
- Hybrid Model
Combines aspects of the above models. Affiliates might pay a smaller monthly subscription plus a reduced profit-sharing percentage, or a partial upfront license fee with ongoing royalties.
Example: $200/month subscription plus 20% of each ransom collected.
Advantage: Developers get both steady income and a cut of big payouts.
Some RaaS platforms also run “bug bounty”–style incentives for affiliates, rewarding them for finding better infection vectors or bypassing new security measures — another sign of how professionalized this criminal market has become.
Ransomware as a Service (RaaS) Examples
There is an abundance of ransomware as a service in circulation, and while cyber professionals are aware of and tracking many different groups, it’s important to be on guard and prepared for anything.
LockBit
This ransomware emerged in June 2021 and exploits SMB and PowerShell to spread through a compromised network. It claims to have the fastest encryption on the market and has compromised over 50 organizations across different industries.
BlackCat
Also known as ALPHV, BlackCat is written in the Rust programming language and is easy to compile for different operating systems and architectures. This ransomware is dangerous because it is highly customizable and easy to tailor to a specific target.
Hive
First observed in June 2021, the Hive RaaS group pressures victims to pay by releasing details of the attack on different leak sites and even social media, including the date and time of attacks and a countdown to information leaks.
Dharma
First identified in 2016, Dharma targets victims through malware attachments in phishing emails. Several other ransomware groups have reused Dharma's source code.
Defending Against Ransomware-as-a-Service
Ransomware is especially insidious because there is no single root cause for the attack. Ransomware itself refers to the malware that is deployed to encrypt and possibly exfiltrate data, not the method used to deliver it. While there are common TTPs in ransomware that every organisation should be aware of and monitor for, a major way to prevent ransomware attacks is to monitor for precursors.
- Conduct Basic File Backups.
This small act can make a major difference if a ransomware attack occurs, as it defends against double extortion. According to Arctic Wolf, in 68% of ransomware incidents reliable backups aided in the recovery process — in many cases removing the need for a payout by providing an alternate path to sufficient recovery.
- Secure the Cloud
Not only can the cloud offer initial access to threat actors, but as data storage and operational applications expand to the cloud, it’s likely threat actors will find their way there. Understanding your responsibility in cloud security, as well as staying on top of misconfigurations, can go a long way in hardening this part of the attack surface.
- Enforce Identity and Access Controls
Identity is an emerging battleground, and not only are credentials a growing root cause of initial access, but Remote Desktop Protocol (RDP) and compromised VPN credentials are the leading root causes of ransomware and intrusions.
- Conduct Risk-Based Vulnerability Management
It’s often known, unpatched vulnerabilities that allow threat actors to gain access to a network or system, and with the number of critical vulnerabilities continuing to increase year over year, continuous vulnerability management is no longer optional for organisations.
- Invest in 24×7 Monitoring
There are two key components to preventing and stopping a ransomware attack – visibility into your environment and the ability to swiftly detect anomalies.
- User Awareness and Training
MDR services often include training employees about ransomware risks and best practices to avoid falling victim to phishing and other social engineering techniques commonly used in ransomware campaigns. Phishing simulation training is one example of what an MDR provider can offer to strengthen your weakest link in RaaS attacks: your end users.
Monitoring Remote Sessions
Security monitoring is crucial for preventing ransomware attacks as it enables early detection, identification of vulnerabilities, monitoring for anomalies, data protection, and compliance with regulatory requirements.
RecordTS will record Windows remote sessions reliably and securely for RDS, Citrix and VMware systems. Scalable from small offices with one server to enterprise networks with tens of thousands of desktops and servers, RecordTS integrates seamlessly with the native environment.
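The defence list above names RDP credential abuse as a leading root cause and "monitoring for precursors" as the main preventive control. The following is an added illustration, not code from the article or from any product it mentions, of what such a precursor check looks like in practice: it scans a constructed, simplified Windows Security log (event 4625 = failed logon, 4624 = successful logon, logon type 10 = RDP) and raises an alert when a source address accumulates repeated failures within a time window and then succeeds interactively. The log format, field names and the threshold and window values are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): timestamp, Windows event id,
# logon type, account name and source IP, one event per line.
SAMPLE_LOG = """\
2024-05-01T02:10:01Z 4625 type=10 user=administrator src=203.0.113.7
2024-05-01T02:10:04Z 4625 type=10 user=administrator src=203.0.113.7
2024-05-01T02:10:07Z 4625 type=10 user=backup src=203.0.113.7
2024-05-01T02:10:11Z 4625 type=10 user=backup src=203.0.113.7
2024-05-01T02:10:15Z 4625 type=10 user=svc_sql src=203.0.113.7
2024-05-01T02:10:19Z 4625 type=10 user=svc_sql src=203.0.113.7
2024-05-01T02:11:02Z 4624 type=10 user=svc_sql src=203.0.113.7
2024-05-01T08:30:00Z 4624 type=10 user=jdoe src=10.0.0.5
2024-05-01T08:31:00Z 4624 type=3 user=jdoe src=10.0.0.5
"""

def parse_events(text):
    """Turn the simplified log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        ts, event_id, logon_type, user, src = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event_id": int(event_id),
            "logon_type": int(logon_type.split("=", 1)[1]),
            "user": user.split("=", 1)[1],
            "src_ip": src.split("=", 1)[1],
        })
    return events

def detect_rdp_precursors(events, fail_threshold=5, window=timedelta(minutes=10)):
    """Alert when a source has >= fail_threshold failed logons inside `window`
    and then completes a successful RDP (logon type 10) logon."""
    failures = defaultdict(list)          # src_ip -> [(ts, user), ...]
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        src, ts = ev["src_ip"], ev["ts"]
        # Drop failures that have aged out of the sliding window.
        failures[src] = [(t, u) for t, u in failures[src] if ts - t <= window]
        if ev["event_id"] == 4625:
            failures[src].append((ts, ev["user"]))
        elif ev["event_id"] == 4624 and ev["logon_type"] == 10:
            if len(failures[src]) >= fail_threshold:
                alerts.append({
                    "src_ip": src, "user": ev["user"], "ts": ts,
                    "failed_attempts": len(failures[src]),
                    "accounts_tried": sorted({u for _, u in failures[src]}),
                })
                failures[src].clear()     # one alert per burst
    return alerts

if __name__ == "__main__":
    for alert in detect_rdp_precursors(parse_events(SAMPLE_LOG)):
        print(alert)
```

In a real deployment the same logic would be fed from the Security event log or a SIEM rather than from a text sample, and the threshold and window would be tuned to the environment's normal failure rate.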