Learn what ransomware as a service (RaaS) is, how attacks work, real examples, and practical steps to protect yourself from ransomware.

What is Ransomware as a Service (RaaS) & How to Stay Safe

If it feels like ransomware headlines have exploded over the last few years, you’re not imagining it. 

What used to be the domain of a handful of elite hackers has turned into a full-blown underground industry — complete with subscriptions, customer support, marketing websites, and “user reviews.”

That industry has a name: ransomware as a service (RaaS).

In this article, we’ll dig deep into what RaaS actually is, how the RaaS ecosystem works behind the scenes, and real-world RaaS groups like LockBit, REvil, Ryuk, DarkSide, Dharma, and more.

We’ll also take a look at how RaaS intersects with spyware, adware, and the wider “malware-as-a-service” economy, and the concrete, technical steps you can take to defend your organization (and yourself).

What is ransomware as a service (RaaS)?

Ransomware as a service (RaaS) is a cybercrime business model where skilled developers build and maintain ransomware, then lease or sell it to other criminals (“affiliates”) who carry out the actual attacks.

Instead of:

“I build ransomware and I attack you.”

RaaS looks more like:

“I build and support a ransomware platform. Other criminals log in, configure campaigns, and share the profits with me.”

It’s a criminal mirror of legitimate software-as-a-service (SaaS):

  • SaaS: Users pay to access software in the cloud.
  • RaaS: Criminals pay to access ready-made ransomware, dashboards, leak sites, payment portals, and even 24/7 “support.”

Affiliates don’t need to write malware at all — many don’t even have deep technical skills. They just:

  1. Create an account (typically on a dark-web portal).
  2. Pay a subscription, licensing fee, or agree to share a cut of ransom profits.
  3. Use the web UI to generate ransomware payloads and configure campaigns.
  4. Launch attacks using phishing, exploit kits, spyware-harvested credentials, exposed RDP, or vulnerable VPNs.

Meanwhile, operators provide:

  • Infrastructure (command-and-control servers, Tor payment portals).
  • Encryption logic and decryption key management.
  • Updates to evade detection.
  • “Branding”: ransom note templates, leak sites, victim portals, and sometimes negotiation support.

Is ransomware as a service legal?

Short answer: absolutely not.

Any involvement with ransomware — writing it, selling it, renting it, deploying it, or laundering cryptocurrency — is illegal in jurisdictions where computer misuse, extortion, and unauthorized access are crimes.

A few groups try to claim they are “ethical” by only targeting certain sectors or avoiding hospitals. Law enforcement doesn’t buy that distinction: the model itself is built around criminal extortion.

The RaaS ecosystem: operators, brokers, and affiliates

The RaaS world is bigger than just “devs and attackers.” Mature RaaS operations often look like startups with departments, just in an illegal industry.

Core roles

RaaS operators (developers/maintainers)

These are the technical brains:

  • Develop and maintain the ransomware codebase.
  • Build and host the RaaS portals (affiliate dashboards, build panels, leak sites).
  • Manage command-and-control (C2) infrastructure and payment portals.
  • Provide updates, bug fixes, and features (new obfuscation methods, faster encryption, Linux/ESXi support).
  • Sometimes handle negotiations or provide scripts for affiliates.

Affiliates (attackers/deployers)

These are the “franchisees”:

  • Buy or subscribe to a particular RaaS brand (LockBit, REvil, Dharma, etc.).
  • Choose targets, perform phishing / intrusion, move laterally, exfiltrate data, and detonate ransomware.
  • Configure ransom notes, demanded amount, and crypto wallet.
  • Share a percentage of profit with the operator.

Affiliates range from small-time criminals to highly organized groups with their own tooling, access to spyware logs, and professional negotiation teams.

Initial Access Brokers (IABs)

IABs specialize in breaching networks and then selling access to others:

  • Exploit unpatched VPNs, exposed RDP, web apps, or edge devices.
  • Use commodity spyware / infostealers to dump browser credentials and VPN logins at scale.
  • Advertise footholds on underground markets: “Access to mid-size EU manufacturer, domain admin, 500 endpoints.”

RaaS affiliates buy these footholds, drop in their preferred ransomware, and share the profits with the operator.

RaaS revenue models

RaaS adopts classic SaaS pricing, just with crime:

  1. Subscription model
    • Flat monthly fee (sometimes as low as ~$40/month, up to thousands).
    • Includes portal access, payload builders, and updates.
    • Predictable revenue for operators.
  2. Affiliate (profit-sharing) model
    • No big upfront fee, but operators take a cut of each ransom.
    • Typical splits historically: 70/30, 80/20, or 90/10 in favor of the affiliate, depending on their skill and scale.
    • Popular because it aligns incentives: operators want big ransoms; affiliates want low entry cost.
  3. One-time license (“lifetime” access)
    • Pay once, get the ransomware builder and sometimes source code.
    • Favored by more advanced groups who want independence from operator control.
  4. Pure profit-sharing / hybrid
    • Some setups eliminate fixed fees entirely: the operator only earns when victims pay.
    • Others mix smaller subscriptions with profit-sharing to weed out unserious buyers.

Features of RaaS portals

RaaS portals genuinely look like commercial SaaS dashboards. Common features include:

  • “Build your own ransomware” panel: generate payloads with a few clicks.
  • Victim management dashboard: lists current infections, online status, and ransom payment status.
  • Leak site integration: one click to publish stolen files if the victim refuses to pay.
  • Customer support (for criminals): tickets, FAQs, sometimes 24/7 chat.
  • Marketing tools: RaaS brands run “press releases” on dark-web forums, produce promo videos, and publish “success statistics.”

And yes, they absolutely run ads, have logos, and sometimes even whitepapers. The business side of RaaS is disturbingly professional.

How a RaaS attack actually unfolds

Let’s walk through a typical RaaS attack lifecycle from the defender’s point of view.

Step 1: Initial access

Affiliates (or IABs) gain a foothold using:

  • Phishing and spear phishing
    • Malicious attachments (often Office macros or exploit-laden PDFs).
    • Links to weaponized websites.
    • “Payment invoice,” “job application,” or fake MFA prompts.
  • Compromised credentials and spyware
    • Info-stealer spyware logs (RedLine, Raccoon, etc.) are sold in bulk.
    • Attackers reuse VPN, RDP, or SaaS credentials to log straight in.
  • Exposed remote services
    • Unsecured or weak-password RDP endpoints.
    • Unpatched VPN appliances or gateways.
  • Exploited vulnerabilities
    • Network devices, on-prem apps, file-sharing servers, or ESXi hypervisors.
    • Zero-days are valuable; more often attackers use public, unpatched bugs.

Step 2: Post-exploitation and lateral movement

Once inside, affiliates behave more like penetration testers than smash-and-grab crooks:

  • Privilege escalation with tools like Mimikatz, LSASS dumping, Pass-the-Hash.
  • Living off the land: using built-in tools (PowerShell, WMI, PSExec) to avoid triggering traditional antivirus.
  • Discovery and mapping: identify AD structure, backups, hypervisors, and key business systems.
  • Disable defenses: try to kill EDR/AV processes, tamper with logging, and encrypt or wipe backups.

Step 3: Data theft and extortion (single, double, triple)

Modern RaaS almost always includes data exfiltration before encryption.

Common extortion patterns:

  1. Single extortion
    • Steal sensitive data (IP, personal data) and demand money not to leak it.
    • No encryption; pure blackmail.
  2. Double extortion
    • Encrypt systems and threaten to leak or auction stolen data.
  3. Triple extortion
    • Add more pressure: contacting customers/partners, launching DDoS attacks, or emailing employees directly to force payment.

Data is then published on RaaS leak sites if the victim refuses to pay — a major driver of privacy, regulatory, and reputational damage.

Step 4: Encryption and ransom note

When the affiliate is ready, they push the “big red button”:

  • The ransomware payload is launched on as many endpoints as possible, sometimes automatically spreading across shares and domain-joined systems.
  • Files are encrypted with strong cryptography (often using unique per-victim keys).
  • Backups reachable over the network are encrypted or deleted to limit recovery options.
  • A ransom note appears on infected systems with:
    • A TOR link to the payment portal.
    • A deadline.
    • A warning that data will be leaked or auctioned.
    • Sometimes a “free decryption” offer for a sample file to prove they hold the key.

Step 5: Payment and decryption (maybe)

Victims who decide to pay typically:

  1. Purchase cryptocurrency (Bitcoin, Monero, etc.).
  2. Send it to a wallet controlled by the RaaS operator or affiliate.
  3. Receive a decryption tool and key (if the operator keeps their “promise”).

Some groups don’t fully decrypt data, re-extort victims, or leak data anyway — paying is never a guarantee.

Prominent RaaS groups and real-world attacks

RaaS is not an abstract concept. Some of the highest-profile cyberattacks of the last decade have been carried out using RaaS platforms.

LockBit: the “franchise giant” (and its takedown)

LockBit emerged in 2019 and quickly became one of the most widely deployed ransomware variants in the world, operating on a pure RaaS model with hundreds of affiliates. By early 2024, it had targeted thousands of victims and extorted hundreds of millions of dollars in ransom payments.

In February 2024, an international law-enforcement operation disrupted LockBit’s infrastructure, seized servers, froze many of its crypto accounts, and released a decryption tool to help victims recover data without paying.

Later in 2024, authorities publicly named a suspected LockBit leader and imposed sanctions, further undermining the group’s credibility and finances.

Despite these blows, LockBit variants and rebrands remain a key example of how a RaaS “brand” can dominate the ecosystem.

REvil / Sodinokibi: aggressive, high-value RaaS

REvil (Sodinokibi) is infamous for hitting high-profile targets and demanding some of the largest ransoms on record.

REvil:

  • Operated under a classic affiliate model, with operators sometimes taking up to 40% of ransoms.
  • Frequently used double extortion with public “shaming” blog posts and countdown timers to pressure victims.
  • Exploited unpatched VPN and remote access systems to gain footholds.

Law-enforcement operations significantly disrupted REvil, and in 2024, a REvil member was sentenced to over 13 years in prison for attacks resulting in hundreds of millions in ransom demands.

Ryuk: targeted “big game” hunting

Ryuk is a ransomware family associated with highly targeted attacks on large organizations, often after extensive reconnaissance. Researchers have estimated Ryuk operators earned at least hundreds of millions of dollars in ransom payments by tracking their cryptocurrency wallets.

Ryuk attacks are notable for:

  • Manually driven intrusions (hands-on-keyboard) with careful selection of high-value targets.
  • Heavy reliance on phishing and exposed services for initial compromise.
  • Very high ransom demands — sometimes in the tens of millions.

DarkSide and Colonial Pipeline

DarkSide is a RaaS operation associated with the Colonial Pipeline attack in 2021, which disrupted fuel supplies along the U.S. East Coast and made ransomware a household topic.

Key traits:

  • Focus on large enterprises and critical infrastructure.
  • Double extortion tactics and a “corporate-like” code of conduct (they publicly claimed to avoid certain sectors — a claim widely doubted).
  • After Colonial Pipeline reportedly paid a multimillion-dollar ransom, U.S. authorities later recovered a portion of the cryptocurrency, and DarkSide’s infrastructure came under immense pressure from law enforcement.

Hive: disrupted from inside

Hive is a RaaS group that targeted hospitals, schools, financial firms, and more. By early 2023, Hive had hit over 1,500 victims in more than 80 countries, with ransom demands totaling hundreds of millions of dollars.

In a major success, the FBI infiltrated Hive’s infrastructure, captured decryption keys, and quietly distributed them to victims for months before ultimately seizing the group’s servers and dark-web sites. This operation likely saved victims hundreds of millions in unpaid ransoms.

Dharma / Mespinoza

Dharma is a long-running RaaS family often linked to financially motivated threat actors. Notable features:

  • Heavy focus on RDP-based attacks (brute-forcing or buying stolen RDP credentials).
  • Ransom demands usually around 1–5 Bitcoin.
  • Very similar attack patterns across incidents, with only small customizations (encryption keys, contact emails) made via the RaaS portal — making attribution tricky.

Maze, Egregor, Conti, and others

A non-exhaustive list of other important RaaS families and kits:

  • Maze: popularized the double-extortion model before “retiring.” Many of its affiliates later appeared under the Egregor brand.
  • Conti: linked to hundreds of global victims, including Ireland’s Health Service Executive (HSE), severely disrupting healthcare operations.
  • Locky, CryptoWall, Shark, Stampado, Encryptor, Jokeroo, Goliath: earlier or smaller RaaS kits that helped prove the business model.
  • DarkTequila, Phobos: examples of RaaS that mix data theft, credential harvesting, and encryption, often targeting specific regions or sectors.
  • Pysa / Mespinoza: another RaaS gang focused on data theft plus encryption and high ransoms.

Taken together, these families show how RaaS has evolved from crude lockers to industrialized extortion platforms.

Why RaaS is so dangerous

RaaS is more than “just another malware trend.” It amplifies threats in several ways:

Lower barrier, more attacks

Before RaaS, an attacker needed to understand cryptography, write stable, cross-platform malware, and build their own infrastructure and payment systems.

Now, a would-be attacker can simply rent a mature ransomware kit for a relatively low cost, follow step-by-step guides with built-in support, and focus entirely on social engineering or buying access rather than writing code.

The result is far more attackers and far more incidents.

Higher impact: data breaches, downtime, and compliance fallout

RaaS attacks don’t just lock files. They routinely:

  • Exfiltrate massive volumes of sensitive data (customer PII, IP, financial records).
  • Create full-blown data breaches with regulatory implications (GDPR, HIPAA, PCI DSS, SEC breach reporting, etc.).
  • Cause extended downtime — days or weeks of disruption to manufacturing, healthcare, or critical services.

In some sectors, like healthcare, ransomware has directly impacted patient care by delaying critical treatments and surgeries.

Financial damage at scale

Financial harm comes in many layers. Organizations often face direct ransom payments that can range from the hundreds of thousands to millions of dollars in a single incident.

On top of that, they must absorb the costs of forensics, incident response, legal advice, public relations work, and potential regulatory investigations or fines.

Revenue can drop sharply as operations stall, customers lose confidence, and long-term reputational damage takes hold.

Even once systems are restored, many victims see their cyber insurance premiums increase significantly or, in some cases, lose coverage altogether.

Global ransomware revenues have been estimated in the tens of billions of dollars annually, and average demands continue to rise.

Long-term security challenges

Even when systems are restored, the damage does not end.

Attackers may have installed backdoors or created new accounts that allow them to return later, and stolen data can resurface months down the line on underground marketplaces.

And organizations can struggle for years to regain the trust of customers, partners, and regulators. In short, RaaS combines scale, sophistication, and persistence.

Spyware, adware, and the wider “-as-a-service” crime economy

You may be wondering how spyware and adware fit into all of this. Here is how they do.

Spyware: feeding the RaaS machine

Modern RaaS operations are tightly linked with spyware / infostealers:

  • Spyware collects browser-stored passwords, cookies, VPN credentials, crypto wallets, and autofill data.
  • Criminals sell giant “logs” of these stolen credentials on underground markets.
  • RaaS affiliates and IABs buy logs, filter for corporate domains (e.g., @company.com), and log directly into VPNs, email accounts, and remote desktops.

So spyware doesn’t encrypt anything itself — but it hands attackers the keys they need to deploy ransomware as a service efficiently.

Adware and malicious distribution

Adware is often seen as “annoying but harmless,” but in the modern ecosystem, it can be a stepping stone to worse outcomes:

  • Some shady adware bundles come with additional payload droppers. Under the hood, those droppers may install spyware or provide a foothold later used for ransomware.
  • Malvertising (malicious ads) can redirect users to exploit kits or fake installers, which eventually drop ransomware.

In other words, “low-grade” adware and spyware are frequently part of the initial compromise chain in RaaS campaigns, even if they don’t perform the encryption themselves.

How to protect against RaaS (and ransomware in general)

Let’s get practical. Defending against ransomware as a service requires layers of protection — there’s no single magic control.

The good news: most defenses also reduce risk from other threats like spyware, adware, and data-stealing malware.

Start with solid cyber hygiene

Strong identity and credential hygiene

Require multi-factor authentication (MFA) for VPN, RDP, email, cloud apps, and administrative access.

Additionally, use a password manager and enforce strong, unique passwords.

Disable legacy authentication protocols (e.g., basic authentication, NTLM) where possible.

Regularly review and revoke unused accounts and excessive privileges.

Patch and harden external-facing systems

Prioritize VPN appliances and remote-access gateways, RDP gateways, web applications and other internet-exposed services, as well as hypervisors such as VMware ESXi and the backup servers that support them.

To harden these systems effectively, rely on centralized patch management, regular vulnerability scanning and external attack-surface management.

Also, make use of secure configuration baselines and configuration management practices.

Reduce your attack surface

  • Disable direct RDP exposure to the internet; require VPN and MFA.
  • Implement network-level restrictions and geo-fencing where feasible.
  • Remove or lock down unused services and ports.
  • Apply the principle of least privilege across systems and services.

Strengthen email and web defenses

Because so many RaaS attacks start with phishing, it is essential to strengthen both email and web defenses.

Deploy a secure email gateway that provides attachment sandboxing, URL rewriting with time-of-click protection, and the blocking of known bad domains so that malicious payloads and links are filtered before they ever reach end users.

Combine this with DNS filtering or secure web gateways that prevent users from accessing known malware distribution sites, as well as newly registered or otherwise suspicious domains that attackers frequently abuse.

Finally, implement DMARC, DKIM, and SPF to authenticate email and reduce spoofed messages, making it much harder for adversaries to impersonate your domain and trick recipients into trusting phishing emails.

Then, pair technology with training:

  • Regular phishing simulations (but respectful, not “gotcha” style).
  • Clear “report phishing” mechanisms (e.g., Outlook button, Slack workflow).
  • No-blame culture for reporting suspicious emails.

Endpoint, network, and identity security

Modern endpoint protection (EPP/EDR/XDR)

Look for:

  • Behavioral detection (e.g., mass file encryption, suspicious PowerShell use).
  • Ransomware-specific heuristics and canary files.
  • Isolation/quarantine capabilities for compromised endpoints.
  • Centralized visibility and response (XDR/SIEM integration).

Even for individuals, having robust endpoint security that detects spyware, adware, and ransomware behavior is critical.
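An added example, not code from the original article: a Python canary-file monitor of the kind behavioral ransomware detection relies on. It plants decoy files, records their hashes, and alerts when a canary disappears, is renamed, or is rewritten with high-entropy (encrypted-looking) content. The file names, the content and the entropy threshold are assumptions, and the demo tampers only with its own temporary files to exercise the alerts.

```python
"""Canary-file monitor: alert on the file-level side effects of mass encryption."""
import hashlib
import math
import os
import tempfile
from pathlib import Path

# Assumed names, chosen to sort first and last in a directory listing so an
# alphabetical encryptor touches them early. Real canaries should look like real documents.
CANARY_NAMES = ["aaa_budget_2024.xlsx", "zzz_payroll_notes.docx"]
CANARY_CONTENT = b"Quarterly budget review notes. Do not modify this file.\n" * 40


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain text sits around 4-5, encrypted or compressed data near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def deploy_canaries(root: Path) -> dict:
    """Write the canaries and return the baseline {path: sha256} to check against later."""
    baseline = {}
    for name in CANARY_NAMES:
        path = root / name
        path.write_bytes(CANARY_CONTENT)
        baseline[str(path)] = hashlib.sha256(CANARY_CONTENT).hexdigest()
    return baseline


def check_canaries(baseline: dict, entropy_threshold: float = 7.0) -> list:
    """Return one alert string per canary that is missing, renamed or changed."""
    alerts = []
    for path_str, digest in baseline.items():
        path = Path(path_str)
        if not path.exists():
            alerts.append(f"{path.name}: missing or renamed (encryptors often append an extension)")
            continue
        data = path.read_bytes()
        if hashlib.sha256(data).hexdigest() != digest:
            ent = shannon_entropy(data)
            if ent >= entropy_threshold:
                kind = "rewritten with high-entropy data (likely encrypted)"
            else:
                kind = "modified"
            alerts.append(f"{path.name}: {kind}, entropy={ent:.2f}")
    return alerts


def demo() -> tuple:
    """Run the monitor on a scratch directory: a clean pass, then a pass after the
    demo itself overwrites one canary with random bytes and renames the other."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        baseline = deploy_canaries(root)
        clean = check_canaries(baseline)
        (root / CANARY_NAMES[0]).write_bytes(os.urandom(len(CANARY_CONTENT)))
        (root / CANARY_NAMES[1]).rename(root / (CANARY_NAMES[1] + ".locked"))
        dirty = check_canaries(baseline)
    return clean, dirty


if __name__ == "__main__":
    before, after = demo()
    print("clean scan:", before or "no alerts")
    for alert in after:
        print("ALERT", alert)
```

In production the baseline would be stored off-host and `check_canaries` run on a schedule or from a file-system watcher, with an alert wired to endpoint isolation.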

Network segmentation and zero trust

  • Segment high-value assets (domain controllers, hypervisors, backup servers, OT environments) from general user networks.
  • Restrict lateral movement using:
    • Internal firewalls or micro-segmentation.
    • Local admin separation and just-in-time privileged access.
  • Move toward zero-trust principles: never implicitly trust; always verify and continuously evaluate risk.

Monitor for credential exposure

  • Use services that alert you when corporate emails appear in known breaches.
  • Monitor dark-web forums (either directly or via a threat-intel provider).
  • Force password resets and tighten MFA when new leaks are detected.

Backups and ransomware resilience

Backups are your last line of defense and your best leverage in deciding not to pay a ransom.

Follow the 3-2-1-1-0 backup strategy to protect your data.

Keep three copies of your data—your original plus two backups. Store them on two different types of storage media, such as a hard drive and cloud storage.

Keep one copy off-site, away from your primary location, to protect against physical disasters like fires or floods.

Maintain one offline or immutable backup that’s disconnected from your network to safeguard against ransomware and cyberattacks.

Finally, achieve zero errors by regularly testing your backups and actually restoring files to verify they work.

The key is maintaining multiple copies in multiple places, with at least one copy unreachable by threats, and regular testing to ensure you can recover your data when needed.

Key practices:

  • Ensure backups are logically and physically separated from production (no flat network where ransomware can easily reach backup servers).
  • Use immutable snapshots where possible (e.g., object-lock in cloud storage).
  • Regularly test restores: practice restoring entire systems and critical apps, not just files.
  • Document recovery time objectives (RTO) and recovery point objectives (RPO) for critical systems.

Threat intelligence and hunting

Because RaaS techniques evolve fast, threat intelligence is essential.

Subscribe to reputable threat-intel feeds, track which RaaS groups actively target your sector, and use real-world exploitation trends to prioritize where you patch first and where you harden your defenses most aggressively.

Where resources allow, incorporate threat hunting:

  • Search for known RaaS TTPs: suspicious use of tools like Cobalt Strike, random scheduled tasks, abnormal RDP activity, domain-admin logons from odd endpoints, or unusual outbound connections.
  • Hunt for infostealer/spyware indicators, as those often precede ransomware.

Specific controls for common RaaS techniques

RDP & remote access

  • Never expose RDP directly to the internet.
  • Require VPN + MFA and IP restrictions.
  • Enforce strong passwords and lockout policies.
  • Monitor for repeated failed logins and anomalous geolocation access.
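An added example, not from the original article, of the monitoring the list above calls for: a Python detector run over constructed Windows logon events (event 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive, i.e. RDP). It flags a burst of failures from one source, a success from that source right after the burst, and failures spread across many accounts from one source (password spraying). The simplified CSV export format, the thresholds and the IP addresses are assumptions.

```python
"""Flag brute-force and password-spray patterns against RDP in Windows logon events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a simplified CSV export: timestamp, event id, logon type, account, source IP.
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = """\
2024-05-01T02:14:07Z,4625,10,administrator,198.51.100.23
2024-05-01T02:14:09Z,4625,10,administrator,198.51.100.23
2024-05-01T02:14:12Z,4625,10,administrator,198.51.100.23
2024-05-01T02:14:15Z,4625,10,administrator,198.51.100.23
2024-05-01T02:14:19Z,4625,10,administrator,198.51.100.23
2024-05-01T02:14:40Z,4624,10,administrator,198.51.100.23
2024-05-01T03:00:01Z,4625,10,alice,203.0.113.77
2024-05-01T03:00:02Z,4625,10,bob,203.0.113.77
2024-05-01T03:00:03Z,4625,10,carol,203.0.113.77
2024-05-01T03:00:04Z,4625,10,dave,203.0.113.77
2024-05-01T08:30:00Z,4625,10,erin,192.0.2.10
2024-05-01T08:30:20Z,4624,10,erin,192.0.2.10
2024-05-01T09:00:00Z,4624,2,frank,127.0.0.1
"""


def parse_events(text: str) -> list:
    """Parse the CSV lines into dicts with a real datetime for windowing."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, user, src = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "id": int(event_id),
            "type": int(logon_type),
            "user": user,
            "src": src,
        })
    return events


def detect_rdp_abuse(events: list, fail_threshold: int = 5,
                     window: timedelta = timedelta(minutes=10),
                     spray_accounts: int = 4) -> list:
    """Return (severity, source_ip, description) tuples for suspicious RDP activity."""
    alerts = []
    rdp = sorted((e for e in events if e["type"] == 10), key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in rdp:
        by_src[e["src"]].append(e)
    for src, evs in by_src.items():
        recent_fails = []      # failures from this source inside the sliding window
        users_failed = set()   # distinct accounts this source has failed against
        for e in evs:
            recent_fails = [f for f in recent_fails if e["ts"] - f["ts"] <= window]
            if e["id"] == 4625:
                recent_fails.append(e)
                users_failed.add(e["user"])
                if len(recent_fails) == fail_threshold:
                    alerts.append(("medium", src,
                                   f"{fail_threshold} failed RDP logons within {window}"))
                if len(users_failed) == spray_accounts:
                    alerts.append(("medium", src,
                                   f"failures against {spray_accounts} distinct accounts (password spray)"))
            elif e["id"] == 4624 and len(recent_fails) >= fail_threshold:
                user = e["user"]
                alerts.append(("high", src,
                               f"successful RDP logon as {user} after {len(recent_fails)} failures"))
    return alerts


if __name__ == "__main__":
    for severity, src, description in detect_rdp_abuse(parse_events(SAMPLE_EVENTS)):
        print(f"[{severity}] {src}: {description}")
```

A single failure followed by a success (as with erin from 192.0.2.10) stays silent, which is what keeps this rule usable against ordinary typos; the high-severity case is the one worth paging on.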

Hypervisors and ESXi

  • Patch ESXi and vCenter aggressively.
  • Restrict management interfaces to admin networks or jump hosts.
  • Protect backups and snapshots separately from the hypervisor network.

Backup systems

  • Treat backup servers as crown jewels.
  • Limit admin access, enforce MFA, and segment them from user networks.
  • Regularly verify that ransomware can’t simply log into backup consoles with domain accounts.

What to do if you’re hit by a RaaS attack

Even with strong defenses, no environment is immune. You need a clear, pre-planned incident response playbook.

Immediate steps

First, isolate affected systems as quickly as possible by disconnecting infected endpoints from both wired and wireless networks and by disabling compromised accounts and revoking any active sessions tied to those identities.

Once the immediate spread is contained, turn your attention to preserving evidence.

Avoid wiping systems or deleting logs, and capture volatile data wherever you can.

This includes memory images and snapshots of current network connections, so that investigators have enough information to understand what happened.

Next, activate your incident response plan. Notify your internal IR team along with executive leadership, legal, and communications.

And if you have an external incident response firm on retainer, bring them in immediately so they can help coordinate the technical, legal, and messaging aspects of the response.

You should also contact law enforcement and relevant national or sectoral cybercrime authorities.

Many cybercrime units now hold decryption keys and valuable intelligence for specific RaaS strains and can support your recovery efforts.

Finally, check whether public decryptors are available for the ransomware that hit you.

Initiatives like the NoMoreRansom project and vendor-released decryption tools sometimes allow victims to recover data without paying.

So verifying the availability of a free decryptor is a critical early step before even considering ransom negotiations.

Should you pay the ransom?

This is a complex business, legal, and ethical decision. General considerations:

  • Paying does not guarantee full decryption or deletion of stolen data.
  • Payment may be illegal if the recipient is on sanctions lists.
  • Paying funds criminal organizations and incentivizes more attacks.

Most governments and law-enforcement agencies discourage payment and recommend exploring all other options first. Always consult legal counsel and relevant authorities.

Recovery and lessons learned

After containment:

  • Restore systems from known-good backups.
  • Reset credentials broadly (especially privileged accounts).
  • Conduct a post-incident review:
    • How did attackers get in?
    • Where were detection opportunities missed?
    • What controls will you implement to prevent recurrence?

Use the incident to justify and prioritize strategic improvements, not just tactical patches.

The future of RaaS

RaaS isn’t going away. If anything, it’s still evolving.

More AI, automation, and specialization

We can expect to see AI-assisted phishing that utilizes more convincing language and better targeting, as well as increasingly automated discovery of misconfigurations and exposed services.

Additionally, we will likely see specialized RaaS “verticals” that focus on particular sectors, such as healthcare, manufacturing, and OT/ICS environments.

And just as defenders are using AI in EDR/XDR and anomaly detection, attackers are testing AI to optimize their own campaigns.

Blurring lines between nation-state and criminal activity

In some regions, ransomware groups are tolerated or quietly supported by states that benefit from economic damage and chaos abroad.

Some RaaS actors share infrastructure or tooling with state-sponsored groups, or moonlight between crime and espionage.

Law enforcement is getting smarter

The story isn’t one-sided. Authorities have infiltrated RaaS groups, seized infrastructure and leak sites.

They have also named and sanctioned key individuals, steadily chipping away at some of the largest and most notorious RaaS operations.

Each such operation:

  • Weakens specific RaaS brands.
  • Releases decryption keys and tools to help victims.
  • Raises the operational costs and risks for affiliates.

But as long as RaaS remains profitable and some countries offer safe havens, new variants and groups will continue to appear.

Conclusion

Ransomware as a service (RaaS) has turned cyber extortion into a scalable, global industry. It blends criminal entrepreneurship with technical sophistication, pulling in everything from spyware to adware to monetize every weakness in modern networks.

You can’t eliminate RaaS from the internet — but you can drastically reduce your risk of becoming a victim and improve your ability to recover if it happens.

Strong identity control, disciplined patching, layered defenses, resilient backups, and a prepared incident response plan together form a powerful answer to RaaS.

The organizations that treat ransomware as a when-not-if scenario, and harden accordingly, are the ones that bounce back the fastest.

Bit Scriber T1000