
Ransomware as a Service: How It Works, Examples and Defenses

    What Is Ransomware as a Service (RaaS)? 

    Ransomware as a Service (RaaS) is a subscription-based business model in which cybercriminals develop and sell or lease ransomware tools and infrastructure to other threat actors, called affiliates, for a share of the profits. This has “democratized” cybercrime by enabling individuals with limited technical skills to execute sophisticated ransomware attacks, leading to an exponential increase in incidents.

    The RaaS model mimics a legitimate Software as a Service (SaaS) business, complete with marketing campaigns, user reviews, 24/7 support, and online portals for tracking infections and payments.

    RaaS attacks involve cooperation between several threat actors, who split the proceeds:

    • RaaS operators (developers): Create and maintain the ransomware malware, infrastructure (such as command-and-control servers), and payment systems. They handle the technical aspects and advertise their RaaS kits on dark web forums. 
    • RaaS affiliates: Purchase or rent access to the ransomware kits from the operators. They are responsible for distributing the malware to victims, typically through methods like phishing emails, exploiting software vulnerabilities, or social engineering. 
    • Initial access brokers: Some advanced RaaS operations also involve a third party that specializes in infiltrating corporate networks and selling access to the affiliates. 
    • Profit sharing: If the victim pays, the RaaS operators receive their cut, and the affiliate gets the rest. A common profit-sharing ratio gives the affiliate a large majority (e.g., 70–80%) of the ransom.

    Cybercriminals use several business and extortion models to maximize their profits:

    • Subscription: A flat monthly fee for access to the ransomware. 
    • Affiliate program: A monthly fee plus a percentage of any successful ransom payments. 
    • One-time license fee: A single payment for unlimited access. 
    • Profit sharing: No upfront cost, but the developer takes a larger cut of the ransom. 
    • Double extortion: A newer tactic where threat actors not only encrypt a victim’s data but also steal it. They threaten to leak the sensitive information on a public “leak site” if the ransom is not paid, adding pressure on the victim. 
    • Triple extortion: An escalation of double extortion that includes a third element, such as a Distributed Denial of Service (DDoS) attack on the victim’s website or infrastructure to increase pressure.

    How Is RaaS Different from Traditional Ransomware? 

    Traditional ransomware attacks are typically carried out by skilled threat actors who develop their own malware, plan the attack infrastructure, and execute the entire campaign themselves. This approach requires technical expertise in malware development, network penetration, and encryption techniques.

    RaaS separates the development and execution roles. Developers focus on creating and maintaining the ransomware platform, while affiliates, who may lack deep technical skills, handle the actual attacks. 

    The platform often includes automated tools for payload generation, distribution, encryption, and payment handling. This separation allows less experienced actors to carry out sophisticated attacks by leveraging the tools and infrastructure provided by RaaS operators. RaaS industrializes ransomware, turning it into a scalable service model that can reach more targets through a broader range of actors.

    How the RaaS Business Model Works 

    RaaS platforms operate similarly to legitimate SaaS products, offering subscription-based or commission-based access to ransomware kits and management dashboards. Affiliates can sign up through dark web forums or invitation-only marketplaces, gaining access to tools that automate payload creation, campaign tracking, and ransom payment processing.

    Revenue models vary. Some platforms charge a flat fee for access, while others use a profit-sharing model where the operator takes a percentage (commonly between 20% and 40%) of each ransom payment. More advanced services may offer tiered plans, with higher tiers unlocking additional features like advanced encryption options, obfuscation tools, or technical support.

    Many RaaS platforms include branding, real-time support, and integration with cryptocurrency wallets to handle payments. This professionalization reduces the overhead for attackers and allows developers to scale operations by supporting a growing number of affiliates simultaneously.

    Tips from the expert

    Steve Moore

    Steve Moore is Vice President and Chief Security Strategist at Exabeam, helping drive solutions for threat detection and advising customers on security programs and breach response. He is the host of the “The New CISO Podcast,” a Forbes Tech Council member, and Co-founder of TEN18 at Exabeam.

    In my experience, here are tips that can help you better defend against and prepare for Ransomware-as-a-Service (RaaS) threats:

    Harden initial access vectors via attack surface reduction: Beyond patching, disable or restrict high-risk services like RDP, SMB, and macros in Office documents by default. RaaS affiliates often exploit these common weak points, especially in SMB environments.

    Implement deception technologies for early detection: Deploy honeypots, canary files, and fake credentials across the network. RaaS operators and affiliates often probe broadly before encryption. These traps can trigger alerts well before damage occurs.

    Correlate ransom notes with threat actor TTPs: Analyze ransom note content, delivery method, and file artifacts to map them to known RaaS groups via MITRE ATT&CK mappings. This speeds threat attribution and guides response prioritization.

    Use DNS-layer filtering to block C2 and leak portals: Enforce outbound DNS filtering to disrupt contact with RaaS command-and-control servers and prevent data exfiltration. Most ransomware variants rely on external infrastructure that can be proactively blocked.

    Inventory and air-gap key operational backups: Many RaaS groups now target backup systems directly. Maintain an up-to-date inventory of backup dependencies and ensure one immutable, offline backup tier exists, ideally air-gapped or stored on write-once media.

    RaaS Revenue and Extortion Tactics 

    RaaS operators and affiliates generate revenue primarily through ransom payments, but the methods of extortion have evolved to increase profits. Early ransomware relied only on encrypting files and demanding payment for decryption keys. Modern RaaS groups often combine multiple tactics to increase pressure on victims.

    One common method is double extortion, where attackers not only encrypt data but also steal it. Victims who refuse to pay risk having sensitive information leaked or sold. Some groups escalate further with triple extortion, which adds additional pressure such as threatening denial-of-service (DoS) attacks or directly contacting customers, employees, or business partners of the victim.

    Payment is usually demanded in cryptocurrency, most commonly Bitcoin or Monero, because these are difficult to trace. Operators may provide automated portals where victims can negotiate, verify proof of decryption, and process payments. These portals are often designed to mimic customer service systems, making the extortion process more structured and efficient.

    The revenue potential is significant. Large enterprises can face multimillion-dollar ransom demands, while smaller businesses are often targeted with lower but more frequent demands to ensure higher payment rates. Affiliates and operators share the proceeds based on the agreed model, incentivizing affiliates to scale campaigns and maximize victim conversion.

    Who Are the Primary Targets of RaaS Attacks? 

    RaaS attacks are often opportunistic, with affiliates targeting a wide range of organizations across industries. While any connected system is a potential target, critical infrastructure, healthcare, finance, and education sectors are hit especially hard. These targets present substantial disruption risk and are perceived as more likely to pay ransoms quickly to restore essential operations.

    Small- and medium-sized businesses are also frequent victims because they often lack robust defenses and may pay ransoms rather than risk prolonged downtime. Public sector organizations, such as municipalities and school districts, are appealing targets due to budget constraints and the high sensitivity of their data.

    Notable RaaS Examples and Variants

    1. LockBit

    LockBit is one of the most prolific and persistent RaaS operations, known for rapid encryption speeds and aggressive targeting of organizations across the globe. The LockBit group operates a RaaS affiliate model, offering substantial customization and technical support to its partners. Its leaked builder tools also mean even copycat groups now deploy LockBit variants, fueling further spread. 

    LockBit affiliates benefit from a dedicated negotiation portal and communication system, increasing success rates. The group frequently evolves its tactics, adopting defense evasion techniques like disabling security software and employing double extortion, which drives continued global impact and ensures prominence among ransomware threats.

    2. Hive

    Hive ransomware emerged in 2021 and quickly became notable for its attack volume and adaptability. It uses a classic RaaS structure, offering affiliates automation tools to manage campaigns efficiently, from initial infection to negotiation. Hive is recognized for its unique encryption algorithm and ability to adapt to corporate network defenses. 

    Hive’s impact escalated due to persistent double extortion schemes and targeting of healthcare and critical infrastructure. Multiple variants have been released with improved evasion and persistence techniques. Law enforcement agencies have launched crackdowns on Hive, but its affiliates continue to pivot, underscoring its resilience within the RaaS market.

    3. DarkSide

    DarkSide rose to prominence after its attack on Colonial Pipeline in 2021, which caused fuel shortages in the US and shaped federal cybersecurity responses. As a RaaS offering, DarkSide provided an interface for affiliates, including analytics to monitor infection rates and payment progress. Its service-oriented approach set a new standard for criminal professionalism in ransomware. 

    Despite law enforcement pressure forcing its operators to shut down, DarkSide’s methods, code, and approach influenced numerous successors. Its model of direct victim communication, data leak portals, and robust customer support for affiliates persists in many current RaaS groups, cementing its legacy in ransomware operations.

    4. REvil / Sodinokibi

    REvil, also known as Sodinokibi, built its reputation on highly targeted attacks, sophisticated encryption, and multi-stage extortion. The group offered comprehensive dashboards and support for affiliates, including discounted rates for high-value or government targets. REvil frequently conducted large-scale, headline-grabbing attacks, including those on supply chains and managed service providers. 

    REvil’s infrastructure enabled precise control over negotiations and payment tracking, with tools for automating victim communications. Even after law enforcement actions forced it offline, REvil’s tactics and infrastructure resurfaced in rebranded variants and copycat RaaS operations, reflecting its ongoing influence on cybercrime.

    5. Dharma

    Dharma has been active since 2016 and stands out for its accessibility in underground markets, making it a common choice for less-skilled attackers. The RaaS model is straightforward, requiring minimal technical setup, and is widely distributed via phishing campaigns and Remote Desktop Protocol (RDP) attacks. 

    Dharma’s ransomware releases are frequently updated, with variants tailored to specific targets and widely circulated. Its lack of sophisticated negotiation or leak portals is offset by high infection rates and the sheer volume of campaigns leveraging its toolkit, which contributes heavily to ransomware statistics worldwide.

    6. BlackCat / ALPHV

    BlackCat (also known as ALPHV) is a newer, highly sophisticated RaaS threat developed in the Rust programming language, which adds flexibility for cross-platform attacks. BlackCat is notable for its modular approach, advanced evasion tactics, and targeting of a broad cross-section of industries. Its affiliates benefit from access to modern control panels and extensible features to tailor attacks. 

    BlackCat adopts triple extortion schemes, sometimes involving harassment of victims’ customers or partners to intensify pressure. Its developers actively monitor law enforcement activity and quickly release updates in response. BlackCat exemplifies the current “cutting edge” of RaaS, and its rise shows how rapidly RaaS threats evolve.

    Best Practices to Defend Against RaaS 

    Organizations can improve their defenses against Ransomware-as-a-Service attacks by implementing the following practices.

    1. Implement Robust Endpoint Protection

    Advanced endpoint detection and response (EDR) solutions use behavioral analysis, machine learning, and real-time monitoring to detect suspicious activities, such as unauthorized file encryption or lateral movement within networks. These solutions can automatically quarantine endpoints and block ongoing attacks before ransomware spreads organization-wide.

    Regularly updating EDR platforms and tuning rulesets ensures the latest ransomware indicators and tactics are recognized. Integration with centralized logging and security information and event management (SIEM) systems provides deeper visibility for threat hunting and incident investigation. Investing in robust EDR capabilities is a key component of a layered ransomware defense strategy.
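Two of the detection ideas in this article lend themselves to a worked example: the behavioral detection of unauthorized mass file encryption described in this section, and the canary files recommended in the "deception technologies" tip earlier. The script below is example code written for this article, not Exabeam code and not any EDR product's detection logic. It assumes a hypothetical endpoint agent that emits one JSON object per file operation with the fields ts, proc, pid, op, path and new_path; the canary paths, thresholds, process names and sample events are all constructed for illustration.

```python
"""Behavioural detection of ransomware-like file activity.

Added example for this article, not Exabeam code and not any EDR product's
detection logic. It assumes an endpoint agent that emits one JSON object per
file operation with the fields ts (epoch seconds), proc, pid, op ("write",
"rename" or "delete"), path and, for renames, new_path. The field names,
thresholds, canary paths and sample events are all constructed for illustration.
"""
import json
from collections import defaultdict, deque

# Decoy files that no legitimate process should ever write, rename or delete.
CANARY_PATHS = {
    r"C:\Finance\2019_Q4_budget_FINAL.xlsx",
    r"C:\Finance\HR\do_not_open.docx",
}

# Rename-burst rule: this many extension-changing renames by one process
# inside a sliding window of WINDOW_SECONDS is treated as mass encryption.
BURST_THRESHOLD = 20
WINDOW_SECONDS = 10.0


def file_ext(path: str) -> str:
    """Lower-case extension of a Windows or POSIX path, '' if there is none."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect(events):
    """Run both rules over chronologically ordered event dicts; return alerts."""
    alerts = []
    windows = defaultdict(deque)   # (proc, pid) -> timestamps of recent ext changes
    burst_fired = set()            # fire the burst rule once per process
    for ev in events:
        key = (ev["proc"], ev["pid"])
        touched = {ev["path"], ev.get("new_path")}
        if touched & CANARY_PATHS:
            alerts.append({"rule": "canary_touched", "severity": "critical",
                           "proc": ev["proc"], "pid": ev["pid"],
                           "path": ev["path"], "ts": ev["ts"]})
        if ev["op"] == "rename" and file_ext(ev["path"]) != file_ext(ev["new_path"]):
            window = windows[key]
            window.append(ev["ts"])
            # Drop timestamps that have aged out of the sliding window.
            while window and ev["ts"] - window[0] > WINDOW_SECONDS:
                window.popleft()
            if len(window) >= BURST_THRESHOLD and key not in burst_fired:
                burst_fired.add(key)
                alerts.append({"rule": "rename_burst", "severity": "high",
                               "proc": ev["proc"], "pid": ev["pid"],
                               "count": len(window),
                               "new_ext": file_ext(ev["new_path"]), "ts": ev["ts"]})
    return alerts


def parse_jsonl(text: str):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def build_sample_log() -> str:
    """Constructed log: a benign Word save (one extension change, no alert),
    then an unknown binary renaming 25 invoices within five seconds and
    finally touching a canary file."""
    ev = []
    ev.append({"ts": 1000.0, "proc": "WINWORD.EXE", "pid": 4120, "op": "write",
               "path": r"C:\Users\alice\Documents\report.docx"})
    ev.append({"ts": 1001.0, "proc": "WINWORD.EXE", "pid": 4120, "op": "rename",
               "path": r"C:\Users\alice\Documents\~WRL0001.tmp",
               "new_path": r"C:\Users\alice\Documents\report.docx"})
    for i in range(25):
        src = rf"C:\Finance\invoices\inv_{i:03d}.pdf"
        ev.append({"ts": 2000.0 + i * 0.2, "proc": "helper.exe", "pid": 7788,
                   "op": "rename", "path": src, "new_path": src + ".lockedxyz"})
    ev.append({"ts": 2006.0, "proc": "helper.exe", "pid": 7788, "op": "rename",
               "path": r"C:\Finance\2019_Q4_budget_FINAL.xlsx",
               "new_path": r"C:\Finance\2019_Q4_budget_FINAL.xlsx.lockedxyz"})
    return "\n".join(json.dumps(e) for e in ev)


if __name__ == "__main__":
    for alert in detect(parse_jsonl(build_sample_log())):
        print(alert)
```

On the constructed log the burst rule fires once for helper.exe after its 20th extension change, and the canary rule fires when the decoy spreadsheet is renamed; the Word save produces nothing because a single extension change never reaches the threshold. Keying the window on (process, pid) rather than on the whole host is what separates a genuine encryption burst from many users saving files at once, and the burst threshold and window length are the knobs to tune against a baseline of normal activity before alerts are forwarded to the SIEM.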

    2. Maintain Regular Backups

    Regular data backups are foundational to mitigating ransomware risk, including RaaS attacks. Backing up data frequently, ideally on an automated schedule, ensures organizations can restore critical files without paying a ransom. Best practices include maintaining at least one offline, immutable backup to prevent malware from encrypting or deleting stored copies. Testing the integrity of backups is crucial for ensuring quick, reliable recovery in case of an incident.

    Proper backup strategies involve isolating backup storage from the main organizational network, minimizing the risk that ransomware will spread to backup environments. Backup policies should be well-documented, and recovery plans should be rehearsed periodically. These practices enable organizations to minimize downtime, avoid extortion, and resume operations with minimal disruption after a RaaS incident.
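The backup integrity testing this section calls for can be reduced to a simple routine: record a hash manifest of the backup set when it is written, and compare the set against that manifest before trusting a restore. The code below is an added example for this article, not Exabeam code and not a feature of any backup product. It assumes the manifest is kept on the immutable or offline tier (or is signed), so that whatever alters the backup cannot also rewrite the expected hashes; the directory contents and the tampering scenario are constructed.

```python
"""Backup integrity check: hash manifest at backup time, verification before restore.

Added example for this article, not Exabeam code or any backup product's
feature. Assumes the manifest is stored on the immutable/offline tier (or
signed) so it cannot be altered together with the backup. The files written
below are constructed for the demonstration.
"""
import hashlib
import os
import tempfile


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large backup images do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root: str) -> dict:
    """Map each file under root (relative, '/'-separated) to (size, sha256)."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = (os.path.getsize(full), sha256_file(full))
    return manifest


def verify_backup(root: str, manifest: dict) -> dict:
    """Compare the backup tree against its manifest.

    Returns lists of missing (deleted or renamed), unexpected (new files such
    as ransom notes or renamed copies) and modified (overwritten or encrypted)
    entries, plus an overall ok flag."""
    current = build_manifest(root)
    expected, present = set(manifest), set(current)
    missing = sorted(expected - present)
    unexpected = sorted(present - expected)
    modified = sorted(p for p in expected & present if manifest[p] != current[p])
    return {"missing": missing, "unexpected": unexpected, "modified": modified,
            "ok": not (missing or unexpected or modified)}


def demo() -> tuple:
    """Constructed scenario: a healthy backup, then the same backup after
    simulated ransomware activity on the backup share."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "db"))
        with open(os.path.join(root, "db", "customers.sql"), "wb") as fh:
            fh.write(b"CREATE TABLE customers (...);\n" * 100)
        with open(os.path.join(root, "config.yaml"), "wb") as fh:
            fh.write(b"retention_days: 30\n")

        manifest = build_manifest(root)          # taken at backup time
        healthy = verify_backup(root, manifest)  # should pass

        # Simulate tampering: one file overwritten with random bytes (as
        # encryption would), one renamed to a new extension, one note added.
        with open(os.path.join(root, "db", "customers.sql"), "wb") as fh:
            fh.write(os.urandom(4096))
        os.rename(os.path.join(root, "config.yaml"),
                  os.path.join(root, "config.yaml.locked"))
        with open(os.path.join(root, "RESTORE_FILES.txt"), "wb") as fh:
            fh.write(b"constructed placeholder for a dropped note\n")

        tampered = verify_backup(root, manifest)  # should fail with details
    return healthy, tampered


if __name__ == "__main__":
    before, after = demo()
    print("healthy:", before)
    print("tampered:", after)
```

Running the verification on the restore side, against a manifest the backup host cannot modify, is what gives the check its value: a backup that was silently encrypted in place still looks like a complete set of files until the hashes are compared. The same routine doubles as the periodic recovery rehearsal the section recommends, since a scheduled verify of the offline tier confirms both that the files exist and that they are the ones written.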

    3. Enforce Patch Management

    Keeping all systems, applications, and devices patched is vital for defending against RaaS-based attacks. Attackers commonly exploit known vulnerabilities for initial access, so applying security updates promptly closes off common entry points. Automated patch management systems can help maintain consistent patching across diverse environments, reducing the window of opportunity for threat actors.

    Organizations should prioritize critical security patches for publicly exposed services, VPNs, and remote access solutions, which are often targeted by affiliates seeking easy entry. Inventorying all software assets and verifying patch status regularly is essential. Comprehensive patch management dramatically lowers the risk from both RaaS and bespoke ransomware attacks by eliminating gaps threat actors routinely exploit.

    4. Conduct Employee Training

    Employees are frequently the initial entry point in successful RaaS attacks. Consistent security awareness training reduces the risk of compromise by teaching staff to recognize phishing attempts, malicious attachments, and suspicious links. Well-informed users are less likely to click on ransomware installers or fall for social engineering that grants attackers access.

    Training must be ongoing to address evolving attack methods and reinforce best practices. Simulated phishing exercises can measure employee readiness and identify gaps in awareness. Reporting mechanisms should be simple and encouraged to catch attacks early. Investing in employee cybersecurity education builds a human firewall, significantly reducing exposure to RaaS threats.

    5. Develop an Incident Response Plan

    A comprehensive incident response plan (IRP) prepares organizations to react quickly and effectively to RaaS incidents. This plan should include predefined steps for detection, containment, eradication, and recovery, ensuring that critical actions are not missed in the chaos of an attack. Having roles, communication channels, and decision-making authority clearly defined prevents confusion and delays during high-pressure events.

    Incident response plans should be regularly tested using tabletop exercises and simulations. Lessons learned from exercises and real incidents must feed back into updated, improved protocols. Effective planning minimizes operational impact, simplifies recovery, and enhances organizational resilience, reducing the leverage adversaries have for extortion during RaaS attacks.

    6. Use Multi-Factor Authentication (MFA)

    Multi-factor authentication (MFA) significantly reduces the risk of unauthorized access by requiring users to provide two or more verification factors. RaaS affiliates often gain initial access through stolen or brute-forced credentials. MFA blocks many of these attacks by adding a layer that cannot be bypassed with a password alone.

    MFA should be enforced on all remote access points, email accounts, administrative interfaces, and any application with sensitive data. For maximum effectiveness, use app-based authenticators or hardware tokens rather than SMS-based codes, which are more vulnerable to interception. Integrating MFA across the organization raises the bar for attackers and prevents many opportunistic breaches.

    7. Implement Network Segmentation and Access Controls

    Network segmentation limits attackers’ ability to move laterally after initial compromise, which constrains the impact of RaaS and other ransomware outbreaks. Critical assets and sensitive data should reside on segregated segments with access restricted based on the principle of least privilege. Properly implemented firewalls, VLANs, and internal access controls disrupt ransomware propagation between systems.

    Layered access controls further reinforce segmentation by requiring strong authentication for sensitive operations. Regular reviews of user permissions and network access help identify and remediate excessive privileges and misconfigured rules. These architectural precautions slow attackers, enable quicker detection, and help isolate incidents before widespread damage occurs.

    8. Use Threat Intelligence Sharing and Collaboration

    Active participation in threat intelligence sharing greatly enhances defenses against RaaS. Organizations can join industry Information Sharing and Analysis Centers (ISACs), government partnerships, or private security groups to receive timely alerts about current threats, including IOCs (indicators of compromise) related to RaaS attacks. Collaboration enables rapid identification of new attack vectors and emerging RaaS groups.

    Sharing information about observed threats and incidents anonymously benefits the broader ecosystem by increasing visibility for defenders and law enforcement. Threat intelligence platforms that integrate with detection and response tools can automate protective measures in real time. 

    RaaS Protection with Exabeam

    Exabeam enables early detection and fast response to ransomware by analyzing user and entity behavior across the entire environment. Instead of relying on static indicators or predefined rules, Exabeam applies advanced analytics to detect anomalies that signal the early stages of an attack. This includes unusual privilege changes, lateral movement, suspicious access to backup systems, and abnormal file activity and access.

    The platform automatically builds timelines that connect related events, giving analysts the full context of an incident without manual correlation. Security teams can quickly see how an attack unfolded and take informed action.

    Exabeam integrates with your existing tools including EDR, CASB, identity systems, and backup infrastructure. It enriches that data with behavioral insights and automates responses through playbooks in the SIEM. This approach helps organizations stop ransomware without needing to adopt vendor-specific XDR or SOAR platforms, giving them flexibility and control while improving detection coverage and response time.

    Ultimately, with the Exabeam New-Scale platform, customers have reported up to a 60% reduction in alerts, investigation times reduced by up to 80%, and responses to incidents such as ransomware attacks that are 50% faster than with other solutions. Automated threat timelines and behavioral analytics provide instant context, reducing manual effort and surfacing critical incidents more efficiently. With seamless integration, pre-built detections, and intuitive workflows, Exabeam helps organizations improve security outcomes, reduce operational costs, and potentially respond to threats in under an hour.
